Conditional Access in Outlook on the web for Exchange Online
Published Oct 04 2018 05:26 PM 135K Views
Microsoft


We live in a world where employees want to use a wide range of devices; this includes corporate owned assets, as well as their personal devices, and public or shared devices.  While we want everyone to be empowered to work productively, we need to ensure we protect corporate data.


The freedom to work fluidly, independent of location, has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. 


Exchange Online and Outlook on the web have been investing to ensure we are able to respond to evolving security challenges.  We start this journey by introducing Conditional access policies for Outlook on the web.  Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. 


Last week at the Microsoft Ignite conference we announced and demoed how to configure the new conditional access policies.  These policies restrict the ability of users to download attachments from email to a local machine when the device is not compliant.  With the power of the Office Web Apps, users can continue to view and edit these files safely, without leaking data to a personal machine.  If you instead want to block attachments fully (when on a non-compliant device) we also support that!


Steps to Configuring Conditional Access / Limited Access for Outlook on the Web

To configure Outlook on the web Conditional Access follow these steps:

  • Connect to an Exchange Online Remote PowerShell session.
  • Create a new OwaMailboxPolicy or edit your existing one, and enable the conditional access control on the policy that is assigned to your users:

    Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly

  • Configure an Azure Active Directory Conditional Access Policy in the Azure Portal.

    [Screenshot: AzurePortal1.PNG]

    Figure 1: In the new policy, enable Exchange Online in the App Selection

    [Screenshot: azureportal2.PNG]

    Figure 2: Enable App Enforced Restrictions for Session Controls
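The Exchange Online side of the steps above, as an added example that is not part of the original post: it assumes the ExchangeOnlineManagement module is installed, and the admin UPN, policy name and pilot user addresses are placeholders. The Azure AD policy with "Use app enforced restrictions" (Figures 1 and 2) still has to be created in the Azure Portal.

```powershell
# Step 1: connect to Exchange Online PowerShell (placeholder admin account).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Step 2a: use a dedicated policy instead of editing "Default", so only the
# mailboxes you assign it to get the restriction. Name is an assumption.
$policyName = 'OWA-LimitedAccess'
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Step 2b: ReadOnly removes download and offline access on non-compliant
# devices but keeps attachments viewable/editable in the Office web apps.
# ReadOnlyPlusAttachmentsBlocked is the value that blocks attachments fully.
Set-OwaMailboxPolicy -Identity $policyName -ConditionalAccessPolicy ReadOnly

# Step 2c: assign the policy to the users in scope (placeholder addresses).
# A restriction set on a policy no mailbox is assigned to has no effect,
# which is the usual reason the Limited Access Experience never appears.
$pilotUsers = @('alice@contoso.com', 'bob@contoso.com')
foreach ($upn in $pilotUsers) {
    Set-CASMailbox -Identity $upn -OwaMailboxPolicy $policyName
}

# Verify which policy each pilot mailbox has and what that policy enforces.
foreach ($upn in $pilotUsers) {
    Get-CASMailbox -Identity $upn | Select-Object PrimarySmtpAddress, OwaMailboxPolicy
}
Get-OwaMailboxPolicy -Identity $policyName | Select-Object Name, ConditionalAccessPolicy

# Audit: list mailboxes whose effective OWA policy still has the control Off.
# A mailbox with no explicit OwaMailboxPolicy falls back to "Default".
$offPolicies = Get-OwaMailboxPolicy |
    Where-Object { $_.ConditionalAccessPolicy -eq 'Off' } |
    ForEach-Object { $_.Name }
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $effective = if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" } else { 'Default' }
    if ($effective -in $offPolicies) {
        [pscustomobject]@{ Mailbox = $_.PrimarySmtpAddress; EffectivePolicy = $effective }
    }
}
```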

To learn more about conditional access in Azure Active Directory, see the Azure Active Directory conditional access documentation.


Once you have properly configured the policies in both Exchange Online and the Azure Portal, your users on non-compliant devices will start getting the Limited Access Experience.

[Screenshot: Fig 3.png]

Figure 3: Notice that the download option, as well as the option to enable Offline access, have been removed

[Screenshot: Fig 4.png]

Figure 4: The Office Web Editors will also show a banner informing the user that they have reduced capabilities due to their device compliance state.


We look forward to hearing how this works for your organizations!  We will continue to invest in ensuring that we provide the right level of access to your users so they can stay productive, all while protecting your corporate data.


David Los

53 Comments
Steel Contributor

This looks great thanks! Will the ability to modify the OWA policy extend to the GUI in Exchange Admin Centre?

Copper Contributor

Hello David,


Can you please clarify what license is required to deploy this feature? Do I need an AAD P1 / P2, or is it part of an Office E1 subscription?


Thank you,

Catalin ROMAN 


Steel Contributor

You'll definitely need AAD P1 and above for conditional access. We have an E3 licence with an EMS subscription.

Microsoft

In case you want to see a demo. @David Los did a great session at Ignite last week.

Iron Contributor


I have run this command, and it worked in PowerShell, but it didn't apply to the users I assigned via the conditional access policy. Please help me out with this!!

Iron Contributor

It doesn't even reflect in OWA for the user I applied it to via conditional access. Sharing the screenshot for the same.

Deleted
Not applicable

First of all, this is a great improvement - thanks! :)


Now a question: will this ability to stop users accessing/downloading files and data extend to all other areas of Office 365? e.g. One Drive.


I want to be able to restrict users from logging on to their own home machines, or potentially some other unauthorised machines, and then accessing and downloading data to them - the reason being to protect our data by only allowing it on our company machines which we have full control over.

Copper Contributor

Very cool stuff.  Does this require AD FS similar to how attachment handling required it for public/private network via OwaMailboxPolicy?  In other words, for clients that are doing PTA and not doing AD FS, can they leverage this?!?!


UPDATE: AD FS is not required.  This is quite cool.  What is not entirely clearly explained, although this is simple enough to figure out, is that you must turn this parameter on for policies that are already mapped to users in Exchange.  For the person above who is not seeing the change, make sure you have updated the OWA policy being applied to the user, and then make sure you are logging in with a fresh session, and you should see the restrictions in place.  So if a user is not being given the default OWA policy, then you must change that policy to be conditional access enabled such that you can drop them into read only via conditions from the conditional access rule.  This is very cool, and yes we have wanted this for a long time - bravo Microsoft.  I was testing with an account that had legacy OWA test policies and I had not updated the parameter (-ConditionalAccessPolicy) on the correct policy :)

Microsoft
David Gorman - Thank you for interest in this feature!  At this time, we don't have a plan to introduce this to the admin portal.  We will likely keep management of the OWAMailboxPolicy via Powershell.
Microsoft
Mitul Sinha - Thanks for trying out Conditional Access for Outlook on the Web.  A couple of follow-up questions.  Did you create a new OWA Mailbox Policy and assign it to your test user (Set-CASMailbox)?  Did you configure the policy also in the Azure portal?  After you create the policies in both places it will take a couple of hours for it to become active.
Steel Contributor

@Deleted

You can prevent non-compliant devices from downloading files from OneDrive. You need to look at the Sharepoint Admin page and "Access Control".  Select "Limited Web Only Access or Block" depending on what you want. You then need to create a Conditional Access policy for Sharepoint and under "Access Control" select "Use App Enforced Restrictions".


If you have the advanced version of "Microsoft Cloud App Security"  you can do the same thing.


Copper Contributor

Tested and all worked fine. The biggest issue is how to get a device marked as compliant. We don't have Intune but we do have AAD P1/P2. Is there a way to force a device as compliant based on criteria I can control without Intune ??

We use Blackberry UEM 12.9 ($%#%$@%%)

Deleted
Not applicable

Hi David, 


In the Access Control/Grant section, do we have to do something there like selecting Require device to be marked as compliant or Require Hybrid Azure AD joined device? or just leave it blank?

Copper Contributor

Hi,


This is working very nicely, thanks - however, copy/paste still works (e.g. from an Excel/PowerPoint/email) - any option or idea to disable/restrict that too?


Many thanks,

Tamas


Deleted
Not applicable

Hi,


First feedback from customers is that the option is great, but the message is not always very clear for the end-user.

Can this message be changed, or can this option be added: telling the user that they have reduced capabilities due to their device compliance state?


Many Thanks,

Jurgen

Copper Contributor

Hello, 

Is there a way to set Conditional Access to Exchange Online based on time of day?

Microsoft

Les - We do not support time based configuration for Conditional Access.  Do you mind sharing a bit of detail on why this would be something you would like to see?  How would you use it?


Thanks!

David Los


Copper Contributor

David,

Thanks for the reply.

This is a client request.  The client is a large Law firm with a call center.  The request is to restrict the call center users from accessing Exchange Online during non business hours due to potential sensitive information. 

Copper Contributor

Very nice extension to OWA policy and I can leverage AAD conditions to control when this is applied.


There is an enterprise ask to limit additional features in one of these type sessions. One business unit wants their users to see calendar only for instance. Due to data loss concerns, our security team would also like to disable printing - although we try to explain that you can copy HTML content from a browser window no matter what we do.


Are there any plans to extend the other controls in an OWA policy to be part of the 'Limited Experience'? I see a section but cannot edit it called "ConditionalAccessFeatures".


It would almost be great if I could apply a particular OWA policy instead of just Public/Private computer distinction. Such as, "user normal policy" for everyday access and "user limited experience policy" for certain conditions.

Copper Contributor

Will the read only feature apply to users using the Outlook desktop app?

For example, I want to make sure users don't install Outlook on grandma's PC and be able to download attachments.


Microsoft
@Patrick F wrote:

Will the read only feature apply to users using the Outlook desktop app?

For example, I want to make sure users don't install Outlook on grandma's PC and be able to download attachments.

You can actually do similar Conditional Access Policies for the office apps.  In the example I walked through, we restricted to just the Web apps (Outlook on the Web).  However, you can create a policy that restricts the Windows apps. 


What you are describing, you might actually want to explore the On/Off Network Policy section of Conditional Access.

Microsoft

@JMSIII wrote: Very nice extension to OWA policy and I can leverage AAD conditions to control when this is applied.

Really happy to hear you are liking this feature!  I think it really helps protect data, while still enabling our users to access data in a rich experience!


There is an enterprise ask to limit additional features in one of these type sessions. One business unit wants their users to see calendar only for instance. Due to data loss concerns, our security team would also like to disable printing - although we try to explain that you can copy HTML content from a browser window no matter what we do.

Right now we don't have anything on our roadmap to limit large portions of the app, such as restricting to only Calendar when not on a compliant device.  However, can you provide a bit more detail on why they would want this?  Calendar items can have just as sensitive data in them as their email.  Plus, as you know, creating calendar invites relies on mail as well.


For printing, even if the Outlook on the Web app removes and hides all of the printing functionality, this would not be able to disable the print functionality that is right in the browser.  The web app isn't able to disable that functionality.  Does just hiding the print buttons in our app help?


Are there any plans to extend the other controls in an OWA policy to be part of the 'Limited Experience'? I see a section but cannot edit it called "ConditionalAccessFeatures".

Right now, we don't have anything to share.  However, we are keeping a very close eye on how everyone wants to see this scenario grow.  So offer up all of your feedback, we are for sure listening!

Iron Contributor

@David Los Would this allow users on non-compliant devices to access Teams in a limited capacity?

Brass Contributor

What happens to users without Intune licenses or where excluded from Azure Conditional Access policies?

Will users need to have compliant devices regardless of Conditional Access policies & licenses assigned?

Copper Contributor

Is there a way to force a device as compliant based on criteria I can control without Intune ??

Unfortunately Microsoft still shows no attitude toward letting device management solutions other than Intune set the compliance status for iOS, Android and macOS devices. Only Windows 10 has an open management API for others. A very sad story.

Copper Contributor

@David Los 


This is a great video, but I don't understand the pro/cons best practices to using "App enforced Restrictions" vs. using "MCAS Conditional Access App Control"

Iron Contributor

@Peter Meuser JAMF can also set the compliance state for Macs.  I'm not sure if it can also do it for iOS or not. 


@Jonathan Schaumloeffel My understanding is that App enforced restrictions are basically a light version of MCAS Conditional Access App Control that doesn't require an E5 level license.  From what I can tell from testing with app enforced restrictions, it actually uses MCAS, just with a more limited set of capabilities.

Copper Contributor

I was able to test this policy using trusted location as one of the conditions. When the restricted Read control is applied it works fine for Office and PDF files (preview and save to OneDrive). Unfortunately it totally blocks image files (JPEG, PNG etc. and TXT file types) from being saved to OneDrive.

Surely it should let you save other file types to OneDrive?

Microsoft

Hi Hitesh -

I was able to test this policy using trusted location as one of the conditions. When the restricted Read control is applied it works fine for Office and PDF files (preview and save to OneDrive). Unfortunately it totally blocks image files (JPEG, PNG etc. and TXT file types) from being saved to OneDrive.

You should be able to save directly to OneDrive even if you are not on a compliant machine.  Are you using the new Outlook on the Web experience or the old version?  It might be a bug that we can investigate.

Copper Contributor

@Greg_C_Gilbert so it is using the MCAS Reverse Proxy for App enforced restrictions? That seems contrary to what I have heard. 

Copper Contributor

I have tested "App based restriction" session-based conditional access to block users from downloading files from OWA on unmanaged devices. It is blocking file download and giving limited access to unmanaged devices, that's fine, but why is it giving the same experience on managed devices too? Can anyone help me here? It would be a great help.

Iron Contributor

@Sonam Singh Chouhan It is global, not for managed or unmanaged devices, because you will create policies tenant-wide which apply on both managed and unmanaged platforms! So the article heading posted here is wrong! Should you have any queries, kindly refer to my article on how it works: https://www.linkedin.com/pulse/full-command-over-outlook-web-now-conditional-access-policies-sinha/

Copper Contributor

@Mitul Sinha I know the whole process, but it should not block managed devices. If anyone can help me here.

Iron Contributor

@Sonam Singh Chouhan I am still in a dilemma about how to answer your question, as why should I apply this policy to my managed devices which are already secured as Compliant Devices!! @Oliver Kieselbach @David Los If you could help her in understanding the same!

Copper Contributor

CA and OWA mailbox policy apply to users; after implementing this policy, why are corporate devices getting limited access? It should not be the case, right? Have you tested both scenarios?

Iron Contributor

@Sonam Singh Chouhan That's really a conflicting point here as per the article mentioned here, but let me draw your attention to the devices part: we are not applying this on a platform level here, we are targeting only the users, and we also haven't based it on compliance-level policies. So I'm afraid to tell you that this article has some gaps, as it explains only how OWA policies get restricted on document downloading, or no access to image files, if you apply an OWA mailbox policy with CA app enforced restrictions from any device, BYOD or corporate! Meanwhile I am about to get the results from my tenant for your questions and will answer the same soon!

Brass Contributor

Would this, in conjunction with setting Enforce App restrictions in SharePoint to "web access only" for unmanaged devices, prevent the user from attaching files from OneDrive and SharePoint?

Iron Contributor

@AndyfF360 That you can set up from SharePoint Admin Center itself going to Access control option and also you need to setup some changes to conditional Access policies if you are looking to apply to specific users but this will be applicable only to OneDrive and SharePoint not to Outlook on Web part! For Exchange online limited access to users you must have to use app enforced only option from Conditional Access Session tab! 

[Screenshot: SharePoint and OneDrive Limited Access settings from Access Control using SharePoint Admin Center]

Copper Contributor

Is there any capability in Exchange Online, Microsoft 365 or Azure to limit the ability to copy content from Exchange Online?

Iron Contributor

@John_Igbokwe Hello, I am afraid to inform you that within Exchange Online there is no option, but yes, for restricting copy/paste/cut all you need is to apply MAM policies from App Protection, where we target the Approved Client Apps - Exchange Online from Conditional Access Policies using Microsoft Intune via Enterprise Mobility+Security. I know your next question may be about EM+S (Enterprise Mobility+Security), so I would like to tell you that Microsoft 365 has several plans where EM+S is a part of it, like M365 Business, M365 Enterprise Plans and M365 F1, so you can go through EM+S separately from this link, Enterprise Mobility + Security Features, which will give you Microsoft Intune as a workload to apply all your relevant queries and will resolve your issue!!

Copper Contributor

@Mitul Sinha Thanks for your response. I have already configured and deployed MAM policies from App Protection and also configured conditional access to only allow limited experience in Exchange Online  (no downloads or printing), but neither App protection nor conditional access policies prevents copy/paste when a user accesses Exchange Online from a web browser. Please let me know if your experience is different. Thanks!

Iron Contributor

@John_Igbokwe Could we say, why not use the Intune Managed Browser rather than accessing Exchange Online from a third-party browser such as Safari, Chrome, Firefox, Internet Explorer, Edge etc.? I would allow users to access all online version apps only from an Intune Managed Browser and block these third-party browsers from App Protection/Conditional Access Policies!! Let me know if this helps..

Copper Contributor

@Mitul Sinha Even with Microsoft Edge - which is an enlightened app, you can copy/paste from Exchange Online when accessed from Microsoft Edge.

Iron Contributor

@John_Igbokwe I knew that, and that's the reason I told you about using the Intune Managed Browser, where we can restrict data transfer to policy-managed apps only!

Copper Contributor

@Mitul Sinha To clarify, I am talking about accessing Exchange Online from a Microsoft Edge browser on a Windows 10 computer ... I found that there is no MAM app protection policy and/or conditional access policy that can restrict copy/paste from the Edge browser. 

Iron Contributor

@John_Igbokwe I can understand it is not there; we need to check with Microsoft and will provide the feedback for Windows 10! Thank you for the concern.

Copper Contributor

Two questions if I may:

  1. Can I set this up for Browser Only?  I already have a CA policy that restricts Desktop and Mobile apps from access unless they are Hybrid Azure AD Joined/Compliant.
  2. Can I use Device conditions with this to specify just Windows and Macs?  I don't want to affect my mobile users who are already using App Protection (MAM) policies rather than enrollment so are technically unmanaged devices.  In the past changes that I made to CA policies to restrict access for unmanaged devices tried to force the mobile devices to enroll to become compliant. Didn't work out well.  
Iron Contributor

@Derek Pickell - Let me tell you one thing: from the Mobile Apps and Desktop Client Apps (Windows OS) perspective you can have restrictions from MAM policies with or without enrolment! I am afraid to say about macOS functionality from App Protection Policy, but for iOS, iPadOS, Windows and Android devices MAM and MDM can both work together, so even if you push MDM policies marking the device as compliant there's no issue; you can still apply MAM policies to Enrolled Devices and Unmanaged Devices to have restrictions on Cut/Copy/Paste, Printing or backing up to the local system. For document restrictions/attachment protection, downloading and all, go with AIP policies if you are looking to protect Mobile or Desktop Client Apps!

Copper Contributor

You misunderstand, my question is not about MAM at all.  Or about Mobile apps and Desktop clients.  I must have done a really poor job communicating this initially for you to get it so backwards. I'll try to clarify.
My questions were:
"Can I use Device Platforms under Conditions in this CA policy to specify just Windows and Macs so that iOS and Android aren't impacted?", and
"Can I select just Browser in the Client Apps part of Conditions so that I am not selecting Mobile Apps and Desktop clients?".  

Iron Contributor

@Derek Pickell If you are talking about the above article's OWA policy for restriction of downloading and offline access, then it is applicable to OWA only, not at the application level, be it Desktop or Mobile App! And if you try to achieve the same OWA restriction policy only for Windows and macOS, then yes, very well possible; you need to uncheck the Android and iOS platforms!! And it is not even required to choose the Conditions tab just because you are looking to apply the policy at the platform level; then set the policy only for the platform level. From the Client Apps perspective this is not even required, as this policy works only for browser-level access, i.e. OWA limited access! Kindly go through the article given above, else you can check my article as well on LinkedIn: https://www.linkedin.com/pulse/full-command-over-outlook-web-now-conditional-access-policies-sinha/
