New Outlook opens security hole

Hello,

We just tested the New Outlook and discovered that it allows users to add personal Gmail accounts to their Outlook profile. We have intentionally blocked 3rd party email services to prevent data loss. We don't ever want an end user to be able to send out confidential corporate information with their personal email account. Is there no way to disable this 'feature' for our tenant? You are now effectively bypassing all the data loss prevention security we have put in place around email, including explicit blocks for Gmail and Yahoo on our firewall. 

24 Replies

66 views but no replies. Am I in the correct forum for asking this question? 
Any suggestions from anyone on where I can post this question and get Microsoft's attention? This is a pretty serious security concern. Just because you can allow users to add personal email accounts to Outlook doesn't mean all businesses are OK with that. We need to be able to choose.

Hello,
But the old Outlook also allows users to add personal Gmail accounts to their Outlook profile, doesn't it?
The old Outlook allows you to block it via policy. The new Outlook creates a connection to your Gmail and syncs everything to the Microsoft cloud, and the old policies do not apply. I am also trying to find a way to disable this feature.
Just an FYI, I am in the process of testing the OWA policies, which seem to apply to both Outlook on the Web and "New Outlook".
I have set up a test OWA policy:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -Identity TestOWAPolicy -PersonalAccountsEnabled $false
Then I applied the policy to a test user:
Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy

Just waiting for the policy to kick in.

Here is the link for reference:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/...
Hello Robert,
I appreciate your response. I am very curious if this worked for you. Can you update us on the results?
Sorry for the late response, this did not work for me but I believe this will be the setting to control this access. Trying to get clarification from Microsoft.
Hey. No reason to apologize. You're helping me out for free!

I am really hoping Microsoft has some clarity to offer. Hard to believe they unilaterally decided to allow personal email on all corporate networks without some kind of security controls for administrators.
We just started trialling new Outlook and noticed this too. Our Office policy explicitly blocks any non-Exchange accounts, which classic Outlook respects but new Outlook ignores. It would be good to hear from Microsoft on this; hopefully it's just an oversight.
We just had this reply from Microsoft support:

I checked with our escalations team, and the feature you are asking for, which is to prevent end users from adding their personal or third-party accounts is being developed. We do not have an exact ETA on when it will be rolled out, but it's a high priority item requested by other enterprise organizations, so hopefully soon.

In the meantime, the workaround to mitigate the security risks is to disable the new Outlook, either by hiding the toggle switch, restricting mailbox connections, or both.

Hope the provided information has addressed your concern,
Regards!
Here's a request I made on Microsoft's feedback portal to request that they add the capability to the new Outlook to prevent users from adding mailboxes outside the current company tenant. Please click and comment and upvote! https://feedbackportal.microsoft.com/feedback/idea/13a11c07-700f-ee11-a81c-000d3ae5b6f4

While we wait for Microsoft to provide a way to block 3rd party email from being added by end users, we were able to completely disable New Outlook following the steps in this article: 

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/...

We also deployed a registry change to end users with PowerShell to remove the button from Outlook. Run it in the user context, because the key is under HKCU:

Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\office\16.0\Outlook\Options\General' -Name "HideNewOutlookToggle" -Value 1

Of equal concern is the datagrab of gmail info MS exerts by funneling all local account data through MS cloud. What on earth happened to the concept of a client?

I'll be switching my primary mail client to Thunderbird or similar, with no intention of putting every gmail account I have into the same bucket as my outlook data in the MS cloud.

@drogu-kangaroo 

Just an update, I performed the following test again and it did work:
Create a test OWA policy using PowerShell:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -Identity TestOWAPolicy -PersonalAccountsEnabled $false
Then I applied the policy to a test user:
Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy

I then tried to add my personal mailbox to my outlook. It goes through the motions and just as it is about to sync, I get this:

[screenshot: RobertYoung_0-1694545097984.png]

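An added example, not code posted by anyone in this thread, that scripts the three-step procedure above (create policy, set PersonalAccountsEnabled to $false, assign it) and then audits which mailboxes are still governed by a policy that allows personal accounts. It assumes the ExchangeOnlineManagement module is installed; the policy name and the pilot user addresses are placeholders.

```powershell
# Added example (not from the thread). Creates/assigns an OWA mailbox policy that
# blocks personal accounts, then audits the tenant for mailboxes still allowed to add them.
# Assumes the ExchangeOnlineManagement module; policy name and pilot list are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$PolicyName = 'BlockPersonalAccounts'                          # placeholder
$PilotUsers = @('pilot1@example.com', 'pilot2@example.com')    # placeholders

# 1. Create the policy only if it does not already exist.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}

# 2. Disable personal (Gmail, Yahoo, etc.) account connections on that policy.
Set-OwaMailboxPolicy -Identity $PolicyName -PersonalAccountsEnabled $false

# 3. Assign the policy to the pilot mailboxes.
foreach ($upn in $PilotUsers) {
    Set-CASMailbox -Identity $upn -OwaMailboxPolicy $PolicyName
}

# 4. Audit: map every policy to its PersonalAccountsEnabled flag, then list mailboxes
#    whose effective policy still allows personal accounts. A mailbox with no explicit
#    OwaMailboxPolicy inherits the tenant default policy, so that case is resolved too.
$allPolicies = Get-OwaMailboxPolicy
$allows = @{}
foreach ($p in $allPolicies) { $allows[$p.Name] = [bool]$p.PersonalAccountsEnabled }
$defaultName = ($allPolicies | Where-Object { $_.IsDefault } | Select-Object -First 1).Name

$exposed = foreach ($m in Get-CASMailbox -ResultSize Unlimited) {
    # The assigned policy may be returned as a name or a canonical path; keep the leaf.
    $assigned = if ($m.OwaMailboxPolicy) { ("$($m.OwaMailboxPolicy)" -split '/')[-1] } else { $defaultName }
    if ($allows[$assigned]) {
        [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; EffectivePolicy = $assigned }
    }
}

if ($exposed) {
    Write-Warning "Mailboxes that can still add personal accounts in Outlook on the web / new Outlook:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "No mailbox is governed by a policy that allows personal accounts."
}
```

Re-run step 4 after the rollout; any mailbox left on the default policy will show up there until that policy is also set to `-PersonalAccountsEnabled $false` or the mailbox is moved to the blocking policy.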
Robert, this is good news. I just wanted to confirm - is this true for the new Outlook desktop client?
This is for the new Outlook client. I am about to test it with a handful of users.
Guys, is there a way to remove already added accounts from users' Outlook profiles? OK, we are blocking them from adding new ones, but how can I manage the already added ones?
Absolutely horrible but the policy setting -PersonalAccountsEnabled $false works.

Microsoft please...
Yogi777, did the setting -PersonalAccountsEnabled $false work for the NEW Outlook desktop client?