cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New Outlook opens security hole

drogu-kangaroo
Copper Contributor

‎May 22 2023 03:11 PM

‎May 22 2023 03:11 PM

New Outlook opens security hole

Hello,

We just tested the New Outlook and discovered that it allows users to add personal Gmail accounts to their Outlook profile. We have intentionally blocked 3rd party email services to prevent data loss. We don't ever want an end user to be able to send out confidential corporate information with their personal email account. Is there no way to disable this 'feature' for our tenant? You are now effectively bypassing all the data loss prevention security we have put in place around email, including explicit blocks for Gmail and Yahoo on our firewall. 

12.7K Views
3 Likes
24 Replies
Reply
24 Replies
drogu-kangaroo

‎May 23 2023 03:32 PM

‎May 23 2023 03:32 PM

Re: New Outlook opens security hole

66 views but no replies. Am I in the correct forum for asking this question? 
Any suggestions from anyone on where I can post this question and get Microsoft's attention? This is a pretty serious security concern. Just because you can allow users to add personal email accounts to Outlook doesn't mean all business are OK with that. We need to be able to choose. 

0 Likes
Reply
Victor Ivanidze

‎May 23 2023 11:51 PM

‎May 23 2023 11:51 PM

Re: New Outlook opens security hole

Hello,
but the old Outlook also allows users to add personal Gmail accounts to their Outlook profile, isn't it?
0 Likes
Reply
Robert Young

‎May 24 2023 06:07 AM

‎May 24 2023 06:07 AM

Re: New Outlook opens security hole

The old outlook allows you to block via policy. The new outlook creates a connection to your gmail and syncs everything to Microsoft Cloud and the old policies do not apply. I am also trying to find a way to disable this feature.
1 Like
Reply
Robert Young

‎May 24 2023 09:58 AM

‎May 24 2023 09:58 AM

Re: New Outlook opens security hole

Just an FYI, I am just in the process of testing the OWA polices which seem to apply to both Outlook on the Web and "New Outlook".
I have setup a test OWA policy:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy
Then I applied the policy to a test user:
Set-CASMailbox email address removed for privacy reasons -OwaMailboxPolicy TestOWAPolicy

Just waiting for the policy to kick-in.

Here is the link for reference:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/...
2 Likes
Reply
drogu-kangaroo

‎May 29 2023 01:40 PM

‎May 29 2023 01:40 PM

Re: New Outlook opens security hole

Hello Robert,
I appreciate your response. I am very curious if this worked for you. Can you update us on the results?
0 Likes
Reply
Robert Young

‎May 29 2023 02:37 PM

‎May 29 2023 02:37 PM

Re: New Outlook opens security hole

Sorry for the late response, this did not work for me but I believe this will be the setting to control this access. Trying to get clarification from Microsoft.
0 Likes
Reply
drogu-kangaroo

‎May 29 2023 05:26 PM

‎May 29 2023 05:26 PM

Re: New Outlook opens security hole

Hey. No reason to apologize. You're helping me out for free!

I am really hoping Microsoft has some clarity to offer. Hard to believe they unilaterally decided to allow personal email on all corporate networks without some kind of security controls for administrators.
0 Likes
Reply
HeyHey16K

‎Jun 16 2023 01:56 AM

‎Jun 16 2023 01:56 AM

Re: New Outlook opens security hole

We just started trialling new Outlook and noticed this too. Our Office policy explicitly blocks any non-Exchange accounts, which classic Outlook respects, but new Outlook ignores. Be good to hear from Microsoft on this, hopefully it's just an oversight.
0 Likes
Reply
HeyHey16K

‎Jun 16 2023 06:43 AM

‎Jun 16 2023 06:43 AM

Re: New Outlook opens security hole

We just had this reply from Microsoft support:

I checked with our escalations team, and the feature you are asking for, which is to prevent end users from adding their personal or third-party accounts is being developed. We do not have an exact ETA on when it will be rolled out, but it's a high priority item requested by other enterprise organizations, so hopefully soon.

In the meantime, the workaround to mitigate the security risks is to disable the new Outlook, either by hiding the toggle switch, restricting mailbox connections, or both.

Hope the provided information has addressed your concern,
Regards!
0 Likes
Reply
TandyWine

‎Jun 20 2023 06:44 AM

‎Jun 20 2023 06:44 AM

Re: New Outlook opens security hole

Here's a request I made on Microsoft's feedback portal to request that they add the capability to the new Outlook to prevent users from adding mailboxes outside the current company tenant. Please click and comment and upvote! https://feedbackportal.microsoft.com/feedback/idea/13a11c07-700f-ee11-a81c-000d3ae5b6f4
0 Likes
Reply
drogu-kangaroo

‎Jun 30 2023 10:49 AM

‎Jun 30 2023 10:49 AM

Re: New Outlook opens security hole

While we wait for Microsoft to provide a way to block 3rd party email from being added by end users, we were able to completely disable New Outlook following the steps in this article: 

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/... 

 

We also deployed a registry change to end users with PowerShell to remove the button from Outlook. Run in user context because the key is HKCU

 

 

Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\office\16.0\Outlook\Options\General' -Name "HideNewOutlookToggle" -Value 1

 



0 Likes
Reply
Simon725

‎Sep 11 2023 01:56 PM

‎Sep 11 2023 01:56 PM

Re: New Outlook opens security hole

Of equal concern is the datagrab of gmail info MS exerts by funneling all local account data through MS cloud. What on earth happened to the concept of a client?

I'll be switching my primary mail client to Thunderbird or similar, with no intention of putting every gmail account I have into the same bucket as my outlook data in the MS cloud.
0 Likes
Reply
Robert Young

‎Sep 12 2023 11:58 AM

‎Sep 12 2023 11:58 AM

Re: New Outlook opens security hole

@drogu-kangaroo 

Just an update, I performed the following test again and it did work:
Create a test owa policy using powershell:
New-OwaMailboxPolicy TestOWAPolicy
Then I disabled personal accounts:
Set-OwaMailboxPolicy -PersonalAccountsEnabled -$false -identity TestOWAPolicy
Then I applied the policy to a test user:
Set-CASMailbox <email address removed for privacy reasons> -OwaMailboxPolicy TestOWAPolicy

I then tried to add my personal mailbox to my outlook. It goes through the motions and just as it is about to sync, I get this:

RobertYoung_0-1694545097984.png

 

4 Likes
Reply
TandyWine

‎Sep 12 2023 12:15 PM

‎Sep 12 2023 12:15 PM

Re: New Outlook opens security hole

Robert, this is good news. I just wanted to confirm - is this true for the new Outlook desktop client?
0 Likes
Reply
Robert Young

‎Sep 12 2023 02:08 PM

‎Sep 12 2023 02:08 PM

Re: New Outlook opens security hole

This is for the new Outlook client. I am about to test it with a handful of users.
0 Likes
Reply
Kostas1978

‎Sep 15 2023 12:47 AM

‎Sep 15 2023 12:47 AM

Re: New Outlook opens security hole

Guys is there a way to remove already added accounts on user's outlook profile? Ok we are blocking them from adding new, but how can i manage the already added ones?
0 Likes
Reply
Yogi777

‎Sep 24 2023 11:35 PM

‎Sep 24 2023 11:35 PM

Re: New Outlook opens security hole

Absolutely horrible but the policy setting -PersonalAccountsEnabled $false works.

Microsoft please...
0 Likes
Reply
TandyWine

‎Sep 25 2023 06:09 AM

‎Sep 25 2023 06:09 AM

Re: New Outlook opens security hole

Yogi777, did the setting -PersonalAccountsEnabled $false work for the NEW Outlook desktop client?
0 Likes
Reply
Yogi777

‎Sep 25 2023 06:18 AM

‎Sep 25 2023 06:18 AM

Re: New Outlook opens security hole

@TandyWine

 

Yes

0 Likes
Reply