Security, Compliance, and Identity Blog

Bypass Blocking PDF Previews in OWA

By: Caroline_Lee (Microsoft)
Mar 12, 2021

 

Welcome to the Real Time Controls blog series! This series will focus on the Real Time Controls pillar in Microsoft Cloud App Security (MCAS) and how to work through some unique use cases, workarounds and pointers when configuring your policies.

 

For those of you who are unfamiliar with Real Time Controls in Cloud App Security, check out our documentation here: Deploy Cloud App Security Conditional Access App Control for Azure AD apps | Microsoft Docs. In short, MCAS uses a reverse proxy to monitor user sessions and apply controls in real time (e.g. block downloads to an unmanaged device). Keep in mind that this feature set only applies to the web versions of applications, not thick clients (one of the most frequently asked questions). If you’re interested in a blog dedicated to how to protect that scenario, please like this post!

 

For the first blog, I wanted to share a use case that has been popping up over the last couple of months.

 

Use Case: Block downloads to unmanaged devices for Exchange Online.

 

Current Behavior: When a user accesses the Outlook Web Application (OWA) and tries to preview a PDF attachment, they are blocked by MCAS. This is because in some browsers the PDF needs to be downloaded on the backend in order to preview it.

 

Technically, MCAS is satisfying the use case as expected. It recognizes a download, so it blocks the action. Some customers have expressed that blocking the preview inhibits users from completing daily tasks. Good news! We have found a workaround for this exact scenario.

 

There is a PowerShell module specifically for Exchange Online through which you can set an OWA mailbox policy that lets users preview PDFs but removes the download option, so data remains protected even when accessed from an unmanaged device.

 

Here are the steps:

 

Note: “OwaMailboxPolicy-Default” is the default OWA policy in EXO. Customers may have deployed additional OWA policies or created a custom one with a different name. If customers have multiple OWA policies, those may be applied to specific users, so each of them would also need to be updated for complete coverage.

 

  1. Download the Exchange Online PowerShell module: PowerShell Gallery | ExchangeOnlineManagement 2.0.4
  2. Connect to the module (the list of commands depends on the tenant):
    1. Connect to Exchange Online PowerShell | Microsoft Docs
  3. Once connected to Exchange Online PowerShell, run the following cmdlet, which updates two parameters on the OWA mailbox policy.
  4. Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs:
    1. Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -DirectFileAccessOnPrivateComputersEnabled $false -DirectFileAccessOnPublicComputersEnabled $false
  5. After these parameters have been set, run a test on OWA with a PDF file and a session policy configured to block downloads. The “Download” option should be removed from the dropdown and the user can preview the file.
  6. Before the PowerShell cmdlet: [Screenshot: OWA attachment dropdown with the Download option]

After the PowerShell cmdlet: [Screenshot: OWA attachment dropdown without the Download option]
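As an added example (not part of the original post or any Microsoft script), the following PowerShell covers the note above about tenants with more than one OWA mailbox policy: it applies the two parameters to every policy, records the previous values so the change can be reverted, and verifies the result. The backup file path and the mailbox address are placeholders.

```powershell
# Added example, not the blog's own code. Requires the ExchangeOnlineManagement
# module and an account with rights to edit OWA mailbox policies (assumption).
Connect-ExchangeOnline -ShowBanner:$false

$backupPath = '.\owa-policy-backup.csv'   # placeholder path for rollback data
$previous   = @()

foreach ($policy in Get-OwaMailboxPolicy) {
    # Record the current values before changing anything, so the change is reversible.
    $previous += [pscustomobject]@{
        Identity = $policy.Identity
        Private  = $policy.DirectFileAccessOnPrivateComputersEnabled
        Public   = $policy.DirectFileAccessOnPublicComputersEnabled
    }

    # Disable direct file access on private and public computers: this removes the
    # Download option in OWA while the preview remains available.
    Set-OwaMailboxPolicy -Identity $policy.Identity `
        -DirectFileAccessOnPrivateComputersEnabled $false `
        -DirectFileAccessOnPublicComputersEnabled $false
}

# This is a policy-wide setting, not a per-device condition: every mailbox assigned
# to these policies loses the Download option, managed or not. Keep the rollback data.
$previous | Export-Csv -Path $backupPath -NoTypeInformation

# Verify: every policy should now report False for both settings.
Get-OwaMailboxPolicy |
    Select-Object Identity,
                  DirectFileAccessOnPrivateComputersEnabled,
                  DirectFileAccessOnPublicComputersEnabled |
    Format-Table -AutoSize

# Which policy a given mailbox actually uses (placeholder address).
Get-CASMailbox -Identity 'user@example.com' | Select-Object Identity, OwaMailboxPolicy

# Rollback helper: restore the recorded values from the backup file.
function Restore-OwaFileAccess {
    param([string]$Path = $backupPath)
    foreach ($row in Import-Csv -Path $Path) {
        Set-OwaMailboxPolicy -Identity $row.Identity `
            -DirectFileAccessOnPrivateComputersEnabled ([bool]::Parse($row.Private)) `
            -DirectFileAccessOnPublicComputersEnabled  ([bool]::Parse($row.Public))
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run Restore-OwaFileAccess after reconnecting if the blanket change turns out to be too broad for your tenant.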

 

 

Thanks for tuning in to the first post on Real Time Controls. Look out for these steps in the Troubleshooting guide (https://docs.microsoft.com/en-us/cloud-app-security/troubleshooting-proxy). If there are any scenarios you’re curious to see, please leave a comment below.

 


Updated Nov 02, 2021
Version 6.0
  • Gil Blumberg

    The ability to use real-time controls is a really exciting frontier!

    We have not started using this yet, but great to know there is a workaround

     

    Thank you for posting 

  • Wiz

    Hello,
    We tried the scenario to block downloads on non-Intune-compliant devices and get the same problem when previewing PDFs.

    We tried the workaround using PowerShell to edit the default parameter.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -DirectFileAccessOnPrivateComputersEnabled $false -DirectFileAccessOnPublicComputersEnabled $false

     

    This doesn't really solve the problem but creates a new one. This PowerShell command affects all users, not only non-Intune-compliant devices.

     

    Now Intune-compliant devices cannot download attachments using OWA. I had to change back to the previous settings using $true.

     

    Is this related to a browser technology problem? Is any other fix on the roadmap?

    Thank you.

  • G3645

    As mentioned before, this "workaround" creates new issues. Is there a plan to resolve this issue within MDCA without having to implement a "workaround"?