Bypass Blocking PDF Previews in OWA

Published 03-12-2021 09:00 AM 2,092 Views
Microsoft

By: @Caroline_Lee 

 

Welcome to the Real Time Controls blog series! This series will focus on the Real Time Controls pillar in Microsoft Cloud App Security (MCAS) and how to work through some unique use cases, workarounds and pointers when configuring your policies.

 

For those of you who are unfamiliar with Real Time Controls in Cloud App Security, check out our documentation located here: Deploy Cloud App Security Conditional Access App Control for Azure AD apps | Microsoft Docs. In short, MCAS uses a reverse proxy to monitor user sessions and apply controls in real time (i.e. Block downloads to an unmanaged device). Keep in mind, you can only leverage this feature set for the web versions of applications, not thick clients (one of the most frequently asked questions). If you’re interested in a blog dedicated to how to protect that scenario, please like this post!

 

For the first blog, I wanted to share a use case that has been popping up over the last couple of months.

 

Use Case: Block downloads to unmanaged devices for ExchangeOnline.

 

Current Behavior: When a user accesses the Outlook Web Application (OWA) and tries to preview a PDF attachment, they are blocked by MCAS. This is because in some browsers the PDF needs to be downloaded on the backend in order to preview it.

 

Technically, MCAS is satisfying the use case as expected. It recognizes a download, so it blocks the action. Some customers have expressed that blocking the preview inhibits users from completing daily tasks. Good news! We have found a workaround for this exact scenario.

 

There is a PowerShell module specifically for Exchange Online that will allow users to preview PDF but remove the download functionality so data will remain protected even if accessed from an unmanaged device.

 

Here are the steps:

 

Note: The “OwaMailboxPolicy-Default” is the default OWA policy in EXO. It is possible customers have deployed additional or created a custom OWA policy with a different name. If customers have multiple OWA policies, they may have those applied to specific users. Therefore, those would also need to be updated to have complete coverage.

 

  1. Download the Exchange Online Powershell Module: PowerShell Gallery | ExchangeOnlineManagement 2.0.4
  2. After this the user will need to connect to the module (depending on the tenant here is the list of commands):
    1. Connect to Exchange Online PowerShell | Microsoft Docs
  3. Once the user has established connection to the exchange online Powershell, they will need to update two command lines
  4. Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs:
    1. Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -DirectFileAccessOnPrivateComputersEnabled $false -DirectFileAccessOnPublicComputersEnabled $false
  5. After these parameters have been set, run a test on OWA with a PDF file & a session policy configured to block downloads. The “Download,” option should be removed from the dropdown and the user can preview the file.
  6. Before Powershell cmd:

Caroline_Lee_0-1615812660625.jpeg

 

After Powershell cmd:

Caroline_Lee_1-1615234015842.png

 

 

Thanks for tuning in on the first post on Real Time Controls. Look out for these steps in the Troubleshooting guide (https://docs.microsoft.com/en-us/cloud-app-security/troubleshooting-proxy). If there are any scenarios you’re curious in seeing, please leave a comment below.

 

------- 

Feedback  

Let us know if you have any feedback or relevant use cases/requirements for this portion of Microsoft Cloud App Security by emailing CASFeedback@microsoft.com and mentioning the core area of concern. 

  

Learn more  

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:  

 

Join the conversation on Tech Community.   

Stay up to date—subscribe to our blog.   

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network.  

Learn more—download Top 20 use cases for CASB.  

Connect your cloud apps to detect suspicious user activity and exposed sensitive data.  

Search documentation on Microsoft Cloud App Security.   

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment.  

Understand your licensing options .   

Continue with more advanced use cases across information protection, compliance, and more.  

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training.   

Go deeper with these interactive guides:  

·         Discover and manage cloud app usage with Microsoft Cloud App Security  

·         Protect and control information with Microsoft Cloud App Security  

·         Detect threats and manage alerts with Microsoft Cloud App Security  

·         Automate alerts management with Microsoft Power Automate and Cloud App Security   

  

To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security.  

  

Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity.  

3 Comments
New Contributor

The screenshots appear to be inaccurate.

New Contributor

The ability to use real-time controls is really exciting frontier!

We have not started using this yet, but great to know there is a workaround

 

Thank you for posting 

Microsoft

@skaggejFMI Good catch! I've updated the blog, just waiting for changes to be published. Thank you!

Co-Authors
Version history
Last update:
‎Mar 15 2021 05:51 AM
Updated by: