Microsoft Exchange Online Management
Block any email clients on Windows except Outlook Web
Greetings, I'm opening this discussion to speak about how to block access to Exchange Online from any email client (Outlook, Windows 10 Mail, new Outlook for Windows, third-party client) on Windows devices (either Intune-unmanaged, Intune-managed, Microsoft Entra joined, Microsoft Entra registered, Microsoft Entra hybrid joined). Outlook web is only allowed.

TEST 1

My initial attempt, as mentioned in this post, "how to block the Outlook desktop app while allow them use the Outlook On the Web (OWA)", was to block access through a Conditional Access policy.

Target resources: Office 365 Exchange Online
Conditions > Device platforms: Windows Phone, Windows, Linux
Conditions > Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients
Grant: Block access

Results: I realized it isn't applicable because, even if it meets the goal, it is also blocking applications like Microsoft Teams.

TEST 2

I modified the CA policy by allowing access from compliant devices or hybrid joined:

Target resources: Office 365, Office 365 Exchange Online and Office 365 SharePoint Online
Conditions > Device platforms: Windows Phone, Windows, Linux
Conditions > Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients
Grant: Grant access to Require device to be marked as compliant, Require Microsoft Entra hybrid joined device (Require one of the selected controls)

Results: In this way, I can force clients to be compliant (Intune-managed) or hybrid joined, at least; however, I cannot control access from email clients (consider, for example, a scenario in which end-users have Outlook installed for opening files in MSG or EML format).

TEST 3

The only way I found to achieve the goal was to take action on Exchange Online, by manipulating these properties for each mailbox via PowerShell (Set-CASMailbox):

1. MAPIEnabled = false (block Outlook)
2. UniversalOutlookEnabled = false (block Windows Mail app)
3. OneWinNativeOutlookEnabled = false (block new Windows Mail app)

It seems that even if blocked (2), I can still configure and access the mailbox via Windows Mail.

I also realized (Welcome Sir !!! 🙂) that even if the above properties appear at Plan level (Get-CASMailboxPlan), it isn't possible to set them (Set-CASMailboxPlan); but it is possible to disable, for example, IMAP and POP (?).

This solution assumes running a PowerShell script for setting these properties on new mailbox creation.

Any other suggestions?
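
One way to script the per-mailbox settings from TEST 3 so that it can be re-run on a schedule and pick up newly created mailboxes, as an added example that is not part of the original post. It assumes an already connected Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to run Set-CASMailbox, and that Get-CASMailbox returns the three properties named in the post; the file name Set-OwaOnlyClientAccess.ps1 is hypothetical.

```powershell
# Set-OwaOnlyClientAccess.ps1 (hypothetical name; added example, not from the post)
# Finds mailboxes where any of the three client-access settings from TEST 3
# is not yet $false and corrects only those settings. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param()

# Desired state: the three properties listed in the post, all disabled.
$desired = @{
    MAPIEnabled                = $false
    UniversalOutlookEnabled    = $false
    OneWinNativeOutlookEnabled = $false
}

$report = foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    # Keep only the settings that differ, so compliant mailboxes are skipped
    # and each Set-CASMailbox call changes the minimum necessary.
    $drift = @{}
    foreach ($name in $desired.Keys) {
        if ($mbx.$name -ne $desired[$name]) { $drift[$name] = $desired[$name] }
    }
    if ($drift.Count -eq 0) { continue }

    $status = 'Skipped (-WhatIf or declined)'
    $action = "Set $($drift.Keys -join ', ') to False"
    if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, $action)) {
        try {
            # The mailbox GUID avoids ambiguity between similar display names.
            Set-CASMailbox -Identity $mbx.Guid.ToString() @drift -ErrorAction Stop
            $status = 'Updated'
        }
        catch {
            # Record the failure and continue with the remaining mailboxes.
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Mailbox = $mbx.PrimarySmtpAddress
        Drift   = ($drift.Keys | Sort-Object) -join ', '
        Status  = $status
    }
}

# One row per mailbox that was not yet in the desired state.
$report | Sort-Object Mailbox | Format-Table -AutoSize
```

Running it first with -WhatIf lists the mailboxes that would change without modifying them.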