Read Only And Attachment Download Restrictions in Exchange Online


Microsoft have released a tiny update to Exchange Online that has massive implications. I say tiny in that it take like 30 seconds to implement this (ok, may 60 seconds then).

When this is enabled, and below I will describe a simple configuration for this, your users when using Outlook Web Access on a computer that is not compliant with a conditional access rule in Azure AD, will result in OWA that is read only – attachments can be viewed in the browser only and not downloaded. There is even a mode to have attachments completely blocked.

So how to do this.

Step 1: Enable the OwaMailboxPolicy New Setting

Only users whose OWAMailboxPolicy have the ConditionalAccessPolicy set to ReadOnly or ReadOnlyPlusAttachmentsBlocked are impacted by this feature and only when the Conditional Access policy so restricts their session. For example if you wanted a subset of users to always have this restriction regardless, but not other users then you would create a new OwaMailboxPolicy and set the ConditionalAccessPolicy setting. Once that is done you would apply the policy to the selected users, but if you wanted this restriction to apply to all users, but only when they are on a personal (not-compliant or trusted), then you would apply the OWA policy to all users and the conditional access policy to All Users as well.

In my example I am just going to update the default policy, becuase I want read only view for all users who fall out of the conditions of the policy. So in Exchange Online PowerShell I run the following:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

This, once the conditional access policy takes effect will restrict downloads in OWA. The second option is to use ReadOnlyPlusAttachmentsBlocked instead of ReadOnly. This blocks attachment viewing as well. The value “Off” turns off the restrictions again. “Off” is the default value.

Step 2: Create a Conditional Access Policy in Azure AD

You need an Azure AD Premium P1 licence for this feature.

Here I created a policy that applied to one user and no other policy settings. This would mean this user is always in ReadOnly mode. In real world scenarios you would more likely create a policy that applied to a group or All Users and excluding network ranges or compliant devices and not individual users and forced ReadOnly only when other conditions such as non-compliant device (i.e. home computer) where in use.

The steps for this are:

imageimageimageimage

The pictures, as you cannot create the policies in the cmdline, are as follows:

a) New policy with a name. Here it is “Limited View for ZacharyP”

b) Under “Users and Groups” I selected my one test user. Here you are more likely to pick the users for whom data leakage is an issue

c) Under “Cloud apps” select Office 365 Exchange Online. I have also selected SharePoint, as the same idea exists in that service as well

d) Under Session, and this is the important one, select “Use app enforced restrictions”. For Exchange Online, app enforced restrictions is the value of ConditionalAccessPolicy for the given user.

Step 3: View the results

Ensure the user is licenced to have a mailbox and Azure AD Premium P1 and ensure they have an email with an attachment in it for testing.

In the screenshot you can see circled where the Download link is normally found:

image

And where the attachment is clicked, there is now a greyed out Download button and a banner is seen in both views telling the user of their limited access.

image

The user interface to OWA (in 2018) looks as follows:

image

With ReadOnlyPlusAttachmentsBlocked set as the ConditionalAccessPolicy value, the attachment cannot be viewed. This is what this looks like (new OWA UI):

image

And SharePoint and OneDrive, just because it is very similar!

This is outlined in https://c7solutions.com/2019/04/read-only-and-document-download-restrictions-in-sharepoint-online


by

Tags:

Comments

8 responses to “Read Only And Attachment Download Restrictions in Exchange Online”

  1. Greg avatar
    Greg

    Hello Brain,

    Thanks for this article. I tried Creating a new policy to use instead of the using the default owamailboxpolicy in my test tenant but did not work with my CA policy.

    New-OwaMailboxPolicy -Name “Restricted Download Access”
    Set-OwaMailboxPolicy -Identity “Restricted Download Access” -ConditionalAccessPolicy ReadOnly

    But when I updated the default owamailboxpolicy, it worked.
    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

    Any reason why the new owamailboxpolicy didn’t work with my Conditional access policy in Azure and the existing default owamailboxpolicy does worked? Why is this the case.?

    1. Brian Reid avatar

      Jut checking, but when you made the new policy – you did apply that to the users who the Conditional Access rule applied to as well? By default the “Default” policy applies to all users – if you have the “default” policy applying to your users but the OWA/Read Only change is in a different policy, then the Conditional Access rule will not work because the policy on the actual user is not changed.

  2. Greg avatar
    Greg

    Jut checking, but when you made the new policy – you did apply that to the users who the Conditional Access rule applied to as well? Yes I did.

    1. Greg avatar
      Greg

      Just checking, but when you made the new policy – you did apply that to the users who the Conditional Access rule applied to as well? Yes I did apply to a group of users and not everyone using the new owamailboxpolicy I created. So how do I make it to work with the newowapolicy I created because I don’t want to touch the default owa policy.

  3. Greg avatar
    Greg

    I saw this article and applied Set-Cas to make it work with a newly created owamailboxpolicy

    https://petri.com/conditional-access-blocks-office-365-downloads/

    New-OwaMailboxPolicy -Name “Restricted Download Access”
    Set-OwaMailboxPolicy -Identity “Restricted Download Access” -ConditionalAccessPolicy ReadOnly
    The Set-CASMailbox cmdlet assigns the policy for a mailbox. For example:

    Set-CASMailbox -Identity “Sanjay” -OwaMailboxPolicy “Restricted Download Access”

    1. Brian Reid avatar

      So I have only ever done this with the Default OWA mailbox policy. If the user is not in scope for the Conditional Access rule then nothing happens. All the policy does is to say what happens when the CA rule is triggered. So set Default policy to “ReadOnly” and then pilot the change with a CA rule that is targeted to a few users. Only these users get the CA rule and only these users get OWA in ReadOnly mode (if the rule passes). If a user is not covered by the CA rule (or it fails) then the user gets standard OWA irrespective of what the ConditionalAccessPolicy setting reads as

  4. GRE avatar
    GRE

    Hello Brain,

    Will adding coverage for any device and allowing modern authentication clients of browser type to the ‘Read-Only and Attachment Download Restrictions in Exchange Online’ policy cause any issues? Specifically, will these restrictions continue to function as intended?

    1. Brian Reid avatar

      If the application is a browser, it will render OWA and the attachments will be blocked. If you have an application that is not a browser, but is telling Exchange Online that it is, then it will get the HTML rendered to block downloads.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.