Restrict downloading attachments from OWA

Block downloading attachments from OWA

In this scenario

We will demonstrate how to block downloading files from Outlook on the web and only save them to OneDrive using -ConditionalAccessPolicy
PowerShell parameter with set-OwaMailboxPolicy

Applies to: online OneDrive and Sharepoint Online

The ConditionalAccessPolicy parameter specifies the Outlook on the Web Policy for limited access. For this feature to work properly, you also need to configure a Conditional Access policy in the Azure Active Directory Portal.

Note: When you enable a Conditional Access policy, users will no longer be able to access the light version of Outlook on the web. An error message will direct them to use the default premium experience.


  • Connect to PowerShell online management shell for exchange
  • Create new OWA mailbox policy
  • Crate a group for the required uses to block them from downloading
  • Create conditional access policy in azure
  • Creating Application enforced restrictions conditional access
  • Testing our policy from blocked user and unblocked user
  • Confirm it is working fine
  • Remove the policy
  • Reference for all the links and commands
The following is the message you wish to see for the end users

Your organization doesn’t allow you to download or print attachments from this device or browser.

You can still view attachments in your browser. For more information, contact your IT administrator.

Connect to PowerShell online management shell for exchange

Install-Module -Name ExchangeOnlineManagement
#Installing the PowerShell module
Update-Module -Name ExchangeOnlineManagement
#Update to the latest Version
# connect to exchange online
Get-OwaMailboxPolicy | Fl -Property ident*
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly 
Get-OwaMailboxPolicy  | select-object ConditionalAccess*

First get the OWA mailbox policy and check it is name

Create new OWA mailbox policy

  • ReadOnly: Users can’t download attachments to their local computer and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
  • ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

Then get the configuration

Get-OwaMailboxPolicy | select-object ConditionalAccess*

Optional you can crate group to apply conditional access to or just apply it to all users

Crate conditional access policy now and choose the group you want And choose office 365exhange online

Note: I have added sharepoint also cause I ll create the same restrictions for OneDrive in a later post

Use app enforced restriction


Now I sent to the user who isnt member of the blocked group in azure conditional access

He supposed to be able to download

Confirm it is working fine

Testing from user in a blocked group

This user isnt supposed to open attachments from OWA he is in the conditional access which prevent users

If you want to remove the policy

Remove-OwaMailboxPolicy -Identity name

Reference for all the links and commands

3 thoughts on “Restrict downloading attachments from OWA

Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at

Up ↑

%d bloggers like this: