Block downloading attachments from OWA
In this scenario
We will demonstrate how to block downloading attachments from Outlook on the web, so that users can only save them to OneDrive, using the -ConditionalAccessPolicy parameter of the Set-OwaMailboxPolicy PowerShell cmdlet.
Applies to: online OneDrive and SharePoint Online
The ConditionalAccessPolicy parameter specifies the Outlook on the Web Policy for limited access. For this feature to work properly, you also need to configure a Conditional Access policy in the Azure Active Directory Portal.
Note: When you enable a Conditional Access policy, users will no longer be able to access the light version of Outlook on the web. An error message will direct them to use the default premium experience.
Steps
- Connect to PowerShell online management shell for Exchange
- Create new OWA mailbox policy
- Create a group for the required users to block them from downloading
- Create conditional access policy in Azure
- Creating Application enforced restrictions conditional access
- Testing our policy from blocked user and unblocked user
- Confirm it is working fine
- Remove the policy
- Reference for all the links and commands
Your organization doesn’t allow you to download or print attachments from this device or browser.
You can still view attachments in your browser. For more information, contact your IT administrator.
Connect to PowerShell online management shell for Exchange
Install-Module -Name ExchangeOnlineManagement   # Install the PowerShell module
Update-Module -Name ExchangeOnlineManagement    # Update to the latest version
Connect-ExchangeOnline                          # Connect to Exchange Online
Get-OwaMailboxPolicy | Format-List -Property ident*
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly
Get-OwaMailboxPolicy | Select-Object ConditionalAccess*
First, get the OWA mailbox policy and check its name

Create new OWA mailbox policy
- ReadOnly: Users can’t download attachments to their local computer and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
- ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

Then get the configuration
Get-OwaMailboxPolicy | select-object ConditionalAccess*

Optionally, you can create a group to apply conditional access to, or just apply it to all users
Now create the conditional access policy, choose the group you want, and choose Office 365 Exchange Online
Note: I have also added SharePoint because I'll create the same restrictions for OneDrive in a later post

Use app enforced restrictions

Testing
Now I sent a message to the user who isn't a member of the blocked group in Azure conditional access
He is supposed to be able to download


Confirm it is working fine
Testing from a user in the blocked group
This user isn't supposed to open attachments from OWA; he is in the conditional access which prevents users


If you want to remove the policy
Remove-OwaMailboxPolicy -Identity name
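The steps above as one script, written as an added example that is not part of the original post: it creates a dedicated policy instead of changing OwaMailboxPolicy-Default, assigns it to pilot mailboxes, and then audits which mailboxes are still not covered. The policy name and mailbox addresses are hypothetical placeholders, and the mailbox setting still only takes effect together with the conditional access policy using app enforced restrictions.

```powershell
# Added example. $PolicyName and $PilotMailboxes are hypothetical placeholders.
$PolicyName     = 'OWA-BlockDownload'
$PilotMailboxes = @('user1@contoso.com', 'user2@contoso.com')

Connect-ExchangeOnline

# Create the dedicated policy only if it does not exist yet.
if (-not (Get-OwaMailboxPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}

# ReadOnly: no local download, attachments can still be viewed in the browser.
# Use ReadOnlyPlusAttachmentsBlocked to block viewing as well.
Set-OwaMailboxPolicy -Identity $PolicyName -ConditionalAccessPolicy ReadOnly

# Assign the policy to the pilot mailboxes only.
foreach ($mbx in $PilotMailboxes) {
    Set-CASMailbox -Identity $mbx -OwaMailboxPolicy $PolicyName
}

# Check 1: list every OWA policy with its conditional access setting.
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy

# Check 2: list mailboxes whose assigned OWA policy does not restrict
# attachments. Assumption: the OwaMailboxPolicy property holds the policy name.
$restricted = @(Get-OwaMailboxPolicy |
    Where-Object { "$($_.ConditionalAccessPolicy)" -ne 'Off' } |
    ForEach-Object { $_.Name })

Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.OwaMailboxPolicy)" -notin $restricted } |
    Select-Object PrimarySmtpAddress, OwaMailboxPolicy

# Rollback without deleting a policy: turn the setting off again.
# Set-OwaMailboxPolicy -Identity $PolicyName -ConditionalAccessPolicy Off
```

Setting the value back to Off is the way to undo the change when it was made on OwaMailboxPolicy-Default, since that policy is the one mailboxes fall back to.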
Reference for all the links and commands
- Conditional Access in Outlook on the web for Exchange Online – Microsoft Tech Community
- Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions | Modern Workplace Blog (vansurksum.com)
- Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs
- Session controls in Conditional Access policy – Azure Active Directory | Microsoft Docs
Thanks for the guide. How long does this take to take effect? Doesn’t seem to be working for me.
Immediately if you configured everything correctly
Make sure of the conditional access
Hello,
Thank you for the post, it was very useful. It is stopping downloads from OWA, but I can still download a copy and save as from SharePoint. How to block that too?
You mentioned that you would post it.
This rule is for Exchange. For SharePoint you can create conditional access
How to restrict downloading from SharePoint too?
It is working in OWA, but when I open a document in SharePoint web apps, I can still download a copy of the document. How to prevent that too?
Thank you,
This is for OWA. For SharePoint you do another conditional access from Azure AD and SharePoint
Thank you for the response,
I have added the Office365 SharePoint Online to apps for actions, and selected for the Session:
Use App Enforced Restrictions and Use Conditional Access App Control (Block Downloads (Preview)), but still when opening a file in SharePoint Online it gives me the option to download a copy.
In your post you had mentioned that you will do the article for SharePoint restriction too; I am not sure if you have done that or not.
Thank you,
There is a link in the article on how to do it. Check it, I think it is working