Limited Access to Exchange Online with Azure AD Conditional
Conditional access provides the control and protection businesses need to keep their corporate data secure while giving their people an experience that allows them to do their best work from any device.
These policies will restrict users’ ability to download attachments from email to a local machine when the devices are not compliant. With the Office Web Apps’ power, users can continue to view and edit these files safely, without leaking data to a personal machine.
If you instead want to block attachments fully (when on a non-compliant device), we also support that!
You may already know that you can implement a ‘limited access’ conditional access for SharePoint Online and OneDrive for Business, allowing users to access SharePoint Online but not authorizing to download anything while accessing using non-compliant devices.
Now, Exchange Online allows your users to access their mailbox using Outlook on the Web while the device they are using is identified as non-compliant.
To deploy limited access to conditional access, you need the following actions:
- Connect to Exchange Online with PowerShell to enable the limited access capability with the following PowerShell command:
- Then create or edit an Outlook Web Access policy with the following PowerShell command:
Set-OwaMailboxPolicy –Identity PolicyName -ConditionalAccessPolicy ReadOnly
- Then connect to your Azure AD portal and configure the conditional access for Exchange Online by accessing the Conditional Access configuration for your Azure AD.
Create a new or edit existing conditional access policy
Configure the conditional access policy as below:
- Users and groups: define to which users or groups configure with the limitation.
- Cloud Apps: select Office 365 Exchange Online.
- Other configuration options depend on your requirements.
- Session: enable the option Use app enforced restrictions.
Next, choose ok and finish your policy and wait for the policy will apply to your users.
Note: Next time your user will log in to OWA using a non-compliant device, they will have limited access enabled, which will block files download and disable offline access.