CYBERDOM

Just another day of IR, Threat-Hunting & Microsoft Security

Control OWA and Cloud Storage

by · April 24, 2019

With the dynamic update and the continuous release model used in Office 365, it can be challenging to keep up with all changes that Microsoft pushes.

Even though we still get a big release such as Office product or the new OWA experience, it’s common for features that can have a great impact on productivity or security to be released with just a brief mention in the patch notes or a blog post.

InfoSec people often have issues with the “accessible from anywhere, at any time”, nature of Office 365 and being able to impose different restrictions based, the network location of the user or the device they are using is a common request.

Exchange Online follows suit by becoming the second “cloud application” that supports the Conditional Access session restriction control.

The feature, referred to as Limited access for OWA, allows you to control how users work with attachments in both the new and old OWA experiences.

Post Contents Show

OWA Access

Those who browse the deep corners of Microsoft documentation often find unannounced information and cool features, such is the case of Set-OWAMailboxPolicy, where the ThirdPartyFileProvidersEnabled setting is documented.

The ThirdPartyFileProvidersEnabled setting controls attachments from third-party services, such as Box, DropBox and so on. The default value is False.

  • $true: Third-party attachments are enabled in Outlook on the web. Users can connect their third-party file sharing accounts and share files over email.
  • $false: Third-party attachments are disabled in Outlook on the web. Users can’t connect their third-party file sharing accounts or share files over email. This is the default value.

Note: This parameter is available only in the cloud-based service

The ThirdPartyFileProvidersEnabled value is false.

The user behavior is pretty simple and not allow to add any files from OWA and third-party cloud storage.

We can also play with PowerShell for Exchange Online and check what OWA mailbox policies allow access to third-party file providers and which users configure with this policy

Get-Mailbox -RecipientTypeDetails UserMailbox | Get-CasMailbox |? {$_.OWAMailboxPolicy -ne “ThirdPartyFileProvidersEnabled”} | ft DisplayName, OwaMailboxPolicy, OWAEnabled -AutoSize

Note: We can use the Get-Mailbox to receive a filtered list of user mailboxes to Get-CasMailbox, check what OWA mailbox policy applies to each, and output a list of names.

Tags:

You may also like...

Leave a Reply

error: Content is Protected !!
%d bloggers like this: