Session controls in Conditional Access now also controlling Exchange Online

I have had and still have customers that want to restrict access via Outlook Web App (OWA) to Exchange Online. For instance, they want to block download of attachments when users access their mailbox via OWA. Until recently this could be done via the OWA Mailbox Policy in Exchange (Online), by setting the DirectFileAccessOnPublicComputersEnabled and DirectFileAccessOnPrivateComputersEnabled parameters to False. Those settings apply to all users that have this policy applied in Exchange. This week a colleague pointed out a new feature in Exchange Online.

What’s new in Exchange Online?

Since September this year there is a new parameter, added by the Exchange team, that can be configured: ConditionalAccessPolicy. This parameter allows you to use the Session Control option in Azure AD Conditional Access to apply restrictions selectively. For instance, OWA is available in read-only mode only from outside the company, while “internally” or from a managed device people are able to download and edit attachments. The Session Control setting in Conditional Access is currently still undocumented by Microsoft, so hopefully this blog helps 😉

If you look at the OWA Mailbox Policy in PowerShell you see the two parameters

Use Get-OwaMailboxPolicy to review the parameters.

The ConditionalAccessPolicy parameter can be configured with the following valid values:

  • Off – No conditional access policy is applied to OWA. This is the default value for OWA.
  • ReadOnly – Users accessing OWA cannot download email attachments to their local device and cannot enable Offline Mode on non-compliant devices. The users can still view the attachments in the browser.
  • ReadOnlyPlusAttachmentsBlocked – All the restrictions from the ReadOnly setting apply, but the users also cannot view attachments in the browser.

Configuring the options can be done with the following PowerShell command:

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -ConditionalAccessPolicy ReadOnly

After executing the command above, review the configuration again with Get-OwaMailboxPolicy.
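Because the command above changes every OWA mailbox policy at once, an audit beforehand shows what will be affected. The following is an added example, not from the original post: it assumes an already connected Exchange Online PowerShell session, and that the policy name reported by Get-CASMailbox matches the Name of the policy.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run with
# rights to read and change OWA mailbox policies.

# Count mailboxes per OWA mailbox policy so the impact of a change is known.
# Assumption: the OwaMailboxPolicy value on a mailbox equals the policy Name.
$usage = @{}
foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $name = "$($mbx.OwaMailboxPolicy)"
    if (-not $name) { $name = '(none assigned)' }
    $usage[$name] = 1 + [int]$usage[$name]
}

# Report the legacy DirectFileAccess settings next to the new parameter.
# A policy left at Off ignores the Conditional Access session control.
$report = foreach ($policy in Get-OwaMailboxPolicy) {
    [pscustomobject]@{
        Policy                  = $policy.Name
        Mailboxes               = [int]$usage[$policy.Name]
        ConditionalAccessPolicy = "$($policy.ConditionalAccessPolicy)"
        DirectFileAccessPublic  = $policy.DirectFileAccessOnPublicComputersEnabled
        DirectFileAccessPrivate = $policy.DirectFileAccessOnPrivateComputersEnabled
        HonoursSessionControl   = "$($policy.ConditionalAccessPolicy)" -in
                                  'ReadOnly', 'ReadOnlyPlusAttachmentsBlocked'
    }
}
$report | Sort-Object Mailboxes -Descending | Format-Table -AutoSize
"Mailboxes without an assigned policy: $([int]$usage['(none assigned)'])"

# Dry run: show which policies would be switched to ReadOnly.
# Remove -WhatIf to apply the change.
$report | Where-Object { -not $_.HonoursSessionControl } | ForEach-Object {
    Set-OwaMailboxPolicy -Identity $_.Policy -ConditionalAccessPolicy ReadOnly -WhatIf
}
```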

Azure AD Conditional Access

When creating a Conditional Access rule in Azure AD, the Use app enforced restrictions session control is now also available for Exchange Online. Until recently this was only available for SharePoint Online.

By enabling this session control, the setting configured earlier in Exchange Online will be enforced, which allows us to selectively enable read only mode based on the user, device, location, compliance state of the device or risk level. An awesome addition if you ask me!

End User Experience

When enabling the ReadOnly mode for a user that is, in this case, not on a managed device and not in the office, the user will see a banner that states: Your organization doesn’t allow you to download, print, or sync using this device. To perform these actions, use a device that’s joined to a domain. For help, contact your IT Department.

  1. Download option is disabled
  2. The user is informed that they can download, print or sync docs only on managed devices.
  3. You are able to edit the document and attach the edited document to the reply of the email
  4. If you have a SharePoint/OneDrive license you can save the document to OneDrive (Online) or just preview the document.


If you have the requirement for a read-only OWA and currently use the “old way” of protecting your company data, you should definitely look at this solution. If you ask me, this is the only way of really protecting your data when using OWA.


