Restrict access to email attachments and SharePoint files with Conditional Access

Today a blog post about Azure AD Conditional Access (CA) policies in combination with Exchange and SharePoint Online. I will show in this post how to restrict access to Exchange Online and SharePoint Online in the browser on unmanaged devices. Using these policies we prevent our users to download email attachments or SharePoint files on unmanaged devices.

Configuration for Exchange Online

For Exchange Online Outlook on the Web (OWA) we can restrict the option to download email attachments to the local device or even prevent the user from viewing the attachment in the browser.
To create a restricted user experience in OWA we need to use the Exchange PowerShell command Set-OwaMailboxPolicy to change the OWA mailbox policy. We need to change the parameter ConditionalAccessPolicy which is set to Off by default. The three options we have for this parameter are:

• Off: No conditional access policy is applied to Outlook on the web. This is the default value.
• ReadOnly: Users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
• ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.

Connect to Exchange Online using the Microsoft Exchange Online PowerShell Module.
When we run Get-OwaMailboxPolicy we can see the parameter ConditionalAcessPolicy is set to off.

When we use this PowerShell command we set the paramater to ReadOnly:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -ConditionalAccessPolicy ReadOnly

Now we need to switch to the Azure Portal and create an Azure AD Conditional Access policy to enforce this setting on unmanaged devices.
Create a new policy and give it a name.
Under Assignments we need to choose a security group to assign the policy to or choose All Users.
Under Cloud apps we need choose Office 365 Exchange Online.

Under Conditions, Device platforms we select All platforms.

On the Client apps tab we only select Browser.

On the Device state tab we select Device marked as compliant.

Now we move to the Access Control section, on the Session tab we select Use app enforced restrictions.
On the left side, we set Enable policy to On and we click on Create.

Keep in mind it can take some time before these settings are active in Exchange Online.

End-user experience

Let`s have a look at how the end-user experience is on an unmanaged device.
When we logon to Outlook on the web and open an email with an attachment, we are presented with a notification. The notification informs us about the restricted access to attachments until we change settings required by our organization.
When we select the attachment itself, we see the attachment can only be saved to OneDrive (not locally) or it can be viewed.

If we had set the parameter ConditionalAccessPolicy of the OWA Mailbox Policy to ReadOnlyPlusAttachmentsBlocked we couldn`t even view the attachment in the browser.

Configuration for SharePoint Online

For SharePoint Online (and OneDrive for Business) we can create a similar restricted user experience on unmanaged devices like we can with Exchange Online. With SharePoint Online we restrict access on unmanaged devices to the browser like we do with Exchange Online, but with Conditional Access policies we also prevent the synchronization of SharePoint files to the device.
This configuration is done from the SharePoint Admin Center. Open the admin center and browse to the Access control tab. Under Unmanaged Devices we need to select Allow limited, web-only access. This allows the user to access the SharePoint data from an unmanaged device, but prevents downloading and synchronizing the data to the local device.
When we set this option to limited access, we also block apps that don`t use modern authentication as you can see in the notification.

On the background two Conditional Access policies are created to enforce the restrictions. In this previous blog I discussed the settings of those policies in more detail.
Keep in mind it can take some time before these settings are active in SharePoint Online.

End-user experience

Let`s have a look again how the end-user experience is on an unmanaged device.
Open a SharePoint or OneDrive site in the browser. The first thing you probably see is the notification with information about the restrictions which are active. The options to download a file or sync the site are removed. But we are allowed to open the files in Office Online and also edit the files online.

This user experience is not limited to SharePoint Online and OneDrive for Business, but is also extended to Microsoft Teams as the Teams files are located in a SharePoint library. When we try to download a file from Teams we see an error like below.

Licenses

Azure AD Conditional Access policies are an Azure AD Premium feature. Users who are in scope of one of these CA polices need to have assigned an Azure AD Premium license. This license can be purchased as standalone license or as part of an Microsoft 365 or Enterprise Mobility + Security (EMS) license.
Microsoft Intune, which is used to manage the devices, can be purchased as standalone license or as part of EMS or Microsoft 365.