Microsoft have released a tiny update to Exchange Online that has massive implications. I say tiny in that it takes like 30 seconds to implement this (ok, maybe 60 seconds then).

When this is enabled, and below I will describe a simple configuration for this, users who open Outlook Web Access on a computer that is not compliant with a conditional access rule in Azure AD get an OWA session that is read only: attachments can be viewed in the browser only and not downloaded. There is even a mode to have attachments completely blocked.

Step 1: Enable the OwaMailboxPolicy New Setting

Only users whose OwaMailboxPolicy has the ConditionalAccessPolicy set to ReadOnly or ReadOnlyPlusAttachmentsBlocked are impacted by this feature, and only when the Conditional Access policy so restricts their session. For example, if you wanted a subset of users to always have this restriction regardless, but not other users, then you would create a new OwaMailboxPolicy and set the ConditionalAccessPolicy setting. Once that is done you would apply the policy to the selected users. If instead you wanted this restriction to apply to all users, but only when they are on a personal (not compliant or trusted) device, then you would apply the OWA policy to all users and the conditional access policy to All Users as well.

In my example I am just going to update the default policy, because I want read only view for all users who fall out of the conditions of the policy. So in Exchange Online PowerShell I run the following:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

This, once the conditional access policy takes effect, will restrict downloads in OWA. The second option is to use ReadOnlyPlusAttachmentsBlocked instead of ReadOnly. The value “Off” turns off the restrictions again.

Step 2: Create a Conditional Access Policy in Azure AD

You need an Azure AD Premium P1 licence for this feature. Here I created a policy that applied to one user and no other policy settings. This would mean this user is always in ReadOnly mode. In real world scenarios you would more likely create a policy that applied to a group or All Users, excluding network ranges or compliant devices, rather than individual users, and forced ReadOnly only when other conditions such as non-compliant device (i.e.

The pictures, as you cannot create the policies in the cmdline, are as follows:

A) New policy with a name. Here it is “Limited View for ZacharyP”
B) Under “Users and Groups” I selected my one test user. Here you are more likely to pick the users for whom data leakage is an issue
C) Under “Cloud apps” select Office 365 Exchange Online. I have also selected SharePoint, as the same idea exists in that service as well
D) Under Session, and this is the important one, select “Use app enforced restrictions”. For Exchange Online, app enforced restrictions is the value of ConditionalAccessPolicy for the given user.

Ensure the user is licenced to have a mailbox and Azure AD Premium P1 and ensure they have an email with an attachment in it for testing.

The new user interface to OWA looks as follows: In the screenshot you can see circled where the Download link is normally found:

And where the attachment is clicked, there is now a greyed out Download button and a banner is seen in both views telling the user of their limited access.

With ReadOnlyPlusAttachmentsBlocked set as the ConditionalAccessPolicy value, the attachment cannot be viewed.

You can get a list of all public folders with the Exchange PowerShell cmdlet Get-PublicFolder and you can easily extract the permissions applied to the public folder by using the Get-PublicFolderClientPermission cmdlet.

Before proceeding, run the below commands to connect to Exchange Online (EXO) PowerShell.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <ConnectionUri> -Credential $365Logon -Authentication Basic -AllowRedirection

Run the below command to list all the public folders in your organization.

Get-PublicFolder -Recurse -ResultSize Unlimited

The below command returns the specific folder “Support” and all the sub-folders located under this folder.

Get-PublicFolder -Identity "Support" -Recurse -ResultSize Unlimited
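
For the Step 1 case where only a subset of users should always get the restriction, the following is an added example, not part of the original post: it creates a dedicated OwaMailboxPolicy, sets ConditionalAccessPolicy on it, assigns it to the chosen mailboxes and reads the settings back. The policy name and mailbox addresses are hypothetical, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example: scope the OWA read-only restriction to selected mailboxes.
# Assumption: an Exchange Online PowerShell session is already connected.
# Hypothetical values: the policy name and the mailbox addresses below.
$policyName      = 'OwaMailboxPolicy-LimitedAccess'
$restrictedUsers = @('user1@example.com', 'user2@example.com')

# Create the dedicated policy only if it is not there yet, so the script
# can be re-run without failing on a duplicate name.
$existing = Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# ReadOnly                       : attachments viewable in the browser, no download
# ReadOnlyPlusAttachmentsBlocked : attachments cannot be viewed at all
# Off                            : restriction disabled
Set-OwaMailboxPolicy -Identity $policyName -ConditionalAccessPolicy ReadOnly

# Assign the policy to the selected mailboxes only; everyone else keeps
# whatever OWA mailbox policy they already have.
foreach ($user in $restrictedUsers) {
    Set-CASMailbox -Identity $user -OwaMailboxPolicy $policyName
}

# Read back: which policies carry a restriction at all.
Get-OwaMailboxPolicy |
    Format-Table Name, ConditionalAccessPolicy -AutoSize

# Read back: confirm each selected mailbox is on the restricted policy and
# warn about any that is not, since those mailboxes keep full download
# rights in OWA whatever the Conditional Access policy says.
foreach ($user in $restrictedUsers) {
    $cas = Get-CASMailbox -Identity $user
    if ("$($cas.OwaMailboxPolicy)" -ne $policyName) {
        Write-Warning "$user is on policy '$($cas.OwaMailboxPolicy)', not '$policyName'"
    }
}
```

The OWA policy setting alone restricts nothing: the session is limited only once a Conditional Access policy with “Use app enforced restrictions” also applies to the same users, as described in Step 2.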