Disabling OWA at the CASMailboxPlan level? Really?

Daniel Klobnak 286 Reputation points
2023-06-15T20:43:10.99+00:00

365 Online. Not a debate on whether good idea or not. It's a directive.

This is NOT ABOUT current active mailboxes. Already disabled using basic command - example.
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAEnabled $False

It's moving forward, and after researching, etc. it appears this is not possible to disable OWA as a default for new mailboxes. Apparently there may be some method to create a script to run locally (on-prem) as Sched Task - though that may be local Exchange only - and frankly it is not pre-emptive and adds more complexity than should be required. Pre-amble over.

So while one can easily modify a CASMailboxplan for POP3 with a basic

set-casmailboxplan -identity ExchangeOnlineEnterprise -POPenable $False

(same for IMAP with appropriate Parameter), one cannot do the same with

set-casmailboxplan -identity ExchangeOnlineEnterprise -OWAEnabled $False

as the following error is returned
set-CASMailboxPlan : A parameter cannot be found that matches parameter name 'OWAEnabled'
Despite the fact that

Get-CasMailboxPlan -identity exchangeonlineenterprise | Format-List DisplayName,ActiveSyncEnabled,ImapEnabled,PopEnabled,OwaMailboxPolicy,OWAenabled

reflects the parameter.

So this leads to the OWAMailboxPolicy, and reviewing for an appropriate setting/parameter to translate to OWAenabled T/F did not appear obvious (I assume the OWAenabled is dependent on a parameter within the OWAMailboxPolicy, because why else would OWAenabled not be a parameter to edit (yet can do so at the MB level)?). Anyone know?

I noticed about Conditional Access, but there are risks re lock out, and also reports that it just is a blanket over all web services - i.e. web based Teams, etc. and all we want is OWA. Maybe there is more granularity that I have not seen?

So I am assuming I am doing something incorrectly? - Dan

Microsoft 365 and Office | Install, redeem, activate | For business | Windows

1 answer

  1. Konstantinos Passadis 19,691 Reputation points MVP
    2023-06-15T20:52:18.8633333+00:00

    Hello @Daniel Klobnak!

    I understand you need to block Web Access to Exchange Online!

    Conditional Access Policy is the best fit

    Create a Policy with Cloud App set to Exchange Online

    Then you can select the User APP, so in this case Web Client:

    Also there is a link for your issue exactly (I think)

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#limit-access-to-exchange-online-from-outlook-on-the-web&preserve-view=true

    Limit access to Exchange Online from Outlook on the web

    You can restrict the ability for users to download attachments from Outlook on the web on unmanaged devices. Users on these devices can view and edit these files using Office Online without leaking and storing the files on the device. You can also block users from seeing attachments on an unmanaged device.

    Here are the steps:

    1. Connect to Exchange Online PowerShell.

    2. If you don't already have an OWA mailbox policy, create one with the New-OwaMailboxPolicy cmdlet.

    3. If you want to allow viewing of attachments but no downloading, use this command:

       Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnly

    4. If you want to block attachments, use this command:

       Set-OwaMailboxPolicy -Identity Default -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

    5. In the Azure portal, create a new Conditional Access policy with these settings:

       Assignments > Users and groups: Select appropriate users and groups to include and exclude.

       Assignments > Cloud apps or actions > Cloud apps > Include > Select apps: Select Office 365 Exchange Online

       Access controls > Session: Select Use app enforced restrictions

    Let me know whether this covers you or you need more help !

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
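
The question mentions a scheduled script as the non-pre-emptive fallback for mailboxes created after the bulk Set-CASMailbox run. The sketch below is an added example, not code from either poster or from Microsoft: it finds mailboxes where OWA is still enabled and disables only those, returning one record per mailbox for audit. It assumes an already connected Exchange Online PowerShell session; the function name `Disable-OwaDrift`, the `-Exclude` parameter and the sample address are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Disable-OwaDrift and -Exclude are hypothetical names, not Exchange cmdlets.
function Disable-OwaDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Addresses that must keep OWA (for example an emergency-access mailbox)
        [string[]]$Exclude = @()
    )

    # Filter client-side: keep only mailboxes that still have OWA enabled
    # and are not on the exclusion list.
    $drift = Get-CASMailbox -ResultSize Unlimited | Where-Object {
        $_.OWAEnabled -and ($Exclude -notcontains [string]$_.PrimarySmtpAddress)
    }

    foreach ($mbx in $drift) {
        $address = [string]$mbx.PrimarySmtpAddress
        if ($PSCmdlet.ShouldProcess($address, 'Set OWAEnabled to $false')) {
            try {
                # Address the mailbox by GUID so display-name collisions cannot
                # redirect the change to a different mailbox.
                Set-CASMailbox -Identity $mbx.Guid.ToString() -OWAEnabled $false -ErrorAction Stop
                $result = 'Disabled'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        } else {
            # Reached when the function is run with -WhatIf
            $result = 'WouldDisable'
        }

        # One record per drifted mailbox, suitable for Export-Csv or a SIEM feed
        [pscustomobject]@{
            Mailbox   = $address
            Result    = $result
            CheckedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Report only: list mailboxes that would be changed, without changing them.
Disable-OwaDrift -WhatIf | Format-Table -AutoSize

# Enforce, keeping one constructed sample address exempt:
# Disable-OwaDrift -Exclude 'breakglass@contoso.example'
```

Because this runs after mailbox creation, a new mailbox has OWA available until the next run, so the records it returns are also a measure of how long that window was.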

