
Outlook Web App policies

Glenn Maxwell 13,596 Reputation points
2026-04-04T08:03:22.7233333+00:00

Hi All,

I have been asked to implement the following changes and would appreciate guidance on the potential concerns and benefits of enabling these policies. For context, we are using Okta as our SSO and MFA provider, and we have an Exchange hybrid environment: we create users on-premises and migrate them to Exchange Online. Users are licensed with Microsoft 365 E5.

  1. OWA Mobile Device Contact Sync (Default Policy)

Path: Exchange Admin Center → Roles → Outlook Web App policies → Select the Default Policy → Manage features (sidebar) → Uncheck “Mobile device contact sync”

  2. OWA File Access (Default Policy)

Path: Exchange Admin Center → Roles → Outlook Web App policies → Select the Default Policy → Manage access (sidebar) → Uncheck “Let users open files attached to email messages when using a public or shared computer”

  3. OWA Offline Access (Default Policy)

Path: Exchange Admin Center → Roles → Outlook Web App policies → Select the Default Policy → Manage access (sidebar) → Set “Offline access” to “Never”

Could someone please share insights on the security impact versus user experience trade-offs of these changes, especially in a hybrid setup with Okta as the identity provider?

Exchange Online


2 answers

  1. Vergil-V 11,415 Reputation points Microsoft External Staff Moderator
    2026-04-04T10:00:12.4033333+00:00

    Hi @Glenn Maxwell   

    Based on my research, I recommend reviewing the Q&A Assist response, as it already addresses most of your questions regarding the three policies. Okta does not affect these policies, since it functions only as an SSO and identity provider and does not control Outlook Web App mailbox policy behavior. 

    It is also worth noting that these three policies apply not only to Outlook on the web but also take effect in the New Outlook desktop application. 

    If you would like to explore the behavior further, you may consider testing these Outlook Web App mailbox policies by creating a new policy separate from the default one and assigning it to a specific user. This can be done through the Exchange Admin Center > Mailboxes > Select the target mailbox > Manage email apps settings > Outlook web app mailbox policy.

    The same assignment can also be performed using the PowerShell command below:

    Set-CasMailbox -Identity <MailboxIdentity> -OwaMailboxPolicy "<Policy Name>" 
    

    Reference: Apply or remove mailbox policy on a mailbox in Exchange Online | Microsoft Learn 

    I hope this adds helpful insight alongside the Q&A Assist response. Please feel free to share any updates or follow‑up questions. 


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-04-04T08:03:43.36+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    Below is a breakdown of each change, focusing on security vs. user experience. The fact that Okta is the IdP and MFA provider, and that the environment is hybrid, does not materially change the behavior of these specific OWA mailbox policy settings; they are enforced by Exchange Online once the user is authenticated.

    1. Disable “Mobile device contact sync” in the default OWA policy

    What the setting does

    • In Outlook on the web / new Outlook for Windows, this controls whether users can sync personal contacts from mobile devices into their mailbox (and vice versa, depending on client behavior).
    • In the EAC, this is under Features → Communication management → “Mobile device contact sync”.

    Security impact (benefits)

    • Reduces risk of data leakage between corporate and personal ecosystems:
      • Prevents corporate contacts from being copied to unmanaged mobile address books via OWA-related features.
      • Reduces the chance that personal contacts are pulled into the corporate environment unintentionally.
    • Aligns with Zero Trust principles of limiting uncontrolled data flows between managed and unmanaged contexts.

    User experience impact (trade‑offs)

    • Users lose convenience of automatic contact sync between mobile devices and OWA/new Outlook for Windows.
    • Users may need to:
      • Manually maintain contacts in Outlook and on their mobile device, or
      • Rely on managed Outlook mobile apps (with Intune/App Protection) for contact sync instead of OWA-based mechanisms.

    When this is typically acceptable

    • When the organization already standardizes on Outlook for iOS/Android with Intune or other MDM/UEM for contact sync and caller ID.
    • When contact data is considered sensitive and must not leave managed apps/devices.

    2. Restrict OWA File Access on public/shared computers

    What the setting does

    • In the OWA policy Access → File access, unchecking “Let users open files attached to email messages when using a public or shared computer” restricts how attachments can be accessed when the session is marked as “public/shared”.
    • Users can still typically view attachments via Office Online, depending on the rest of the file access configuration, but cannot download or open them directly on the public/shared device.

    Security impact (benefits)

    • Strong protection against data leakage on unmanaged or shared endpoints:
      • Prevents saving attachments to local disks, USB drives, or browser download folders on kiosks or shared PCs.
      • Reduces risk of sensitive files being left behind on hotel, library, or shared office computers.
    • Aligns with Zero Trust guidance to limit attachment handling on unmanaged devices. Similar controls are also available via Set-OwaMailboxPolicy -ConditionalAccessPolicy ReadOnly or ReadOnlyPlusAttachmentsBlocked for unmanaged devices.

    User experience impact (trade‑offs)

    • Users on public/shared computers:
      • Cannot directly download attachments to the machine.
      • May be limited to viewing/editing via Office Online only.
    • Users on trusted, managed devices are less affected if they choose “private computer” when signing in, assuming the policy allows more permissive access for private computers.

    When this is typically acceptable

    • When the organization wants to allow webmail access from anywhere but strictly control where files can be downloaded.
    • When combined with Conditional Access and device compliance policies for richer control on managed devices.

    3. Set OWA Offline Access to “Never” in the default policy

    What the setting does

    • In Access → Offline access, setting “Never” disables Outlook on the web’s offline mode.
    • This prevents OWA from caching mailbox data locally in the browser for offline use.

    Security impact (benefits)

    • Reduces local data residue on endpoints:
      • No offline cache of messages, calendar, or contacts stored in the browser’s local storage.
      • Particularly valuable on unmanaged, shared, or lightly managed devices where browser data may persist.
    • Limits exposure if a device is lost, stolen, or used by multiple people.

    User experience impact (trade‑offs)

    • Users cannot:
      • Read previously opened emails or calendar items when offline.
      • Compose and queue messages offline in OWA.
    • Impact is minimal for users who primarily work on always‑connected corporate devices or use full Outlook clients.

    When this is typically acceptable

    • In most enterprise environments where offline webmail is not a critical requirement.
    • Especially where there is concern about cached data on unmanaged or BYOD endpoints.

    Hybrid + Okta considerations

    • These OWA mailbox policy settings are enforced by Exchange Online after authentication; they are independent of whether authentication is via Okta or Microsoft Entra ID.
    • In a hybrid environment:
      • Policies apply to mailboxes in Exchange Online (where OWA is hosted).
      • On‑premises OWA (if still used) is controlled by separate on‑prem OWA policies.
    • Okta SSO/MFA protects sign‑in, but does not control what happens to data once the user is in OWA; these OWA policies complement Okta by constraining data handling and storage.

    Summary of trade‑offs

    • Overall security gain:
      • Less data leakage to unmanaged mobile contacts.
      • Stronger protection against attachment download on public/shared devices.
      • No offline OWA cache on endpoints.
    • Overall UX cost:
      • Reduced convenience for contact sync.
      • More friction for users working from public/shared devices who need to download attachments.
      • No offline webmail experience.

    For an E5‑licensed organization following Zero Trust principles, these changes are generally aligned with best practices, especially if Outlook for iOS/Android and managed PCs are the primary clients and OWA is treated as a controlled, online‑only access path.


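Both answers above recommend piloting the three settings in a separate OWA mailbox policy assigned to one mailbox rather than editing the Default policy straight away. The script below is an added example and is not code from the thread, from the answerers or from Microsoft. It records the Default policy's current values, creates a pilot policy with the three controls, assigns it to a single Exchange Online mailbox, verifies the result, and reports which mailboxes sit on which policy. Assumptions to verify in your own tenant: the ExchangeOnlineManagement module is installed; the Set-OwaMailboxPolicy parameter names used here are the ones I understand the EAC checkboxes map to (confirm with Get-OwaMailboxPolicy); the policy name, pilot mailbox and admin UPN are placeholders.

```powershell
# Added example (not from the thread or from Microsoft). Pilots the three OWA settings
# on one mailbox via a separate policy, leaving OwaMailboxPolicy-Default untouched.
# Assumed: ExchangeOnlineManagement module installed; parameter-to-checkbox mapping below
# is my understanding, verify with Get-OwaMailboxPolicy; all names are placeholders.

param(
    [string]$PolicyName = 'OWA-Restricted-Pilot',        # placeholder policy name
    [string]$PilotUser  = 'pilot.user@contoso.example',  # placeholder; must already be in Exchange Online
    [string]$AdminUpn   = 'exo.admin@contoso.example'    # placeholder; Okta-federated sign-in works here
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Properties to track. ConditionalAccessPolicy is the related unmanaged-device control
# mentioned in the Q&A Assist answer; it is reported but not changed here.
$watched = @(
    'AllowCopyContactsToDeviceAddressBook'       # EAC: Mobile device contact sync (assumed mapping)
    'DirectFileAccessOnPublicComputersEnabled'   # EAC: open attachments on a public/shared computer
    'AllowOfflineOn'                             # EAC: Offline access
    'ConditionalAccessPolicy'
)

# 1. Record what the Default policy currently does, for the change record and rollback.
Get-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' |
    Select-Object -Property (@('Name') + $watched) | Format-List

# 2. Hybrid check: a mailbox that has not been migrated has no Exchange Online CAS settings.
$cas = Get-CasMailbox -Identity $PilotUser -ErrorAction SilentlyContinue
if (-not $cas) {
    throw "$PilotUser has no Exchange Online mailbox (still on-premises, or not yet migrated?)."
}

# 3. Create the pilot policy if needed, then set the three controls explicitly.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
$settings = @{
    Identity                                 = $PolicyName
    AllowCopyContactsToDeviceAddressBook     = $false          # uncheck "Mobile device contact sync"
    DirectFileAccessOnPublicComputersEnabled = $false          # uncheck "Let users open files ... public or shared computer"
    AllowOfflineOn                           = 'NoComputers'   # Offline access = Never
}
Set-OwaMailboxPolicy @settings

# 4. Assign the policy to the pilot mailbox only (same command as in the moderator's answer).
Set-CasMailbox -Identity $PilotUser -OwaMailboxPolicy $PolicyName

# 5. Verify: the mailbox points at the pilot policy and the policy holds the intended values.
$assigned = (Get-CasMailbox -Identity $PilotUser).OwaMailboxPolicy
$policy   = Get-OwaMailboxPolicy -Identity $PolicyName
$expected = @{
    AllowCopyContactsToDeviceAddressBook     = $false
    DirectFileAccessOnPublicComputersEnabled = $false
    AllowOfflineOn                           = 'NoComputers'
}
$drift = foreach ($p in $expected.Keys) {
    if ("$($policy.$p)" -ne "$($expected[$p])") {
        "$p is '$($policy.$p)', expected '$($expected[$p])'"
    }
}
if ($assigned -ne $PolicyName -or $drift) {
    throw "Pilot not in the expected state: assigned='$assigned'; $($drift -join '; ')"
}
Write-Host "Pilot policy '$PolicyName' is applied to $PilotUser with the intended settings."

# 6. Coverage check before the Default policy is ever edited: who is on which OWA policy?
#    (Enumerates every mailbox; slow in large tenants.)
Get-CasMailbox -ResultSize Unlimited |
    Group-Object -Property OwaMailboxPolicy |
    Select-Object Name, Count | Sort-Object Count -Descending

# Rollback for the pilot user if the trade-offs turn out to be unacceptable:
# Set-CasMailbox -Identity $PilotUser -OwaMailboxPolicy 'OwaMailboxPolicy-Default'
```

Run the pilot for a few days with a user who actually works from the new Outlook desktop client and from a browser marked as a public computer, since the moderator notes these policies also apply to new Outlook; only once the drift check passes and the user feedback is in should the same three values be applied to OwaMailboxPolicy-Default. On-premises OWA is governed by the on-premises OWA mailbox policies and is not touched by this script.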
