Home Blog How to restrict downloading attachments from OWA?

How to restrict downloading attachments from OWA?

 2021/10/10   Microsoft Cloud Solutions   3306 visit(s)




In this scenario

We will demonstrate how to block downloading files from Outlook on the web and only save them to OneDrive using -ConditionalAccessPolicy PowerShell parameter with set-OwaMailboxPolicy

Applied to online OneDrive and Sharepoint Online

The ConditionalAccessPolicy parameter specifies the Outlook on the Web Policy for limited access. For this feature to work properly, you also need to configure a Conditional Access policy in the Azure Active Directory Portal.

Note: When you enable a Conditional Access policy, users will no longer be able to access the light version of Outlook on the web. An error message will direct them to use the default premium experience.


  • Connect to PowerShell online management shell for exchange
  • Create new OWA mailbox policy
  • Create a group for the required uses to block them from downloading
  • Create conditional access policy in azure
  • Create application enforced restrictions conditional access
  • Test our policy from blocked user and unblocked user
  • Confirm it is working fine
  • Remove the policy
  • Reference for all the links and commands


Connect to PowerShell online management shell for exchange

Install-Module -Name ExchangeOnlineManagement

#Installing the PowerShell module

Update-Module -Name ExchangeOnlineManagement

#Update to the latest Version


# connect to exchange online

Get-OwaMailboxPolicy | Fl -Property ident*

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly Get-OwaMailboxPolicy | select-object ConditionalAccess* 


First get the OWA mailbox policy and check it is name:

Create new OWA mailbox policy

  • ReadOnly: Users can't download attachments to their local computer and can't enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
  • ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can't view attachments in the browser.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly


Then get the configuration

Get-OwaMailboxPolicy | select-object ConditionalAccess* 


Optional you can crate group to apply conditional access to or just apply it to all users


Crate conditional access policy now and choose the group you want

And choose office 365exhange online

Note: I have added sharepoint also cause I ll create the same restrictions for OneDrive in a later post

Use app enforced restriction


Now I sent to the user who isnt member of the blocked group in azure conditional access

He supposed to be able to download

Confirm it is working fine

If you want to remove the policy


Remove-OwaMailboxPolicy -Identity name

Reference for all the links and commands


Conditional Access in Outlook on the web for Exchange Online - Microsoft Tech Community

Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions | Modern Workplace Blog (vansurksum.com)

Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs

Session controls in Conditional Access policy - Azure Active Directory | Microsoft Docs


Search the Blog

Subscribe Blog



IT & Cyber-Security Solutions

Best-in-class cyber security solutions to ...


Microsoft Cloud Solutions

Explore Ctelecoms extensive selection of ...


Datacenter Solutions

Solve issues, streamline operations, promote ...


Cloud Backup & Disaster Recovery Solutions

Keep your data, apps, emails and operations ...


Computing & Hyper-converged Infrastructure Solutions

Take your IT infrastructure to the next level ...


Unified Communications & Networking Solutions

Ensure you are securely connected with all ...


Meraki Networking Solutions

Quickly deploy a reliable, secure, cloud-managed ...