Exchange Online – Attachment handling in Outlook on the web

Customers who completely prohibit access to webmail may have a few security concerns. In a Modern Workplace scenario, all users must be able to access their email at any time and from any location. One of the major improvements we have seen in the move from Outlook Web Access to Outlook on the web is that it now gives end users the rich client experience of the Outlook client. However, attachments can pose a significant security concern if Outlook on the web can be accessed from non-managed machines without any security implementation or if no data loss prevention mechanism is in place.

There are currently two options for handling this scenario, and we will go through both in this post.

Use Organizational Config, Mailbox Policy & ADFS claim rules method:

We can use mailbox policy settings to define whether users can open, view, send, or receive attachments when they are signed into Outlook on the web, including whether the user is on a computer that is part of a private or public network.

The PublicComputersDetectionEnabled organization value can help us prevent attachments from being downloaded on non-managed computers. This parameter determines whether Outlook on the web detects that a user is signing in from a public or private computer or network, and subsequently applies the public network attachment handling settings. $false is the default value. If you set this option to $true, Outlook on the web detects whether the user is signing in from a public computer, and all public attachment handling rules are applied and enforced.

We can check that by running the below command.

Now we run the below command to set the PublicComputersDetectionEnabled value to True.

Set-OrganizationConfig -PublicComputersDetectionEnabled:$True

Create a new OWA mailbox policy and enable public attachment handling with the parameters below:

DirectFileAccessOnPublicComputersEnabled
Specifies left-click and other options available for attachments when the user has signed in to Outlook on the web from a computer outside of a private or corporate network. If this parameter is set to $true, Open and other options are available. If it’s set to $false, the Open option is disabled.

ForceWacViewingFirstOnPublicComputers
Specifies whether a user who signed in to Outlook on the web from a computer outside of a private or corporate network can open an Office file directly without first viewing it as a webpage.

WacViewingOnPublicComputersEnabled
Specifies whether a user who has signed into Outlook on the web from a computer outside of the corporate network can view supported Office files using Outlook on the web.

Set-OwaMailboxPolicy -Identity MyOWAPublicPolicy -DirectFileAccessOnPublicComputersEnabled $true -ForceWacViewingFirstOnPublicComputers $true -WacViewingOnPublicComputersEnabled $true

In our example we have created a new OWA mailbox policy and set the parameters described above to True.
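The Exchange Online steps above as one script, with the read-back checks a reviewer would want. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, and the pilot mailbox address is a placeholder.

```powershell
# Added example: assumes the ExchangeOnlineManagement module is installed and
# the signed-in account holds Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName   = 'MyOWAPublicPolicy'        # policy name used in this post
$pilotMailbox = 'pilot.user@contoso.com'   # placeholder test mailbox

# 1. Record the current organization-wide value before changing it.
$before = (Get-OrganizationConfig).PublicComputersDetectionEnabled
Write-Host "PublicComputersDetectionEnabled before change: $before"

# 2. Turn on public computer detection.
Set-OrganizationConfig -PublicComputersDetectionEnabled $true

# 3. Create the OWA mailbox policy only if it does not exist yet.
if (-not (Get-OwaMailboxPolicy | Where-Object Name -eq $policyName)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# 4. Apply the public-computer attachment settings chosen in this post.
$settings = @{
    DirectFileAccessOnPublicComputersEnabled = $true
    ForceWacViewingFirstOnPublicComputers    = $true
    WacViewingOnPublicComputersEnabled       = $true
}
Set-OwaMailboxPolicy -Identity $policyName @settings

# 5. Read the values back and flag any that did not take effect.
$policy = Get-OwaMailboxPolicy -Identity $policyName
foreach ($name in $settings.Keys) {
    if ($policy.$name -ne $settings[$name]) {
        Write-Warning "$name is $($policy.$name), expected $($settings[$name])"
    }
}

# 6. Assign the policy to one pilot mailbox first and confirm the assignment.
Set-CASMailbox -Identity $pilotMailbox -OwaMailboxPolicy $policyName
Get-CASMailbox -Identity $pilotMailbox | Format-List Name, OwaMailboxPolicy
```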

Having done this configuration on the Exchange Online side, we now need to configure ADFS with claim rules. These rules detect whether the attachment is coming from an internal or external network.

When a user accesses Exchange Online from outside the corporate network, the ADFS proxy server sends the value x-ms-proxy to the ADFS server, which can be used to identify this classification.

Create an ADFS claim rule by following the process below. Since in my case I have Pass-through Authentication enabled, we are unable to show the demo from the ADFS management console. The steps below are from the Microsoft docs website.

On the Start Screen, type AD FS Management, and then press Enter.

In the AD FS console tree, under AD FS\Trust Relationships > Relying Party Trusts, select O365 Identity Platform.

In O365 Identity Platform, click Edit Claim Rules > Add Rule > Issuance Transform Rules.

On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule from the list, and then click Next.

On the Configure Rule page, under Claim rule name, type the display name for this rule.

Under Custom rule, input the following:
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");

Next, input the following:
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");

Click Finish.

In the Edit Claim Rules dialog box, click OK to save the rule.
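The same two claim rules can be appended from PowerShell on the AD FS server, keeping a backup of the existing rule set. This is an added example, not part of the original post or the Microsoft steps it quotes; the rule names are illustrative, and the relying party name is the one written in this post and should be confirmed with Get-AdfsRelyingPartyTrust.

```powershell
# Added example: run on the primary AD FS server (the ADFS module ships with the role).
Import-Module ADFS
$rpName = 'O365 Identity Platform'   # name as written in this post; verify in your farm

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Keep a copy of the current rule set so the change can be rolled back.
$backup = Join-Path $env:TEMP ("issuance-rules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
$rp.IssuanceTransformRules | Set-Content -Path $backup -Encoding UTF8
Write-Host "Existing rules saved to $backup"

# Rule names below are illustrative; the rule bodies are the two rules from this post.
$newRules = @'
@RuleName = "Inside corporate network: false when via proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");

@RuleName = "Inside corporate network: true when direct"
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");
'@

# Append only if no existing rule already issues the insidecorporatenetwork claim.
if ($rp.IssuanceTransformRules -match 'insidecorporatenetwork') {
    Write-Warning 'An insidecorporatenetwork rule already exists; nothing changed.'
} else {
    $combined = $rp.IssuanceTransformRules + "`r`n" + $newRules
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $combined
}

# Show the resulting rule set for review.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```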

This is the first option for attachment handling in Outlook on the web. We can use mailbox policy settings to define whether users can open, view, send, or receive attachments when they are signed into Outlook on the web, including whether the user is on a computer that is part of a private or public network.

Use OwaMailboxPolicy and Conditional Access:

We can manage attachment handling in Outlook on the web by using a custom enforcement Conditional Access policy and enabling additional parameters on the OWA mailbox policy.

To start, we have to enable certain parameters on the OWA mailbox policy.

The parameter that needs to be enabled is ConditionalAccessPolicy. This parameter specifies the Outlook on the Web Policy for limited access.

Below are the controls that we can enforce.

Off: No conditional access policy is applied to Outlook on the web. This is the default value.
ReadOnly: Users can’t download attachments to their local computer, and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.
ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser.

When we check these values before turning them on, these are the default results:

We can run the below command to set them to read only.

Set-OwaMailboxPolicy -Identity ConditionalAccessEnforced -ConditionalAccessPolicy ReadOnly

After it has been enabled, we see the below values populated in the conditional access features. We can also notice that attachmentprintwithoutdownload has been added to the conditional access features.

Having completed this, we now need to create the associated Conditional Access policy by adding Exchange Online and enabling the features that are required to make this functionality work.

We create the Conditional Access policy with the below configuration.

In our example we are creating a new Conditional Access policy with the below name, targeting it to a specific group of people in the organization and selecting only Exchange Online under cloud apps.

Next we go to the Session settings and select Use app enforced restrictions. Doing this applies all the policy-enforced restrictions that we have configured within Exchange Online. In our example it triggers the OWA mailbox policy with the attachment handling settings we have for Outlook on the web.
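Both halves of this option can also be scripted: the OWA mailbox policy setting, then the Conditional Access policy through Microsoft Graph PowerShell. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Identity.SignIns modules, an existing OWA mailbox policy with the name used here, a placeholder group ID, an illustrative display name, and report-only mode as this example's own choice for a first rollout.

```powershell
# Added example: assumes the ExchangeOnlineManagement and
# Microsoft.Graph.Identity.SignIns modules are installed.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$owaPolicy = 'ConditionalAccessEnforced'              # OWA policy name used in this post
$groupId   = '<object-id-of-target-group>'            # placeholder: the targeted group
$exoAppId  = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online app ID

# Exchange Online side: restrict attachments, then confirm what was stored.
Set-OwaMailboxPolicy -Identity $owaPolicy -ConditionalAccessPolicy ReadOnly
Get-OwaMailboxPolicy -Identity $owaPolicy |
    Format-List Name, ConditionalAccessPolicy, ConditionalAccessFeatures

# Conditional Access side: target the group, select only Exchange Online,
# and enable the "Use app enforced restrictions" session control.
$caPolicy = @{
    displayName     = 'EXO - app enforced restrictions for OWA'   # illustrative name
    state           = 'enabledForReportingButNotEnforced'         # report-only first
    conditions      = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($exoAppId) }
        users          = @{ includeGroups = @($groupId) }
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
$created | Format-List Id, DisplayName, State

# After reviewing sign-in logs in report-only mode, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```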

After completing this configuration, in order to test it further we applied this OWA mailbox policy and enforced the Conditional Access policy for the user Clen Richard below. The moment the policy-enforced user opens an email with an attachment from webmail, he is presented with the below message on the screen stating that he can only view attachments in the browser.

Furthermore, when hovering the mouse over the dropdown of the attachment, the download option is no longer present.

When looking in the Online mode we also get the below information.

We were able to handle attachments in OWA from Public Locations with just a few clicks.
This option has been available for a long time, and enabling it can tremendously help organizations who want to utilize Outlook on the web while maintaining security.

Regards

Sathish Veerapandian
