Block webmail access using conditional access

While working on one of my recent projects, the client had a requirement to block access to webmail after migrating their email to Exchange Online. I won’t go into details on why this requirement was there and whether it should be reconsidered when enabling a ‘modern workplace’ (anytime and anywhere, right?), but rather get into the technique of blocking access to webmail through Conditional Access.

Why use conditional access

Of course, you can block access to webmail through some settings in Exchange. Actually, the PowerShell command to set this up per mailbox is pretty straightforward:

# Disable Outlook on the web for one mailbox (replace the placeholder with the user's UPN)
Set-CASMailbox -Identity <UserPrincipalName> -OWAEnabled $false

However, since we already take care of some security settings through conditional access (like the requirement to use Multi-Factor Authentication in some scenarios), I’d rather arrange this through conditional access as well. It also gives the added benefit of being able to (dis)allow the use of webmail through group memberships, which makes it easier to manage. Another big plus is the option to bypass the policy for certain IP addresses, so you can enable webmail for internal use but block it from outside the office, for example.

Set up the policy

Setting up the policy is pretty straightforward. I’ll name the policy ‘Block OWA Access’, target it to just my user and specify ‘Exchange Online’ as the cloud app to be hit by this policy.

Creating the policy

As condition, we’ll set the client app to be the browser.

Select browser as client app

Of course we need to set the policy to block access and enable it.

Block access

That’s it. If everything went well, we should now be denied access to webmail.

End user experience

When an end user tries to access OWA and is hit by the policy, access to webmail is denied.

Block access

Limited access to webmail

Using conditional access, you could allow access to OWA while blocking specific actions. For this, I set the policy to grant access but use Conditional Access App Control in the session blade. For this example I use the pre-built control ‘block downloads’, but you can create your own policies through the Cloud App Security portal.

Access app control

With this pre-built control, we grant access to OWA, but block the ability to download files.
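The same two policies (the ‘Block OWA Access’ policy from the setup section and the grant-but-block-downloads variant above) can also be created with Microsoft Graph PowerShell instead of clicking through the portal. The block below is an added example and not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator role, and that the placeholder UPN is replaced with a real test user. It also goes one step beyond the portal walkthrough by exempting trusted named locations, which is the IP bypass mentioned earlier.

```powershell
# Added example (not from the original post): create both OWA policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed, Conditional Access Administrator role, placeholder UPN replaced.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All'

# Well-known app ID of Office 365 Exchange Online (the cloud app selected in the portal)
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'
$testUser = Get-MgUser -UserId '<user@yourtenant.onmicrosoft.com>'   # placeholder UPN

function New-OwaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $UserIds,
        # Without the switch the sign-in is blocked outright; with it, access is granted but downloads are blocked
        [switch] $BlockDownloadsOnly
    )

    $body = @{
        displayName = $DisplayName
        # Use 'enabledForReportingButNotEnforced' first to watch the sign-in log without locking anyone out
        state       = 'enabled'
        conditions  = @{
            users          = @{ includeUsers = $UserIds }      # swap for includeGroups to manage by group
            applications   = @{ includeApplications = @($exchangeOnlineAppId) }
            clientAppTypes = @('browser')                      # only OWA; Outlook clients use other client app types
            # Exempt trusted named locations so webmail still works from the office network
            locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
    }

    if ($BlockDownloadsOnly) {
        # Conditional Access App Control session control with the pre-built 'block downloads' policy;
        # 'mcasConfigured' would instead route the session to your own Defender for Cloud Apps policies
        $body.sessionControls = @{
            cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'blockDownloads' }
        }
    } else {
        $body.grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$block = New-OwaPolicy -DisplayName 'Block OWA Access'     -UserIds $testUser.Id
$limit = New-OwaPolicy -DisplayName 'OWA - block downloads' -UserIds $testUser.Id -BlockDownloadsOnly

# Confirm what landed in the tenant before testing with the user
@($block, $limit) |
    ForEach-Object { Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id } |
    Select-Object DisplayName, State, @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } }
```

Both policies target the same test user here only to keep the example short; when a block policy and a session-control policy hit the same sign-in, the block wins, so in practice assign them to different groups. Creating them in report-only state first and reading the Conditional Access tab of the sign-in log is the cheapest way to confirm that only browser sign-ins to Exchange Online are matched.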

End user experience

When logging in, the user is prompted that access to Exchange Online is protected.

Logon warning

I can access webmail just as regularly, and the download button for my attachments is still available.

Webmail view

When clicking the download button however, a message is displayed that the download is blocked. There is a file being downloaded, but this is just a placeholder file stating that the actual download was blocked.

Download blocked

Using this set of controls, we can pretty much block anything we want to. What is your favorite feature?