While working on one of my recent projects, the client had a requirement block access to webmail after migrating their email to Exhcange Online. I won’t go into details on why this requirement was there and if this is should be reconciderred when enabling a ‘modern workplace’ (anytime and anywhere, right?), but rather get in to the technique of blocking access to webmail through Conditional Access.
Why use condition access
Of course, you can block access to webmail through some settings in Exchange. Actually, the PowerShell command to set this up is pretty straightforward:
However, since we already take care of some security settings through conditonal access (like the requirement to use Multi Factory Authentcation in some scenarios), I’d rather arrange this through condional access as well. It also gives the added benefit of being able to (dis)allow the use of webmail through group memberships, which makes it easier to manage. Another big plus is the option to bypass the policy for certain IP-addresses, so you can enable webmail for internal use, but block it from outside the office, for example.
Set up the policy
Setting up the policy is pretty straigh forward. I’ll name the policy ‘Block OWA Access’, target it to just my user and specify ‘Exchange Online’ as the cloud app to be hit by this policy.
As condition, we’ll set the client app to be the browser.
Ofcourse we need to set the policy to block access and enable it.
That’s it. If everything is well, we should now be denied access to webmail.
End user experience
When an end user tries to access OWA and is hit by the policy, access to webmail is denied.
Limited access to webmail
Using conditional access, you could allow access to OWA while blocking specific actions. For this, I set the policy to grant access but use conditional acces app control in the session blade. For this example I use the pre-build control of block downloads, but you can create your own policies through the Cloud App Security Portal.
With this pre-build control, we grant access to OWA, but block the ability to download files.
End user experience
When loging in, the user is prompted that access to Exchange Online is protected.
I can access webmail just as regularly, and the download button for my attachments is still available.
When clicking the download button however, a message is displayed that the download is blocked. There is a file being downloaded, but this is just a placeholder file stating that the actual download was blocked.
Using these set of controls, we can pretty much block anything we want to. What is your favorite feature?