OWA Attachment Controls in Office 365

A customer recently asked for the following settings I want to block users from downloading attachments in OWA (Outlook on the Web) but allow them to edit documents in Office Online.

Simple enough scenario or so I thought!

Looking at the GUI the only option you have under file access is “Direct file access” which allows full control and downloading of documents. Turning this off blocks all file attachments from editing, downloading or saving to OneDrive for Business.

Ok so lets look under the hood in PowerShell or owamailboxpolicy the options available to us that we want to look at are as follows:

DirectFileAccessOnPublicComputersEnabled	Specifies left-click and other options available for attachments when the user has signed in to Outlook Web App from a computer outside of a private or corporate network. If this parameter is set to $true,Open and other options are available. If it’s set to $false, the Open option is disabled.
DirectFileAccessOnPrivateComputersEnabled
ForceWacViewingFirstOnPublicComputers	Specifies whether a user who signed in to Outlook Web App from a computer outside of a private or corporate network can open an Office file directly without first viewing it as a webpage.
ForceWacViewingFirstOnPrivateComputers
ForceWebReadyDocumentViewingFirstOn PublicComputers*	Specifies whether a user who has signed in to Outlook Web App can open a document directly without first viewing it as a webpage.
ForceWebReadyDocumentViewingFirstOn PrivateComputers*
WacViewingOnPublicComputersEnabled	Specifies whether a user who has signed into Outlook Web App from a computer outside of the corporate network can view supported Office files using Outlook Web App.
WacViewingOnPrivateComputersEnabled
WebReadyDocumentViewingOnPublic ComputersEnabled*	Specifies whether WebReady Document Viewing is enabled when the user has signed in from a computer outside of the corporate network.
WebReadyDocumentViewingOnPrivate ComputersEnabled*

*Although this commands appears if you run a set-owamailboxpolicy you CANNOT update the settings

Now the first item I will point out is how does Office 365 know what is public or private. Well the short answer is it doesn’t! Everything is private.

Well how can it….Well with some further digging you need ADFS deployed and a claim rule as follows as this will identify the location of the users.

Below I will describe how to configure the controls as requested.

First of all in PowerShell you need to run set-organizationconfig -publiccomputersdetectionenabled $true

Then within ADFS you need to do the following (This is based on ADFS 2.0 once carried out on ADFS 3.0 I will update):

1. On the Start Screen, type AD FS Management, and then press Enter.
2. In AD FS console tree, under AD FS\Trust Relationships > Relying Party Trusts and select O365 Identity Platform.
3. In O365 Identity Platform, click Edit Claim Rules > Add Rule > Issuance Transform Rules.
4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule from the list, and then click Next.
5. On the Configure Rule page under Claim rule name type the display name for this rule.
6. Under Custom rule, input the following:exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");
7. Next, input the following: NOT exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true");
8. Click Finish.
9. In the Edit Claim Rules dialog box, click OK to save the rule.

Then once you have set the above within your OWA Mailbox Policy set the following:

Set-OwaMailboxPolicy -identity MyOWAPolicy -DirectFileAccessOnPrivateComputersEnabled $false -ForceWacViewingFirstOnPrivateComputers $true -WacViewingOnPrivateComputersEnabled $true

Finally apply the policy to the user(s) this will apply to.

Now what the above configuration will do is stop users from downloading attachments and allow them to edit and view within a browser.

Now if you want to set the same policy’s externally as well you can follow the steps switching the commands for public to private and you must use ADFS.