Exchange Mobile Device Policies (OWA)

OWA mailbox policies are a set of configuration rules applied to user mailboxes that control the features and security behaviors of Outlook on the web (formerly Outlook Web App). They exist because organizations need to enforce security and compliance policies on web-based email access, especially from mobile devices and unmanaged browsers. Unlike full MDM solutions, OWA policies are lightweight and apply at the Exchange Online level, requiring no device enrollment. The MS-102 exam focuses on these policies as a key tenant management tool.

When a user accesses their mailbox via OWA (https://outlook.office.com), the Exchange Online front-end server evaluates the OWA mailbox policy assigned to that user. The policy is stored as an object in Exchange Online and contains a set of Boolean, integer, and string parameters. The evaluation occurs at the start of each OWA session, and the policy settings dictate what UI elements are visible and what actions are permitted. For example, if the parameter -AllowExternalSenders is set to $false, the OWA interface will not show the option to add external recipients in the To field. The policy is retrieved from the user's mailbox properties via the Get-CASMailbox cmdlet, which shows the OwaMailboxPolicy property. The default policy is named "Default" and is applied to all users who do not have a custom policy.

OWA mailbox policies contain dozens of parameters. The MS-102 exam tests the following critical ones: - -AllowExternalSenders: Default $true. When $false, users cannot send email to external (non-tenant) recipients via OWA. - -BlockExternalImages: Default $true. When $true, external images in HTML emails are blocked by default; users can click to download. - -AllowCopyContactsToDeviceAddressBook: Default $true. When $false, users cannot sync OWA contacts to their mobile device's address book. - -OWALightEnabled: Default $true. Controls whether the light version of OWA is available for slow connections. - -DefaultTheme: String specifying the theme name. Default is blank (no custom theme). - -LogonAndErrorLanguage: Integer for language locale. Default is 0 (system default). - -UseGB18030: Default $false. Affects character encoding for Chinese users. - -AllowOfflineOn: Options: NoComputers, AllComputers. Default is AllComputers. Controls whether cached offline mode is allowed. - -SetPhotoAvailable: Default $true. When $false, users cannot see or set their mailbox photo. - -GroupCreationEnabled: Default $true. When $false, users cannot create distribution groups or Microsoft 365 groups via OWA. - -NotesEnabled: Default $true. Controls the Notes feature in OWA. - -RecoverDeletedItemsEnabled: Default $true. When $false, users cannot recover deleted items from the Recoverable Items folder via OWA. - -InstantMessagingEnabled: Default $true. Controls integration with Teams/Skype for Business. - -TextMessagingEnabled: Default `$true. Controls SMS text messaging features. - -ForceSaveAttachmentFiltering: Default `$false`. When `$true`, forces attachment scanning. - -AllowUserVoiceMail: Default `$true. Controls voice mail options. - -PublicFoldersEnabled: Default $true. When $false, public folders are not accessible via OWA.

There are no specific timers associated with OWA policies; they are session-based and evaluated at login. However, policy changes take effect immediately for new sessions; existing sessions may need to refresh or log out/in.

OWA mailbox policies are managed via Exchange Online PowerShell (EXO V2 module). The key cmdlets are: - Get-OwaMailboxPolicy - lists all policies. - New-OwaMailboxPolicy - creates a custom policy. - Set-OwaMailboxPolicy - modifies policy parameters. - Remove-OwaMailboxPolicy - deletes a policy. - Set-CASMailbox - assigns a policy to a user. - Get-CASMailbox - shows which policy a user has.

Example: Create a new policy named "RestrictExternal" that blocks external senders and disables contact sync:

New-OwaMailboxPolicy -Name "RestrictExternal"
Set-OwaMailboxPolicy -Identity "RestrictExternal" -AllowExternalSenders $false -AllowCopyContactsToDeviceAddressBook $false

Assign to user:

Set-CASMailbox -Identity user@domain.com -OwaMailboxPolicy "RestrictExternal"

Verify:

Get-CASMailbox -Identity user@domain.com | Select-Object OwaMailboxPolicy

Note: The default policy cannot be deleted. Custom policies can be assigned to multiple users. If a user has no explicit policy, they get the default.

OWA mailbox policies interact with: - Mobile Device Management (MDM): MDM policies (via Intune) are device-level and require enrollment. OWA policies are mailbox-level and do not require enrollment. They can complement each other; for example, MDM can enforce device encryption, while OWA policies can block external recipients. - ActiveSync Policies: ActiveSync policies apply to devices using the Exchange ActiveSync protocol (native mail apps on iOS/Android). OWA policies apply only to the web interface. However, many settings overlap (e.g., allow external recipients). The exam tests that OWA policies do not affect ActiveSync clients unless specifically configured via other means. - Conditional Access Policies: Azure AD Conditional Access can enforce MFA or block access based on location or device compliance, but it does not control OWA features like external recipients. OWA policies are more granular for feature control. - Compliance Policies: Data loss prevention (DLP) and retention policies operate at the message level, not the UI level. OWA policies can prevent users from performing actions (like forwarding to external) that would bypass DLP.

The default OWA mailbox policy is named "Default" and is applied to all mailboxes that do not have a custom policy. You cannot delete it, but you can modify its settings. However, best practice is to leave the default as-is and create custom policies for specific user groups. The exam often tests that custom policies override the default when assigned.

Below is a list of commonly tested parameters with their default values and effects:

| Parameter | Default | Effect when set to $false | |-----------|---------|---------------------------| | AllowExternalSenders | $true | Cannot send to external recipients | | BlockExternalImages | $true | External images blocked by default | | AllowCopyContactsToDeviceAddressBook | $true | Cannot sync contacts to device | | OWALightEnabled | $true | Light version disabled | | AllowOfflineOn | AllComputers | Offline mode disabled on all computers | | GroupCreationEnabled | $true | Cannot create groups | | NotesEnabled | $true | Notes feature hidden | | RecoverDeletedItemsEnabled | $true | Cannot recover deleted items | | InstantMessagingEnabled | $true | IM integration disabled | | TextMessagingEnabled | $true | SMS features disabled | | PublicFoldersEnabled | $true | Public folders not accessible |

Note: Some parameters like -SetPhotoAvailable and -ForceSaveAttachmentFiltering are also tested occasionally.

ActiveSync policies are applied to devices using the Exchange ActiveSync protocol. They include security settings like password requirements, device encryption, and inactivity lock. OWA policies are for the web interface. The exam often includes a question where you must choose which policy to modify to block external recipients in OWA (answer: OWA mailbox policy) versus blocking external recipients on mobile devices (answer: ActiveSync policy or mail flow rule).

Mail flow rules can also block external recipients, but they work at the transport level, not the UI level. OWA policies prevent the user from even composing a message to an external recipient, while mail flow rules reject or redirect messages after they are sent. The exam may test that OWA policies provide a proactive block versus reactive block.

When creating custom policies, always use descriptive names. Use Get-OwaMailboxPolicy to view all settings before modifying. To see the current policy for a user, use Get-CASMailbox. To see all users with a specific policy, use:

Get-CASMailbox -ResultSize Unlimited | Where-Object {$_.OwaMailboxPolicy -eq "PolicyName"}

If a user reports that a setting is not working: 1. Confirm the policy is assigned correctly. 2. Check if the user is accessing OWA from a mobile browser (some settings may behave differently, but OWA policies still apply). 3. Ensure the user is not using a third-party app that bypasses OWA. 4. Clear browser cache and cookies. 5. Verify that the policy has not been overridden by a higher-level policy (e.g., Conditional Access or MDM).

Scenario 1: A company wants to prevent users from sending emails to external domains via OWA. Solution: Set -AllowExternalSenders $false on the OWA mailbox policy.

Scenario 2: A company wants to disable offline access in OWA. Solution: Set -AllowOfflineOn NoComputers.

Scenario 3: A user complains they cannot see the Notes feature. Check if -NotesEnabled is set to $false.

Scenario 4: A user cannot recover deleted items. Check -RecoverDeletedItemsEnabled.

OWA mailbox policies are a lightweight but powerful way to control the OWA experience. They are a core part of tenant management in MS-102. Understanding the exact parameters, defaults, and how to assign them via PowerShell is essential for the exam. Remember: OWA policies apply only to the web interface, not to mobile apps or desktop Outlook.

In a large enterprise with 10,000 users, the IT team implemented OWA mailbox policies to meet compliance requirements. The company needed to prevent all users from sending emails to external domains via OWA to reduce data exfiltration risk. They created a custom policy named "NoExternal" with -AllowExternalSenders $false and assigned it to all users via a PowerShell script that looped through all mailboxes. However, they discovered that executives needed to send external emails, so they created a second policy "Executives" with -AllowExternalSenders $true and assigned it to a security group. The challenge was that the default policy still applied to any new users not in the script, so they set the default policy to also block external senders. This worked, but they had to ensure that the executive policy was assigned before the default policy took effect. At scale, performance is not an issue because policies are stored in the mailbox database and evaluated per session. A common misconfiguration is forgetting to assign the policy after creation, leaving users on the default. Another scenario involved a healthcare organization that needed to disable offline access to patient data. They set -AllowOfflineOn NoComputers on all OWA policies. However, they also had ActiveSync policies for mobile devices, and some users complained they could still access offline data via mobile apps. This was because OWA policies do not affect ActiveSync; they had to configure mobile device policies separately. The lesson: OWA policies are only for the web interface. In a third scenario, a university wanted to allow students to use OWA but block them from creating groups. They set -GroupCreationEnabled $false on the student policy. However, students could still create groups via Teams or Outlook desktop. The IT team realized that OWA policies only prevent group creation via the OWA interface; they had to use other controls for other clients. This highlights the importance of understanding the scope of OWA policies. When misconfigured, users may experience unexpected behavior, such as being unable to reply to external emails because -AllowExternalSenders also blocks replies. The exam often tests this nuance.