Secure data on O365

Conditional access is a very interesting feature that provides an additional level of security: access to applications (SharePoint, Exchange, etc.) and to data is only granted if the user meets certain conditions. It is common to see conditional access used to ensure that MFA is enabled or that compliance rules are respected.

Here is another example. I want to make sure that access to Exchange Online or SharePoint Online from a given IP range or country gives read-only access to the users targeted by the policy.

Configure OWA for limited Access

We are going to configure OWA (Outlook Web Access) to enable Conditional Access app enforced restrictions. This feature is disabled by default, so it must be enabled first. Open a PowerShell prompt and enter the command:

$Credentials = Get-Credential

Enter the Office 365 admin credentials and click on OK. The credentials used to connect to Exchange Online are now stored in the $Credentials variable.

Run the following command to connect to Exchange Online.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credentials -Authentication Basic -AllowRedirection

Import the cmdlets with:

Import-PSSession $Session

To configure the Outlook Web Access policy, run the following command:

Set-OwaMailBoxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

The change is applied immediately but may take some time to take effect.

You can verify the modification with:

Get-OwaMailboxPolicy | select conditionalAccess*
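
The command above only changes OwaMailboxPolicy-Default, so mailboxes assigned to another OWA policy keep that policy's setting. The following audit is an added example, not part of the original article: the function name, the sample policy and mailbox names are hypothetical, and it assumes a mailbox with an empty OwaMailboxPolicy falls back to the policy flagged IsDefault.

```powershell
# Added example (not the author's code); all sample objects are constructed.
function Get-OwaConditionalAccessGap {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,   # e.g. output of Get-OwaMailboxPolicy
        [Parameter(Mandatory)] [object[]] $Mailbox   # e.g. output of Get-CASMailbox
    )
    # Assumption: a mailbox with an empty OwaMailboxPolicy uses the policy flagged IsDefault.
    $default = $Policy | Where-Object { $_.IsDefault } | Select-Object -First 1
    $byName = @{}
    foreach ($p in $Policy) { $byName[[string]$p.Name] = $p }
    $restricted = 'ReadOnly', 'ReadOnlyPlusAttachmentsBlocked'

    foreach ($m in $Mailbox) {
        $assigned = [string]$m.OwaMailboxPolicy
        if (-not $assigned)                     { $effective = $default }
        elseif ($byName.ContainsKey($assigned)) { $effective = $byName[$assigned] }
        else                                    { $effective = $null }   # assigned policy not found

        $setting = if ($effective) { [string]$effective.ConditionalAccessPolicy } else { 'Unknown' }
        # Report every mailbox whose effective OWA policy does not enforce a restriction.
        if ($setting -notin $restricted) {
            [pscustomobject]@{
                Mailbox                 = $m.Name
                EffectivePolicy         = if ($effective) { $effective.Name } else { $assigned }
                ConditionalAccessPolicy = $setting
            }
        }
    }
}

# Constructed sample data standing in for Get-OwaMailboxPolicy / Get-CASMailbox output.
$policies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; IsDefault = $true;  ConditionalAccessPolicy = 'ReadOnly' }
    [pscustomobject]@{ Name = 'OwaPolicy-Executives';     IsDefault = $false; ConditionalAccessPolicy = 'Off' }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'alice'; OwaMailboxPolicy = '' }
    [pscustomobject]@{ Name = 'bob';   OwaMailboxPolicy = 'OwaPolicy-Executives' }
    [pscustomobject]@{ Name = 'carol'; OwaMailboxPolicy = 'OwaPolicy-Deleted' }
)
Get-OwaConditionalAccessGap -Policy $policies -Mailbox $mailboxes | Format-Table -AutoSize

# Against the live session, before it is closed:
# Get-OwaConditionalAccessGap -Policy (Get-OwaMailboxPolicy) -Mailbox (Get-CASMailbox -ResultSize Unlimited)
```

With the sample data, bob (policy set to Off) and carol (assigned policy not found) are reported, while alice inherits the read-only default and is not.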

Close the Exchange Online session with:

Remove-PSSession $Session

Configure SharePoint Online and OneDrive

SharePoint Online and OneDrive will be configured to use the conditional access policy. From the Microsoft 365 admin center, click on SharePoint.

Click on Policies, then Access control, then Unmanaged devices.

Check Allow limited, web-only access and click on Save.

Configure Conditional Access Policy

From the Azure AD portal, click on Azure Active Directory, then on Security.

Click on Named location to configure a new location (IP address range or country).

Click on New location.

Enter the name of the location and select IP range or Country. Click on Create to create the new location.

Under Policies, two new policies have been created for SharePoint. You can delete these two and create your own policy.

From Policies, click on New Policy.

Enter the name of your policy and click on Users.

Select the desired object (groups, users, etc.).

Click on Cloud apps or actions and select Exchange Online and/or SharePoint Online.

Click on Session and check Use app enforced restrictions. Click on Select. Set Enable policy to On, then click on Create.

Test conditional access policy

The policy has been created. I sign in to the Office 365 portal as a user. In Exchange Online, email is in read-only mode.

I can read the file but I can't print or download it.

On OneDrive, the file can't be downloaded or printed.

I can open the file in Word, but printing is not available.
