Exchange Online – Implement ‘Limited Access’ Conditional Access

You may already know that you can implement a ‘limited access’ conditional access for SharePoint Online and OneDrive for Business, allowing end-users to access content on SharePoint Online but not authorizing to download anything while accessing using non compliant devices.

Now, you can do the same for Exchange Online to allow your end-users accessing their mailbox using Outlook on the Web (aka Outlook Web Access) while the device they are using is identified as non compliant (like cybercafé).

To implement this ‘limited access’ conditional access you need to:

  • Connect to Exchange Online with PowerShell to enable the limited access capability – it is recommended to use the newest PowerShell module available here which supports MFA



  • Then create or edit an Outlook Web Access policy

Set-OwaMailboxPolicy –Identity <you OWA policy> -ConditionalAccessPolicy ReadOnly

  • Then you need to connect to your Azure AD portal or Azure portal to configure the conditional access for Exchange Online by accessing the Conditional Access configuration blade for your Azure AD


  • Create a new conditional access policy


  • Configure the policy as below:
    • Name: name it as you want; it is always to recommended to use an understandable name
    • Users and groups: define to which users/groups the policy will apply. As usual, first use a limited set of users for testing
    • Cloud Apps: select Office 365 Exchange Online
    • Other configuration options depend of your requirements
    • Session: enable the option Use app enforced restrictions


  • Once the policy is created and applied, next time your end-user will logon to OWA using a non compliant devices they will have limited access enabled, which will block files download and disable offline access

Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.