Providing restricted access to Exchange and SharePoint Online on unmanaged devices

Users can access Website resources like Exchange Online (Outlook on the Web) (default) or SharePoint Online, or limit or block access to those resources based on their connected device state. Blocking access to unmanaged devices may bring productivity costs, however, limited access may allow users to remain productive on these devices and may also reduce data loss risks.


End users can remain productive while minimizing accidental data loss by limiting access on unmanaged devices. Using limited access, users with unmanaged devices will only be able to access files through a browser and will not be able to save, print, and sync files. Modern authentication is required for this. Authentication with legacy systems can be blocked for this reason.


The web applications can be configured to behave differently if the user is applicable for a Conditional Access policy where App Enforced restrictions are configured.


License / Setup Requirements

  • Azure AD Premium P1 license for CA Policy

  • Prerequisites for enabling the limited access experience with SharePoint and Exchange Online (global admin permissions required)

Creating a limited access environment for Exchange Online

Use Exchange Online PowerShell to enable Conditional Access (CA) for all users by using the default OwaMailboxPolicy


Since Conditional Access App Enforced Restrictions are by default disabled in OWA mailbox policies, you must first activate the feature using the Set-OwaMailboxPolicy cmdlet in the Exchange Online PowerShell module.


First identify the OwaMailboxPolicy using command,

Get-OwaMailboxPolicy | ft Name



Change the default OWA policy using below command:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly




Valid values for the -ConditionalAccessPolicy parameter are:

  • Off: No conditional access policy is applied to Outlook on the web. This is the default value.

  • ReadOnly: Users can’t download attachments to their local computer and can’t enable Offline Mode on non-compliant computers. They can still view attachments in the browser.

  • ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can’t view attachments in the browser

Validate the OWA configuration using below command:

Get-OwaMailboxPolicy | Select-Object ConditionalAccess* | fl


Note: Limited access is only available for Exchange Online accounts that have the ConditionalAccessPolicy setting set to ReadOnly (or ReadOnlyPlusAttachmentsBlocked)

The policy will take effect in a few hours. Users of non-compliant devices will no longer be able to download attachments from Outlook on the web once the new rule takes effect and when also part of ConditionalAccess Policy


Creating a limited access environment for SharePoint Online

Launch SharePoint Admin Portal and enable the limited access



Or Alternative set this via PowerShell Command

Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess


Create ConditionalAccess Policy to apply on users


Select the users / security groups that you want to apply the policy to



Select Cloud Apps:

  • Exchange Online

  • SharePoint Online



In Sessions, Select Use app enforced restrictions



In the second CA policy (Block access for apps), the app is blocked from being accessed by unmanaged devices like Outlook, OneDrive etc.



End User Experience


Login to OWA, and validate the results



Similarly, OneDrive reflects below message.



1,072 views