Welcome back to my Exchange Online learning series! Today we dive into one of the most important—but often overlooked—administrative areas in Microsoft 365: Outlook Web Access (OWA) Policies.
If you’re learning Exchange Online from this blog, you’re about to gain deep expertise in configuring, securing, and customizing OWA at an enterprise level.
Outlook Web Access (OWA) Policies allow you to control what users can or cannot do inside Outlook on the web. From restricting attachments to disabling offline access, OWA policies give you powerful tools for security hardening and compliance.
By the end of this guide, you’ll understand OWA policies so well that you can configure them confidently in any organization—from small businesses to big regulated enterprises.
1. What Are Outlook Web Access (OWA) Policies?
Outlook Web Access (OWA) Policies are configuration profiles that apply restrictions, security controls, and feature settings to user mailboxes accessed through Outlook on the web.
These policies help you control:
- What users can do inside OWA
- What features are enabled or disabled
- How attachments are handled
- Whether offline access is allowed
- The security posture of browser‑based email
Think of OWA Policies as your organization’s “browser security layer” for Exchange Online.
2. Why OWA Policies Matter
Most admins underestimate how much users rely on Outlook on the Web (OWA). It’s lightweight, fast, and available from any browser.
This also means:
- High risk of unauthorized access
- Higher likelihood of data leakage from shared or public computers
- Attack surface increases when users log in from untrusted networks
OWA Policies let you:
- Strengthen browser‑based email security
- Restrict sensitive operations
- Improve compliance posture
- Prevent risky features (e.g., attachments on unmanaged devices)
- Standardize user experiences
For organizations concerned with data loss, OWA Policies are essential.
3. Default OWA Policy Behavior
By default, every mailbox receives:
- Global OWA policy from Exchange Online
- Full OWA feature set enabled
- No restrictions on attachments
- Offline access allowed
- Access from any browser
- All apps (Calendar, People, Tasks) visible
This is convenient but not secure enough for organizations handling:
- Financial data
- Legal documents
- Healthcare records
- Personally identifiable information (PII)
This is why custom OWA policies are important.
4. How OWA Policies Work
An OWA mailbox policy defines feature‑level controls for Outlook on the Web.
Once created, the policy can be:
- Assigned to a single mailbox
- Assigned to multiple mailboxes
- Used as default for the organization
The policy applies instantly once assigned and synced.
Key Facts About OWA Policies:
- A mailbox can have only one OWA policy
- Policies do not affect Outlook desktop or mobile
- Policies apply at the user level (not device level)
- Use PowerShell for advanced configurations
5. Creating an OWA Policy
There are two ways to create OWA policies: Exchange Admin Center (EAC) and PowerShell.
Using Exchange Admin Center
- Open Exchange Admin Center
- Navigate to Roles > Outlook web app policies
- Select New OWA policy
- Configure the required options
This is simple but limited.
6. Assigning an OWA Policy
You can assign an OWA Policy to a user from:
Exchange Admin Center
- Open a mailbox
- Go to Mailbox features
- Select Email apps & mobile devices
- Click Manage settings for email apps
- Select Outlook web app mailbox policy
- Save
PowerShell
Set-CASMailbox -Identity user@domain.com -OWAMailboxPolicy "Custom-OWA-Policy"
Assigning via PowerShell is recommended for multiple users.
7. Key OWA Policy Settings Explained
This is where real OWA mastery begins. Let’s explore feature‑level controls.
7.1 Attachment Policies
You can control whether users:
- Download attachments
- View attachments
- Use WebReady Document Viewing
- Access attachments on public devices
Example Setting:
Disable direct attachment downloads on public computers:
Set-OWAMailboxPolicy -Identity "SecurePolicy" -DirectFileAccessOnPublicComputersEnabled $false
Useful for security‑sensitive organizations.
7.2 Offline Access
OWA’s offline mode caches:
- Emails
- Calendar
- Contacts
Disable if required:
Set-OWAMailboxPolicy -Identity "SecurePolicy" -AllowOfflineOn NoComputers
Recommended for shared computer environments.
7.3 Calendar Restrictions
You can disable:
- Calendar sharing
- ICS publishing
- Calendar reminders
- RSVP features
Most organizations allow these, but restricting them is possible.
7.4 Instant Messaging (Skype for Business / Teams)
Old environments still support IM in OWA.
Disable it here:
Set-OWAMailboxPolicy -Identity "SecurePolicy" -InstantMessagingEnabled $false
7.5 WebReady Document Viewing
OWA can convert Office files to browser‑readable HTML.
This is useful when:
- Office apps aren’t installed
- You want safer document previewing
Disable if you want to avoid unnecessary exposure:
Set-OWAMailboxPolicy -Identity "SecurePolicy" -WebReadyDocumentViewingOnPublicComputersEnabled $false
7.6 Navigation Restrictions
You can hide:
- Calendar
- People
- Tasks
- Attachments
- Options page
Example:
Set-OWAMailboxPolicy -Identity "SecurePolicy" -CalendarEnabled $false
These controls help tailor the user interface.
8. OWA Policy Management via PowerShell
PowerShell gives you full control.
Create a policy
New-OWAMailboxPolicy -Name "RestrictedOWA"
View all policy settings
Get-OWAMailboxPolicy | fl
Modify a setting
Set-OWAMailboxPolicy -Identity "RestrictedOWA" -RemindersAndNotificationsEnabled $false
Assign a policy
Set-CASMailbox -Identity user@domain.com -OWAMailboxPolicy "RestrictedOWA"
Bulk assignment
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy "CorpPolicy"
PowerShell is mandatory for large organizations.
9. Real‑World Scenarios for OWA Policies
Let’s look at how these apply in real organizations.
Scenario 1: Finance Department Lockdown
Requirements:
- No attachments downloadable
- No offline access
- No external calendar sharing
OWA restrictions prevent data leak risks.
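The first two requirements of Scenario 1 as one re-runnable script, added here as an example and not taken from the original post. The policy name Finance-OWA and the group address are assumed placeholders, and the external calendar sharing requirement is not covered.

```powershell
# Added example; run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Assumed names: policy 'Finance-OWA', group finance-team@contoso.example.
$policyName = 'Finance-OWA'
$group      = 'finance-team@contoso.example'

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Direct file access is switched off for both session classes so the
# restriction does not depend on how a session is classified.
$settings = @{
    Identity                                  = $policyName
    DirectFileAccessOnPublicComputersEnabled  = $false
    DirectFileAccessOnPrivateComputersEnabled = $false
    AllowOfflineOn                            = 'NoComputers'
}
Set-OwaMailboxPolicy @settings

# Assign the policy to every user mailbox in the group.
$members = Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    Where-Object RecipientType -eq 'UserMailbox'

foreach ($member in $members) {
    Set-CASMailbox -Identity $member.PrimarySmtpAddress -OwaMailboxPolicy $policyName
}

# Read the assignment back; any row not showing $policyName needs attention.
$members |
    ForEach-Object { Get-CASMailbox -Identity $_.PrimarySmtpAddress } |
    Select-Object PrimarySmtpAddress, OwaMailboxPolicy |
    Format-Table -AutoSize
```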
Scenario 2: Contractors and Temporary Employees
Limitations needed:
- No mailbox preview
- No calendar access
- No option page changes
OWA policies can limit exposure.
Scenario 3: Public Kiosks
Disable:
- Attachments
- Offline mode
- Calendar
- People pane
OWA policies secure shared environments.
10. OWA Policies in Hybrid Environments
In hybrid setups:
- OWA Policies apply only to cloud mailboxes
- On‑premises OWA policies are separate
- Policies do not sync between environments
- Use Exchange Online PowerShell for cloud policies
This is critical during migrations.
11. Comparing OWA Policies vs Mobile Device Policies
Many admins confuse these.
| Feature | OWA Policies | Mobile Policies |
|---|---|---|
| Browser access | ✔ | ✘ |
| Mobile app access | ✘ | ✔ |
| Attachment restrictions | ✔ | ✔ |
| Offline restrictions | ✔ | ✔ |
| Data leakage control | ✔ | ✔ |
Both are security tools but operate in different places.
12. Common Admin Mistakes
Here are common pitfalls:
- Relying only on default policy: Default policies are very permissive.
- Assigning wrong policies to users: Always test before rollout.
- Forgetting to disable offline access: Especially on unmanaged devices.
- Using GUI instead of PowerShell: GUI lacks deep configuration options.
- Not documenting policies: Leads to confusion later.
Avoid these errors to maintain a secure environment.
13. Best Practices
Here are expert recommendations:
- Create multiple policies based on user roles: Finance, HR, IT, contractors, interns.
- Disable offline access on public devices: Prevents cached email storage.
- Use “View Only” mode for high‑risk users: Improves security posture.
- Enforce attachment restrictions: Avoid uncontrolled downloads.
- Regularly review policy assignments: Make sure employees have the right policies.
- Test every policy before full rollout: Avoid unexpected user disruptions.
OWA policies are crucial for security hardening.
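One way to carry out the regular review of policy settings and assignments recommended above, added as an example that is not part of the original post. The function name Get-OwaPolicyFinding and the sample objects are constructed for illustration; the property names are assumed to match the output of Get-OwaMailboxPolicy and Get-CASMailbox.

```powershell
# Added example: flags permissive OWA policies and mailboxes left on the default policy.
function Get-OwaPolicyFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,   # objects shaped like Get-OwaMailboxPolicy output
        [Parameter(Mandatory)] [object[]] $Mailbox   # objects shaped like Get-CASMailbox output
    )
    $default = ($Policy | Where-Object IsDefault | Select-Object -First 1).Name

    foreach ($p in $Policy) {
        $issues = @()
        if ("$($p.AllowOfflineOn)" -ne 'NoComputers') { $issues += "offline access: $($p.AllowOfflineOn)" }
        if ($p.DirectFileAccessOnPublicComputersEnabled)  { $issues += 'direct file access (public)' }
        if ($p.DirectFileAccessOnPrivateComputersEnabled) { $issues += 'direct file access (private)' }
        if ($issues) {
            [pscustomobject]@{ Type = 'Policy'; Name = $p.Name; Finding = $issues -join '; ' }
        }
    }
    foreach ($m in $Mailbox) {
        $assigned = "$($m.OwaMailboxPolicy)"
        if (-not $assigned -or $assigned -eq $default) {
            [pscustomobject]@{ Type = 'Mailbox'; Name = $m.PrimarySmtpAddress
                               Finding = 'default or no OWA policy assigned' }
        }
    }
}

# Constructed sample data so the function runs without a tenant connection.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; IsDefault = $true; AllowOfflineOn = 'AllComputers'
        DirectFileAccessOnPublicComputersEnabled = $true; DirectFileAccessOnPrivateComputersEnabled = $true }
    [pscustomobject]@{ Name = 'SecurePolicy'; IsDefault = $false; AllowOfflineOn = 'NoComputers'
        DirectFileAccessOnPublicComputersEnabled = $false; DirectFileAccessOnPrivateComputersEnabled = $false }
)
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'; OwaMailboxPolicy = 'SecurePolicy' }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';   OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@contoso.example'; OwaMailboxPolicy = $null }
)

# Reports the default policy (three findings) plus bob and carol; SecurePolicy and alice pass.
Get-OwaPolicyFinding -Policy $samplePolicies -Mailbox $sampleMailboxes | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-OwaPolicyFinding -Policy (Get-OwaMailboxPolicy) -Mailbox (Get-CASMailbox -ResultSize Unlimited)
```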
Final Thoughts
Mastering Outlook Web Access (OWA) Policies is an essential skill for every Exchange Online administrator. These policies give you granular control over user experiences, security behaviors, and compliance requirements in browser-based email.
If you’re following my Exchange Online learning series, this guide should make you confident enough to create, assign, and manage OWA policies across any Microsoft 365 tenant—no matter how complex.