Do You Really Want OWA Users to Access Third Party File Providers?
Those who browse the deep recesses of Microsoft documentation often find unannounced pleasures awaiting their delight. Such is the case of Set-OWAMailboxPolicy, where the ThirdPartyFileProvidersEnabled setting is documented. Despite the best efforts of Vasil Michev (the esteemed technical editor of the Office 365 for IT Pros eBook), the setting seems not to be well known. It deserves more.
By default, the setting is false, which means that OWA users can’t access third-party file providers like Box, Google Drive, or Dropbox to upload attachments. Before users can access a third-party file provider, they must authenticate their account (including an MFA challenge if MFA is enabled for the account) and give access to OWA.

Once the connection is made between the third-party file provider and OWA, the user can browse for attachments. Here’s what it looks like for a Dropbox account.

Goodness and Badness
There’s goodness and badness in allowing users to access third-party file providers. It’s good that users can attach files stored in these providers, because doing so brings the files into Exchange Online and exposes the content to Office 365 data governance. It’s bad if it encourages the long-term use of third-party file providers for business information. Each organization will have to make up its mind how to handle the situation and decide if they want to enable access to other file services.
Discovering Who Can Use Third-Party File Providers
To check what OWA mailbox policies allow access to third-party file providers, use the command:
Get-OwaMailboxPolicy | Format-Table Name, ThirdPartyFileProvidersEnabled

Name                        ThirdPartyFileProvidersEnabled
----                        ------------------------------
OwaMailboxPolicy-Default    True
Restricted Download Access  False
OWAFullAccess               True
NoOfflineAccess             True
We can see that three of the OWA mailbox policies allow third-party file providers. To discover the mailboxes covered by these policies, use the command:
Get-Mailbox -RecipientTypeDetails UserMailbox | Get-CasMailbox | Where-Object {$_.OWAMailboxPolicy -ne "Restricted Download Access"} | Format-Table DisplayName
We use Get-Mailbox to feed a filtered list of user mailboxes (excluding room, shared, discovery, and resource mailboxes) to Get-CasMailbox, check what OWA mailbox policy applies to each, and output a list of names. Simple!
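The command above hardcodes the name of the one policy that blocks access. The following is an added example, not code from the original article, that reads the ThirdPartyFileProvidersEnabled value from each policy instead, so the report stays correct when policies are added or changed. It assumes a connected Exchange Online PowerShell session, that the OwaMailboxPolicy value returned by Get-CasMailbox matches the policy Name (as the command above also assumes), and that a mailbox with no policy assigned falls under the policy flagged IsDefault.

```powershell
# Added example: run in a connected Exchange Online PowerShell session.

# 1. Read every OWA mailbox policy once and note which ones allow third-party providers.
$Policies     = @(Get-OwaMailboxPolicy)
$EnabledNames = @($Policies |
    Where-Object { $_.ThirdPartyFileProvidersEnabled -eq $true } |
    ForEach-Object { $_.Name })

# 2. Assumption: mailboxes with no policy assigned use the policy flagged IsDefault.
$DefaultPolicy = $Policies | Where-Object { $_.IsDefault } | Select-Object -First 1

# 3. Work out the effective policy for each user mailbox and whether it allows access.
$Report = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Get-CasMailbox |
    ForEach-Object {
        $Assigned = [string]$_.OwaMailboxPolicy
        $Effective = if ($Assigned) { $Assigned }
                     elseif ($DefaultPolicy) { $DefaultPolicy.Name }
                     else { '' }
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            EffectivePolicy   = $Effective
            ExplicitlySet     = [bool]$Assigned
            ThirdPartyAllowed = ($EnabledNames -contains $Effective)
        }
    }

# 4. Mailboxes that can reach Box, Google Drive, Dropbox and similar from OWA.
$Report | Where-Object { $_.ThirdPartyAllowed } |
    Sort-Object EffectivePolicy, DisplayName |
    Format-Table DisplayName, EffectivePolicy, ExplicitlySet -AutoSize

# 5. Per-policy summary, useful for deciding which policies to change.
$Report | Group-Object EffectivePolicy |
    Select-Object Name, Count, @{ n = 'ThirdPartyAllowed'; e = { $EnabledNames -contains $_.Name } } |
    Format-Table -AutoSize

# 6. Preview turning the setting off for every policy that allows it.
#    Remove -WhatIf to apply the change.
foreach ($Name in $EnabledNames) {
    Set-OwaMailboxPolicy -Identity $Name -ThirdPartyFileProvidersEnabled $false -WhatIf
}
```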
For more information about OWA (but not third-party file providers), see Chapter 10 of the Office 365 for IT Pros eBook.
Can Outlook for iOS be locked down like this to block Box, Dropbox, OneDrive (non business)?
With Intune? I don’t know because I haven’t tried. But I will ask.
We’re actually using AirWatch MDM and the Outlook for iOS configuration settings can be locked down to not allow adding a personal email account using the configuration string IntuneMAMAllowedAccountsOnly with IntuneMAMUPN which seems to work for blocking a user adding a personal email account. But it does not lock down adding 3rd party storage services like Box, Dropbox, Google Drive; ideally we do not want these to even appear in the list of options. It’s possible to integrate AirWatch with Intune app protection policies but could not see how to do it with those.
From the Intune people:
Yes, an Intune app protection policy configured with “Send org data to other apps” will prevent the scenario or ensure if the data gets transferred that it is encrypted and inaccessible on the third-party storage platform. They can also use the “Save copies of Org data” setting to prevent data being saved to the local device.