Del via

Policy recommendations for securing email

  • Artikkel

This article describes how to protect cloud email and email clients by implementing the recommended Zero Trust identity and device access policies. This protection requires email clients and devices that support modern authentication and Conditional Access. This guidance builds on the Common identity and device access policies and also includes additional recommendations.

These recommendations are based on three different tiers of security and protection that can be applied based on the granularity of your needs: starting point, enterprise, and specialized security. You can learn more about these security tiers and the recommended client operating systems in the recommended security policies and configurations introduction.

These recommendations require using modern email clients on mobile devices. Outlook for iOS and Android supports the best features of Microsoft 365. The security capabilities in Outlook for iOS and Android support mobile use and work together with other Microsoft cloud security features. For more information, see Outlook for iOS and Android FAQ.

Update common policies to include email

To protect email, the following diagram illustrates which policies to update from the common identity and device access policies.

Diagram that shows the summary of policy updates for protecting access to Microsoft Exchange.

Notice the addition of a new policy for Exchange Online to block ActiveSync clients. This policy forces the use of Outlook for iOS and Android on mobile devices.

If you included Exchange Online and Outlook in the scope of the policies when you set them up, you only need to create the new policy to block ActiveSync clients. Review the policies listed in the following table and make the recommended additions for email or confirm that these settings are already included. Each policy links to the associated configuration instructions in Common identity and device access policies.

Protection level Policies More information
Starting point Require MFA when sign-in risk is medium or high Include Exchange Online in the assignment of cloud apps.
Block clients that don't support modern authentication Include Exchange Online in the assignment of cloud apps.
Apply APP data protection policies Be sure Outlook is included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows).
Require approved apps or app protection policies Include Exchange Online in the list of cloud apps.
[Block ActiveSync clients](Block Exchange ActiveSync clients) Add this new policy.
Enterprise Require MFA when sign-in risk is low, medium, or high Include Exchange Online in the assignment of cloud apps.
Require compliant PCs and mobile devices Include Exchange Online in the list of cloud apps.
Specialized security Always require MFA Include Exchange Online in the assignment of cloud apps.

Block Exchange ActiveSync clients

ActiveSync is used to synchronize email and calendar data on desktop and mobile devices.

For mobile devices, the following clients are blocked based on the Conditional Access policy created in Require approved apps or app protection policies:

  • Exchange ActiveSync clients that use basic authentication.
  • Exchange ActiveSync clients that support modern authentication, but not Intune app protection policies.
  • Devices that support Intune app protection policies but aren't defined in the policy.

To block ActiveSync connections that use basic authentication on other types of devices (for example, PCs), follow the steps in Block Exchange ActiveSync on all devices.

Limit access to email attachments in Outlook on the web and the new Outlook for Windows

You can restrict users on unmanaged devices from downloading email attachments in Outlook on the web (formerly known as Outlook Web App or OWA) and in the new Outlook for Windows. Users can view and edit these files using Office Online without leaking and storing the files on the device. You can also block users from even seeing attachments in Outlook on the web and the new Outlook for Windows on unmanaged devices.

You enforce these restrictions using Outlook on the web mailbox policies in Exchange Online. Every Microsoft 365 organization with Exchange Online mailboxes has a built-in Outlook on the web mailbox policy named OwaMailboxPolicy-Default. By default, this policy is applied to all users. Admins can also create custom policies that apply to specific groups of users.

Here are the steps to limit access to email attachments:

  1. Connect to Exchange Online PowerShell.

  2. To see the available Outlook on the web mailbox policies, run the following command:

    Get-OwaMailboxPolicy | Format-Table Name,ConditionalAccessPolicy

  3. To allow viewing but not downloading attachments, replace <PolicyName> with the name of the affected policy, and then run the following command:

    Set-OwaMailboxPolicy -Identity "<PolicyName>" -ConditionalAccessPolicy ReadOnly

    For example:

    Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly

  4. To block viewing attachments, replace <PolicyName> with the name of the affected policy, and then run the following command:

    Set-OwaMailboxPolicy -Identity "<PolicyName>" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

    For example:

    Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

  5. On the Conditional Access | Overview page in the Microsoft Entra portal at https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview, create a new Conditional Access policy with the following settings:

    • Assignments section:

      • Users: Select appropriate users and groups to include and exclude on the Include and Exclude tabs.
      • Target resources: Select what this policy applies to > Resources (formerly cloud apps) > Include tab > Select resources > Select > find and select Office 365 Exchange Online.

    • Access controls section: Session > select Use app enforced restrictions.

    • Enable policy section: Select On.

Require Outlook for iOS and Android on mobile devices

To require Outlook for iOS and Android for access to company data, you need a Conditional Access policy that targets those potential users.

Follow the steps to configure this policy in Manage messaging collaboration access by using Outlook for iOS and Android.

Set up message encryption

With Microsoft Purview Message Encryption, which uses protection features in Azure Information Protection, your organization can easily share protected email with anyone on any device. Users can send and receive protected messages with other organizations that use Microsoft 365, Outlook.com, Gmail, and other email services.

For more information, see Set up Message Encryption.

Next steps

Screenshot of the policies for Microsoft 365 cloud apps.

Configure Conditional Access policies for: