Step-1

Connect to Exchange Online using PowerShell. This script is for MFA-enabled admin users.


#Import the module. This requires that you are an administrator and are allowed to run scripts. The path below is where the Exchange Online MFA module installs (straight quotes matter: curly quotes break PowerShell).

Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1)

#Connect, specifying the username. If you have already authenticated to another module, you do not have to authenticate again.

Connect-EXOPSSession -UserPrincipalName Khalid@Microtechx.io

#Setting this makes the re-authentication that happens after 1 hour reuse the existing token, so you do not have to type your password again.

$global:UserPrincipalName="Khalid@Microtechx.io"


Script Link

Step-2

Check your organization-wide OWA mailbox policy:

Get-OwaMailboxPolicy

The output looks like this; by default it is Off:

ConditionalAccessPolicy                             : Off

ConditionalAccessFeatures                           : {}

Step-3

Now check the identity of your OWAMailboxPolicy:

Get-OwaMailboxPolicy | Select Identity


Identity

——–

OwaMailboxPolicy-Default

Step-4

Now configure the OWAMailboxPolicy with Conditional Access read-only mode (the other valid values are Off and ReadOnlyPlusAttachmentsBlocked, which hides attachments entirely):

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly


This is the output after the change:

ConditionalAccessPolicy                             : ReadOnly

ConditionalAccessFeatures                           : {Offline, AttachmentDirectFileAccessOnPrivateComputersEnabled, AttachmentDirectFileAccessOnPublicComputersEnabled, AttachmentPrintWithoutDownload}
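Steps 1 to 4 as one script, added here as an example and not part of the original post. It audits every OWA mailbox policy in the tenant (not only OwaMailboxPolicy-Default), applies the requested mode only where it is not already set, and verifies the result. It assumes an Exchange Online session already exists, opened either with Connect-EXOPSSession as in Step-1 or with Connect-ExchangeOnline from the newer ExchangeOnlineManagement module, which exposes the same cmdlets. The parameter name $Mode and the messages are my own; run with -WhatIf first to see what would change.

```powershell
# Added example: audit and enforce the Conditional Access mode on all OWA mailbox
# policies. Assumes an existing Exchange Online PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Target mode. ReadOnlyPlusAttachmentsBlocked removes the Preview option too.
    [ValidateSet('ReadOnly', 'ReadOnlyPlusAttachmentsBlocked')]
    [string]$Mode = 'ReadOnly'
)

# Fail early if there is no session: the cmdlet only exists after the
# Exchange Online cmdlets have been imported into this session.
if (-not (Get-Command Get-OwaMailboxPolicy -ErrorAction SilentlyContinue)) {
    throw 'No Exchange Online session. Run Connect-EXOPSSession (Step-1) first.'
}

# Step-2/3: record the current state of every policy, not just the default one.
$before = Get-OwaMailboxPolicy | Select-Object Identity, ConditionalAccessPolicy
Write-Host 'Current state:'
$before | Format-Table -AutoSize | Out-String | Write-Host

# Step-4: apply the mode where it differs. ShouldProcess honours -WhatIf/-Confirm.
foreach ($policy in $before) {
    if ($policy.ConditionalAccessPolicy -eq $Mode) {
        Write-Host "$($policy.Identity): already $Mode, skipping"
        continue
    }
    if ($PSCmdlet.ShouldProcess($policy.Identity, "Set ConditionalAccessPolicy to $Mode")) {
        Set-OwaMailboxPolicy -Identity $policy.Identity -ConditionalAccessPolicy $Mode
    }
}

# Verify: read the policies back and report anything still not in the requested mode.
if (-not $WhatIfPreference) {
    $remaining = Get-OwaMailboxPolicy | Where-Object { $_.ConditionalAccessPolicy -ne $Mode }
    if ($remaining) {
        Write-Warning "Policies still not in $Mode mode:"
        $remaining | Select-Object Identity, ConditionalAccessPolicy | Format-Table -AutoSize
    } else {
        Write-Host "All OWA mailbox policies now enforce $Mode."
    }
}
```

Setting the mode on the mailbox policy alone changes nothing for users: the restriction is only applied to a session when the Azure AD Conditional Access policy in the next step sends the "app enforced restrictions" signal to Exchange Online.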

Now configure the Conditional Access policy in Azure AD (Azure AD Premium P1 is required for Conditional Access). The policy targets Exchange Online for the users and unmanaged devices you want to restrict and uses the session control "Use app enforced restrictions"; that session control is what tells Exchange Online to apply the ReadOnly mode set on the OWA mailbox policy above.
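The same policy created with Microsoft Graph PowerShell instead of the portal, added here as an example and not part of the original post (the original configured it in the Azure AD portal; the screenshots are not reproduced). It assumes the Microsoft.Graph module is installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess. The display name, the "All users" scope and the device filter rule that defines "unmanaged" are my assumptions; the policy is created in report-only state so it can be checked against sign-in logs before it is enforced.

```powershell
# Added example: create the Conditional Access policy that triggers OWA ReadOnly
# mode via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known application ID of Office 365 Exchange Online.
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'OWA read-only on unmanaged devices'   # assumed name
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after validation
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Put break-glass admin accounts here so they are never restricted.
            excludeUsers = @()
        }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @('browser')   # OWA is a browser client
        # Assumed definition of "unmanaged": neither Intune-compliant nor
        # hybrid Azure AD joined. Adjust the rule to the tenant's own definition.
        devices = @{
            deviceFilter = @{
                mode = 'include'
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    # No grant control: sign-in is allowed, but the session is restricted.
    # applicationEnforcedRestrictions is the "Use app enforced restrictions"
    # session control that makes Exchange Online apply the OWA mailbox policy mode.
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Check the Conditional Access report-only results in the sign-in logs for a test user such as alexw from an unmanaged browser, and only then switch the state to enabled. Leaving the device filter out would make OWA read-only for every browser session, including managed devices.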


This is the end user's experience (user alexw): for an attachment there are only two options, Preview or Save to OneDrive for Business, which is a fully compliant storage location controlled by the organization's IT team. Download to the local device is not offered.


So the organization lets users keep working from unmanaged devices, but in a restricted mode that keeps mail data off those devices.


Stay tuned for more...