• François Peroux

How-To block download attachment in Outlook Web Access (OWA)

Updated: Jul 25, 2018


By default, OWA (Outlook Web Access) has been built to let users to access their emails from anywhere and any device - through a web browser.

In the era of BYOD (Bring Your Own Device), data can now be saved anywhere and become uncontrollable.

To keep company information in a controllable space, you can implement security measures and mitigation to avoid data leakage.

For this situation, Office365 Exchange Online proposes security control to restrict attachment download within OWA.

Use Cases

The best use cases are:

  • Restrict user to download any attachment from Outlook Web Access.

  • Another point is these users have to save the documents on your business OneDrive space only.

The restriction can be applied and targeted per user, this has to be scripted - see the Appendix for the script.

Note: to have a good security combination, use this restriction with:


The process to restrict attachment download in OWA is pretty simple.

1. Click on permissions.

2. Click on Outlook Web App policies.

A default policy is already created. You can create a new one (by clicking +) or editing the default (by clicking the pencil).

If you edit the default, all the person in the company will be affected. If you create a new OWA policy, you can assign it to the person you want to target.

  • In both case, to restrict download attachment, proceed as follows:

1. Under the policy of your choice, click on file access part.

2. Uncheck Direct file access (checked by default).

3. Click on Save.

After a while, the policy applies to the users (for default or targeted policy).

User Experience

As a user perspective, the restriction is going to be seen as follows:

  • On OWA, when the user is accessing attachment options, only Preview and Save to OneDrive are available.

  • When the use is previewing the file, download is restricted with an explicit message and option is grayed out.


By this simple restriction, you can avoid and control data leakage.

This security measure is not annoying for your users; they can save data in the company storage space (OneDrive/SharePoint).


To script and apply the new policy created also, to target the users of your choice, you can use the following script:

1. Create a CSV file with two information required for the script:

Identity (user's email address),Owa policy name

2. Save the CSV file under the root of your user folder (C:\Users\...).

3. Launch the following script:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

$OwaUsers = Import-Csv -Path .\OwaList.csv

ForEach($OwaUser in $OwaUsers)

{Set-CASMailbox -Identity $OwaUser.identity -owamailboxpolicy $OwaUser.owapolicy}





Security Consultant

  • Twitter Icône sociale