How to Prevent Data Leaks: Controlling Windows Apps Email Access with Microsoft Intune
Data leaks don’t always come from hackers — sometimes, they start with a simple app request. Many Windows apps can access user emails if not properly restricted.
Microsoft Intune offers a built-in solution for this through the “Let Apps Access Email” policy, which lets IT admins block or allow email access on managed Windows devices.
What This Policy Does
The Let Apps Access Email policy determines whether Universal Windows Platform (UWP) apps or other Windows applications can access user email data.
You can set a default rule for all apps or make exceptions for trusted apps using their Package Family Names (PFNs).
Key benefits:
- Stronger security: Stop unapproved apps from reading or sending corporate emails.
- Compliance control: Ensure only authorized clients handle work data.
- Lower risk: Reduce accidental data exposure through personal or consumer apps.
- Balance: Keep users productive without compromising security.
Real-World Scenarios
🔒 Scenario 1 – Blocking Consumer Apps
You configure the policy to Force Deny all apps.
A user installs a third-party “Mail Organizer” from the Microsoft Store — it’s blocked from accessing the company’s email, even if the user tries to allow it manually.
✅ Scenario 2 – Allowing Trusted Tools
Your help desk system uses a secure app that reads support emails to create tickets.
You whitelist it by adding its Package Family Name (PFN) and apply a Force Allow rule only for that app.
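Before an exception like this can be added, you need the app's exact Package Family Name. The following PowerShell snippet is an added example, not part of the original article or of any Microsoft tooling; it looks up installed packages on the device where the help-desk client is installed. The search term `*HelpDesk*` is a constructed placeholder for whatever the real app is called.

```powershell
# Added example (not from the original article): find the Package Family Name (PFN) of an
# installed app so it can be listed as a Force Allow exception.
# Assumption: the app's package name contains the constructed search term used below.

function Find-AppPfn {
    param(
        [Parameter(Mandatory)] [string] $NamePattern
    )
    # -AllUsers needs an elevated session; drop it to search only the current user's apps.
    Get-AppxPackage -AllUsers -Name $NamePattern |
        Select-Object Name, PackageFamilyName, Publisher, Version, SignatureKind
}

# Constructed search term standing in for the help-desk mail client from Scenario 2.
Find-AppPfn -NamePattern '*HelpDesk*' | Format-Table -AutoSize
```

The `PackageFamilyName` column (the `Name_PublisherHash` form) is the value to record as the exception. `SignatureKind` tells you whether the package is Store-, Enterprise- or Developer-signed, which is useful input when vetting whether an exception is justified.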
Step-by-Step Configuration Guide
Step 1 – Open the Intune Admin Center
- Go to Microsoft Intune Admin Center.
- Navigate to Devices → Windows → Configuration → Create → New policy.
Step 2 – Create a Policy Profile
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click Create
Step 3 – Name the Policy
- Name: Block Apps Email Access Policy
- Optional description: Prevents unauthorized apps from accessing corporate emails
- Click Next
Step 4 – Configure Settings
- Click + Add settings
- Search for Privacy
- Choose Let Apps Access Email
- Add it to the policy and close the picker
Step 5 – Choose Your Setting
| Setting | Description |
|---|---|
| User is in control | Users decide via Settings → Privacy |
| Force Allow | All apps can access email (cannot be changed by users) |
| Force Deny | Blocks all apps from accessing email (cannot be changed) |
| Don’t configure | Uses Windows default behavior |
Most organizations start with Force Deny to protect data, then allow exceptions as needed.
Step 6 – Assign and Deploy
- Under Assignments, choose target user or device groups.
- Click Next → Review + Create → Create.
Monitoring Policy Deployment
Check in Intune
- Navigate to Devices → Configuration profiles.
- Find your policy and review Device Status and User Status — it should show Succeeded.
Verify on Windows Client
- Open Event Viewer.
- Go to Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin.
- Look for Event ID 813 (policy applied successfully).
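The same client-side check can be scripted, which helps when verifying a pilot group rather than a single machine. The snippet below is an added example, not code from the original article; it reads the configured value from the registry key listed under Technical Details and pulls the matching Event ID 813 entries. It assumes the DWORD value name `LetAppsAccessEmail` under that key (the value the matching Group Policy setting writes) and the log name `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin`; run it in an elevated PowerShell session on the managed device.

```powershell
# Added example (not from the original article): verify LetAppsAccessEmail on a Windows client.
# Assumptions: the DWORD value name 'LetAppsAccessEmail' under the AppPrivacy policy key,
# and the 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' log name.
# Run in an elevated PowerShell session on the managed device.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$ValueName = 'LetAppsAccessEmail'
$Meaning   = @{ 0 = 'User is in control'; 1 = 'Force Allow'; 2 = 'Force Deny' }

function Get-LetAppsAccessEmailState {
    # Returns the configured policy value from the registry, or $null if not configured.
    $props = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Get-PolicyAppliedEvents {
    # Returns Event ID 813 entries whose message mentions this policy (most recent first).
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 813
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ValueName } |
        Select-Object TimeCreated, Message
}

$state = Get-LetAppsAccessEmailState
if ($null -eq $state) {
    Write-Output "LetAppsAccessEmail is not configured by policy on this device (Windows default applies)."
} else {
    $label = if ($Meaning.ContainsKey($state)) { $Meaning[$state] } else { "unknown ($state)" }
    Write-Output "LetAppsAccessEmail = $state ($label)"
    if ($state -ne 2) {
        Write-Warning "Expected Force Deny (2) for the baseline; check assignments and exceptions."
    }
}

$events = Get-PolicyAppliedEvents
if ($events) {
    Write-Output "Event ID 813 entries for this policy:"
    $events | Select-Object -First 5 | Format-Table -AutoSize -Wrap
} else {
    Write-Warning "No Event ID 813 entries mention $ValueName; sync the device (Settings > Accounts > Access work or school) and re-check."
}
```

A device that shows Succeeded in Intune but has no registry value and no 813 event usually has not synced yet or is not in an assigned group; the script separates those two signals so you can tell which.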
Advanced Configuration
Using Custom OMA-URI
If you prefer a custom CSP approach:
- OMA-URI Path: ./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail
- Values: 0 = User in control, 1 = Force allow, 2 = Force deny
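The custom OMA-URI profile can also be created programmatically, which makes the Force Deny baseline and the Scenario 2 exception reproducible across tenants. The script below is an added example, not code from the original article or from Microsoft; it calls the Microsoft Graph `deviceConfigurations` endpoint through the Microsoft.Graph PowerShell module. It assumes the module is installed, that the signed-in account holds `DeviceManagementConfiguration.ReadWrite.All`, that the per-app exception node `LetAppsAccessEmail_ForceAllowTheseApps` (a Policy CSP companion setting the article does not mention; verify it against the Policy CSP reference before relying on it) takes a semicolon-separated list of PFNs, and that the PFN and pilot group ID are constructed placeholders.

```powershell
# Added example (not from the original article): create the custom OMA-URI profile via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; account has DeviceManagementConfiguration.ReadWrite.All;
# the PFN and group ID below are constructed placeholders; the _ForceAllowTheseApps companion
# node is the Policy CSP setting for per-app exceptions (verify against the Policy CSP reference).

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$baseUri = './Device/Vendor/MSFT/Policy/Config/Privacy'

# Constructed placeholder PFN for the vetted help-desk client from Scenario 2.
$trustedPfn   = 'Contoso.HelpDeskMail_00000000000000'
# Constructed placeholder object ID of the pilot device group.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'

$profile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Block Apps Email Access Policy (OMA-URI)'
    description   = 'Force Deny by default; allow only vetted PFNs'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'LetAppsAccessEmail'
            description   = '0 = User in control, 1 = Force allow, 2 = Force deny'
            omaUri        = "$baseUri/LetAppsAccessEmail"
            value         = 2
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'LetAppsAccessEmail_ForceAllowTheseApps'
            description   = 'Semicolon-separated PFNs exempted from the deny default'
            omaUri        = "$baseUri/LetAppsAccessEmail_ForceAllowTheseApps"
            value         = $trustedPfn
        }
    )
}

# Create the profile.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profile | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Output "Created profile '$($created.displayName)' with id $($created.id)"

# Assign it to the pilot group only (Step 6 / pilot-first best practice).
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $pilotGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Output "Assigned profile $($created.id) to group $pilotGroupId"
```

Keeping the deny default and the allow list in one profile means the exception cannot be deployed without the baseline, which is the ordering the Best Practices section argues for.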
Group Policy Equivalent
You can apply the same configuration through Group Policy:
Path: Computer Configuration → Windows Components → App Privacy → Let Windows apps access email
Managing and Removing the Policy
To Remove Group Assignments
- Open your policy in Intune.
- Edit the Assignments tab.
- Remove selected groups.
To Delete the Policy
- Go to Devices → Configuration.
- Select the policy.
- Click Delete.
Technical Details
| Item | Details |
|---|---|
| Supported platforms | Windows 10 version 1607 (10.0.14393) and later |
| CSP Path | ./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail |
| Registry Key | Software\Policies\Microsoft\Windows\AppPrivacy |
| Data Type | String (chr) |
| Access Type | Add, Delete, Get, Replace |
Best Practices
- Start with Force Deny for maximum data protection.
- Whitelist apps only after proper security vetting.
- Document exceptions with business justification.
- Pilot first before a full rollout.
- Review logs and reports regularly to ensure compliance.
Conclusion
With Intune’s Let Apps Access Email policy, you gain precise control over which apps can interact with corporate email data. This prevents unauthorized access and data leaks without affecting legitimate workflows.
Security shouldn’t sacrifice productivity — test, refine, and deploy with care to achieve the right balance.