Administering Client Access Policies in Exchange Online: OWA, Mobile Devices, and Conditional Access
1. What are client access policies?
Client access policies control:
- Which clients users can use
  - Outlook desktop
  - Outlook on the web (OWA)
  - Mobile clients (iOS, Android via ActiveSync / modern auth)
- What features those clients have
  - Attachments, offline access, contact sync, etc.
You configure this in three main layers:
- Outlook on the web (OWA) mailbox policies
- Mobile device access + mobile device mailbox policies
- Entra Conditional Access policies
2. Outlook on the web (OWA) policies
What is Outlook on the web?
- Browser-based access to mailbox and settings.
- Former names: Outlook Web Access, Outlook Web App.
Default policy
- A default OWA policy exists: OWAMailboxPolicy-Default
- Controls things like:
  - Instant messaging
  - Text messaging
  - Unified messaging
  - Contacts access
  - Mobile/LinkedIn contact sync
  - Journaling
  - Weather, places, local events
  - Direct file access
  - Offline access
  - Attachment / file type handling
Where to manage
- Exchange admin center (EAC)
- PowerShell
Key PowerShell cmdlets
Create a new policy:
New-OwaMailboxPolicy -Name "Sales"
View policy:
Get-OwaMailboxPolicy -Identity "Sales"
View specific setting (example: allowed file types):
Get-OwaMailboxPolicy -Identity "Sales" |
Format-Table Name, AllowedFileTypes
Change settings (example: allowed file types):
Set-OwaMailboxPolicy -Identity "Sales" `
-AllowedFileTypes ".docx",".xlsx",".pdf"
Exam idea: OWA policy = controls what users can do in Outlook on the web (features, file types, offline, etc.), not mailbox size or transport rules.
3. Mobile device access
Mobile device access covers:
- Which device types / OS versions can connect via Exchange ActiveSync
- What to do with unknown or specific devices (allow, block, quarantine)
Access levels
- Allow: devices can sync.
- Block: devices cannot connect.
- Quarantine: device is held until an admin approves it.
Organization-level settings (ActiveSync)
Set default handling:
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Allow|Block|Quarantine `
    -AdminMailRecipients "admin@contoso.com"
(The parameter accepts Allow, Block or Quarantine; AdminMailRecipients receives the quarantine notifications.)
Device access rules
- Match on properties like DeviceOS (Android 5.0, Android 7.0, etc.).
- Can be created in:
  - Exchange admin center → Mobile → Mobile device access
  - PowerShell with New-ActiveSyncDeviceAccessRule
Example:
# The cmdlet has no -Name parameter; the rule is named from its
# QueryString and Characteristic, e.g. "Android 7.0 (DeviceOS)".
New-ActiveSyncDeviceAccessRule `
    -QueryString "Android 7.0" `
    -Characteristic DeviceOS `
    -AccessLevel Allow
View rules:
Get-ActiveSyncDeviceAccessRule |
Format-Table Name, QueryString, AccessLevel
Key concept:
- Device access rule decides whether a given OS/device is allowed, blocked, or quarantined for ActiveSync.
4. Mobile device mailbox policies
These policies define security and password requirements for mobile devices.
Scope
- Applied per user mailbox.
- You can have multiple policies for different user groups (e.g. default, Contoso Policy, Sales Policy).
Typical settings
- Allow devices that don't fully support policies to sync (yes/no)
- Require password
- Allow simple passwords (e.g. 1111)
- Require alphanumeric password
- Require device encryption
- Minimum password length
- Number of failed attempts before wipe
- Idle time before re-entering password
- Password lifetime (days)
- Password recycle count
Where to manage
- Exchange admin center
  - Recipients → Mailboxes → Mobile Device Mailbox Policy
- PowerShell
Create new policy:
New-MobileDeviceMailboxPolicy `
-Name "Contoso Sales Policy" `
-PasswordEnabled $true `
-AlphanumericPasswordRequired $true `
-MinPasswordLength 8 `
-PasswordRecoveryEnabled $true `
-RequireDeviceEncryption $true `
-AttachmentsEnabled $false `
-AllowStorageCard $false
Modify policy:
Set-MobileDeviceMailboxPolicy `
-Identity "Contoso Sales Policy" `
-MaxInactivityTimeDeviceLock 00:05:00
List policies:
Get-MobileDeviceMailboxPolicy |
Format-Table Name, IsDefault
Assign policy to a user (example):
Set-CASMailbox -Identity "Alex Wilber" `
-ActiveSyncMailboxPolicy "Contoso Sales Policy"
In the EAC or M365 admin center, you can also see:
- Alex's mobile device policy
- Which email apps are allowed / blocked
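An added review script for sections 3 and 4 (not part of the original notes): it checks the org-wide ActiveSync default, lists the device access rules and quarantined devices, and finds members of a "Sales" group (assumed group name) whose mailbox is not on "Contoso Sales Policy". It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example, not from the original notes. Assumes Connect-ExchangeOnline
# has already been run and that the "Sales" distribution group (assumed name)
# should carry the "Contoso Sales Policy" mobile device mailbox policy.
$expectedPolicy = 'Contoso Sales Policy'
$salesGroup     = 'Sales'

# 1. Org default: a device matching no rule should be quarantined, not allowed.
$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -ne 'Quarantine') {
    Write-Warning "DefaultAccessLevel is '$($org.DefaultAccessLevel)': unmatched devices are not quarantined."
}

# 2. Device access rules, Allow rules first, so an overly broad Allow stands out.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object AccessLevel |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 3. Devices waiting in quarantine, with the reason Exchange recorded.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceModel,
                  DeviceAccessStateReason, FirstSyncTime |
    Format-Table -AutoSize

# 4. Sales mailboxes not on the intended mailbox policy. The assignment is a
#    dry run (-WhatIf); drop -WhatIf to actually apply the policy.
foreach ($member in Get-DistributionGroupMember -Identity $salesGroup -ResultSize Unlimited) {
    $cas = Get-CASMailbox -Identity $member.PrimarySmtpAddress.ToString() -ErrorAction SilentlyContinue
    if (-not $cas) { continue }   # skip members that are not mailboxes (contacts, etc.)
    $current = "$($cas.ActiveSyncMailboxPolicy)"   # string form of the policy reference
    if ($current -ne $expectedPolicy) {
        Write-Output "$($cas.Name): ActiveSync policy is '$current', expected '$expectedPolicy'"
        Set-CASMailbox -Identity $cas.Identity -ActiveSyncMailboxPolicy $expectedPolicy -WhatIf
    }
}
```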
5. Conditional access for client access
Entra Conditional Access adds another control layer on top of Exchange:
You can target:
- Users / groups / roles
- Cloud apps (e.g. Office 365 Exchange Online)
- Conditions:
  - Device platforms (iOS, Android, Windows, macOS)
  - Client apps:
    - Browser
    - Mobile apps & desktop clients (modern auth)
    - Exchange ActiveSync clients
    - "Other" legacy clients
  - Locations, sign-in risk, device state, etc.
Example scenario (from demo)
Policy: Restrict client types for Exchange
- Users: Only Alex Wilber
- Cloud app: Office Exchange Online
- Condition → Device platforms: Android
- Grant: Block access
Result:
If Alex signs in to Exchange from an Android device, access is blocked.
Another example: block legacy auth clients:
- Condition → Client apps:
  - Exclude modern auth apps
  - Include Exchange ActiveSync and Other clients
- Grant → Block
Or allow but require extra controls:
- Grant → Allow, with one or more of:
  - Require MFA
  - Require compliant device
  - Require Hybrid Azure AD joined device, etc.
Important warnings
- CA policies can lock you out if misconfigured.
- Avoid using All users + All cloud apps with harsh controls until tested.
- Often recommended to:
  - Start with a pilot group.
  - Have break-glass accounts excluded from CA.
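The "block legacy auth clients" policy above, built the way the warnings suggest: scoped to a pilot group, break-glass group excluded, and created in report-only state so it is evaluated in the sign-in logs before it enforces anything. This is an added Microsoft Graph PowerShell example, not code from the original notes; the two group object IDs are placeholders, and it assumes the Microsoft.Graph module is installed.

```powershell
# Added example, not from the original notes. Assumes the Microsoft.Graph
# module and a caller who can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$pilotGroupId      = '<PILOT-GROUP-OBJECT-ID>'        # placeholder: pilot users
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'  # placeholder: emergency access accounts
$exchangeOnline    = '00000002-0000-0ff1-ce00-000000000000'  # well-known Office 365 Exchange Online app id

$policy = @{
    displayName = 'Block legacy auth to Exchange Online (pilot, report-only)'
    # Report-only: evaluated and logged for every sign-in, but never enforced,
    # so a mistake here cannot lock anyone out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)        # pilot group, not "All users"
            excludeGroups = @($breakGlassGroupId)   # break-glass accounts always excluded
        }
        applications = @{ includeApplications = @($exchangeOnline) }
        # Only the legacy client types; browser and modern-auth app sign-ins are untouched.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List DisplayName, State, Id

# Once the report-only results in the sign-in logs look right, switch it on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```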
6. Putting it all together
Think in layers:
- OWA policies
  - What users can do in Outlook on the web (file types, offline, features).
- Mobile device access + mobile device mailbox policies
  - Which devices/OSes are allowed to connect with ActiveSync.
  - Security requirements (password, encryption, wipe on failures).
- Entra Conditional Access
  - High-level rules based on user, device platform, client app, location, compliance, etc.
  - Can block or allow with conditions for Exchange Online and other apps.
