Policy recommendations for securing email
This article describes how to implement the recommended Zero Trust identity and device access policies to protect organizational email and email clients that support modern authentication and conditional access. This guidance builds on the Common identity and device access policies and also includes a few additional recommendations.
These recommendations are based on three different tiers of security and protection that can be applied based on the granularity of your needs: starting point, enterprise, and specialized security. You can learn more about these security tiers and the recommended client operating systems in the recommended security policies and configurations introduction.
These recommendations require your users to use modern email clients, including Outlook for iOS and Android on mobile devices. Outlook for iOS and Android provide support for the best features of Microsoft 365. These mobile Outlook apps are also architected with security capabilities that support mobile use and work together with other Microsoft cloud security capabilities. For more information, see Outlook for iOS and Android FAQ.
Update common policies to include email
To protect email, the following diagram illustrates which policies to update from the common identity and device access policies.
Note that the addition of a new policy for Exchange Online to block ActiveSync clients. This policy forces the use of Outlook for iOS and Android on mobile devices.
If you included Exchange Online and Outlook in the scope of the policies when you set them up, you only need to create the new policy to block ActiveSync clients. Review the policies listed in the following table and either make the recommended additions, or confirm that these settings are already included. Each policy links to the associated configuration instructions in Common identity and device access policies.
Protection level | Policies | More information |
---|---|---|
Starting point | Require MFA when sign-in risk is medium or high | Include Exchange Online in the assignment of cloud apps |
Block clients that don't support modern authentication | Include Exchange Online in the assignment of cloud apps | |
Apply APP data protection policies | Be sure Outlook is included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows) | |
Require approved apps and APP protection | Include Exchange Online in the list of cloud apps | |
Block ActiveSync clients | Add this new policy | |
Enterprise | Require MFA when sign-in risk is low, medium or high | Include Exchange Online in the assignment of cloud apps |
Require compliant PCs and mobile devices | Include Exchange Online in the list of cloud apps | |
Specialized security | Always require MFA | Include Exchange Online in the assignment of cloud apps |
Block ActiveSync clients
Exchange ActiveSync can be used to synchronize messaging and calendaring data on desktop and mobile devices.
For mobile devices, the following clients are blocked based on the Conditional Access policy created in Require approved apps and APP protection:
- Exchange ActiveSync clients that use basic authentication.
- Exchange ActiveSync clients that support modern authentication, but don't support Intune app protection policies.
- Devices that support Intune app protection policies, but aren't defined in the policy.
To block Exchange ActiveSync connections using basic authentication on other types of devices (for example, PCs), follow the steps in Block Exchange ActiveSync on all devices.
Limit access to Exchange Online from Outlook on the web
You can restrict the ability for users to download attachments from Outlook on the web on unmanaged devices. Users on these devices can view and edit these files using Office Online without leaking and storing the files on the device. You can also block users from seeing attachments on an unmanaged device.
Here are the steps:
Every Microsoft 365 organization with Exchange Online mailboxes has a built-in Outlook on the web (formerly known as Outlook Web App or OWA) mailbox policy named OwaMailboxPolicy-Default. Admins can also create custom policies.
To see the available Outlook on the web mailbox policies, run the following command:
Get-OwaMailboxPolicy | Format-Table Name,ConditionalAccessPolicy
To allow viewing attachments but no downloading, run the following command on the affected policies:
Set-OwaMailboxPolicy -Identity "<PolicyName>" -ConditionalAccessPolicy ReadOnly
For example:
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnly
To block attachments, run the following command on the affected policies:
Set-OwaMailboxPolicy -Identity "<PolicyName>" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
For example:
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
In the Azure portal, create a new Conditional Access policy with these settings:
Assignments > Users and groups: Select appropriate users and groups to include and exclude.
Assignments > Cloud apps or actions > Cloud apps > Include > Select apps: Select Office 365 Exchange Online.
Access controls > Session: Select Use app enforced restrictions.
Require that iOS and Android devices must use Outlook
To ensure that iOS and Android devices can access work or school content using Outlook for iOS and Android only, you need a Conditional Access policy that targets those potential users.
See the steps to configure this policy in Manage messaging collaboration access by using Outlook for iOS and Android.
Set up message encryption
With Microsoft Purview Message Encryption, which uses the protection features in Azure Information Protection, your organization can easily share protected email with anyone on any device. Users can send and receive protected messages with other Microsoft 365 organizations as well as non-customers using Outlook.com, Gmail, and other email services.
For more information, see Set up Message Encryption.
Next steps
Configure Conditional Access policies for: