In this scenario

We will demonstrate how to block downloading files from Outlook on the web and only save them to OneDrive using -ConditionalAccessPolicy PowerShell parameter with set-OwaMailboxPolicy

Applied to online OneDrive and Sharepoint Online

The ConditionalAccessPolicy parameter specifies the Outlook on the Web Policy for limited access. For this feature to work properly, you also need to configure a Conditional Access policy in the Azure Active Directory Portal.

Note: When you enable a Conditional Access policy, users will no longer be able to access the light version of Outlook on the web. An error message will direct them to use the default premium experience.

Steps

• Connect to PowerShell online management shell for exchange
• Create new OWA mailbox policy
• Create a group for the required uses to block them from downloading
• Create conditional access policy in azure
• Create application enforced restrictions conditional access
• Test our policy from blocked user and unblocked user
• Confirm it is working fine
• Remove the policy
• Reference for all the links and commands

Connect to PowerShell online management shell for exchange

Install-Module -Name ExchangeOnlineManagement

#Installing the PowerShell module

Update-Module -Name ExchangeOnlineManagement

#Update to the latest Version

Connect-ExchangeOnline

# connect to exchange online

Get-OwaMailboxPolicy | Fl -Property ident*

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly Get-OwaMailboxPolicy | select-object ConditionalAccess* 

First get the OWA mailbox policy and check it is name:

Create new OWA mailbox policy

• ReadOnly: Users can't download attachments to their local computer and can't enable Offline Mode on non-compliant computers. They can still view attachments in the browser.

• ReadOnlyPlusAttachmentsBlocked: All restrictions from ReadOnly apply, but users can't view attachments in the browser.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ConditionalAccessPolicy ReadOnly

Then get the configuration

Get-OwaMailboxPolicy | select-object ConditionalAccess* 

Optional you can crate group to apply conditional access to or just apply it to all users

Crate conditional access policy now and choose the group you want

And choose office 365exhange online

Note: I have added sharepoint also cause I ll create the same restrictions for OneDrive in a later post

Use app enforced restriction

Testing

Now I sent to the user who isnt member of the blocked group in azure conditional access

He supposed to be able to download

Confirm it is working fine

If you want to remove the policy

Remove-OwaMailboxPolicy -Identity name

Reference for all the links and commands

Conditional Access in Outlook on the web for Exchange Online - Microsoft Tech Community

Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions | Modern Workplace Blog (vansurksum.com)

Set-OwaMailboxPolicy (ExchangePowerShell) | Microsoft Docs

Session controls in Conditional Access policy - Azure Active Directory | Microsoft Docs