Exciting additions to Office 365: OWA, Mail, and Outlook updates
Noteworthy new mail experiences in Office 365
With the continuous release model used in Office 365, it can be challenging to keep up with all updates Microsoft pushes to production or previews. Even though we still get “big bang” releases such as Office 2019 or the new OWA experience, it is common for features that can have a great impact on productivity or security to be released with just a brief mention in the patch notes or a blog post. In this article, we will take a look at a few recent email-related features that might have slipped under your radar but definitely deserve your attention.
OWA: limiting access to attachments
Large organizations often have issues with the “accessible from anywhere, at any time” nature of Office 365, and being able to impose different restrictions based on, say, the network location of the user or the device they are using is a common request. SharePoint Online introduced the “Limited access” feature a while back, leveraging the Conditional Access engine of Azure AD. Now, Exchange Online follows suit by becoming the second “cloud application” that supports the Conditional Access session restrictions control. The feature, referred to as Limited access for OWA, allows you to control how users work with attachments in both the new and old OWA experiences.
Unlike the ‘Limited access’ feature in SharePoint Online, where all the setup can be performed directly from the SharePoint Online Admin Center, you will have to manually create a Conditional Access policy in the Azure Portal in order to use this feature. To do this, you need to navigate to the Conditional Access blade, create a new policy and name it appropriately, then configure any conditions as necessary. Make sure to select Exchange Online under the Cloud apps condition, and to toggle the Use app enforced restrictions control. All the other settings can be set or ignored, depending on the type of policy you want to configure, and if needed you can create multiple policies.
Once a suitable policy has been created, you will need to perform some additional configuration on the Exchange Online side. Namely, you will have to create a new OWA Mailbox Policy and toggle the ConditionalAccessPolicy flag, then assign the said policy to each user you want to apply the restrictions to. The values you can use for the ConditionalAccessPolicy parameter are:
- Off: This means that no restrictions are being applied, even if a suitable Conditional Access policy is configured in the Azure AD portal.
- ReadOnly: This means that attachments can only be viewed in the confines of Office Online. No editing, printing or downloading will be allowed. In addition, the user will be unable to toggle Offline mode.
- ReadOnlyPlusAttachmentsBlocked: This is the most restrictive option, restricting even ‘View-only’ access to attachments in OWA.
In the example below, we have opted to configure the most restrictive option. Note that the ConditionalAccessFeatures attribute is not configurable; instead, it gets its values based on the value you configure for ConditionalAccessPolicy, with each of the entries signifying a particular feature being disabled (such as Offline access or Printing).
Once the new OWA Mailbox policy has been created and configured, you will, of course, need to assign it to users via the Set-CasMailbox cmdlet. And if needed, you can also configure this on the default policy, so that it applies to all users.
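The Exchange Online side of the setup described above, written out as an added example (not the article's own commands). It assumes an already connected Exchange Online PowerShell session and an existing Conditional Access policy with “Use app enforced restrictions” enabled; the policy name and mailbox address are hypothetical placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline (or an equivalent remote session)
# has already been run. Names below are placeholders, not values from the article.
$policyName = 'OWA-LimitedAccess'        # hypothetical policy name
$mailbox    = 'user@contoso.example'     # hypothetical mailbox

# Create the policy only if it is missing, so the script can be re-run safely.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Most restrictive value: attachments cannot even be viewed in OWA.
Set-OwaMailboxPolicy -Identity $policyName `
    -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked

# ConditionalAccessFeatures is read-only and derived from the value set above;
# display it to confirm which features ended up disabled.
Get-OwaMailboxPolicy -Identity $policyName |
    Format-List Name, ConditionalAccessPolicy, ConditionalAccessFeatures

# Assign the policy to one mailbox and confirm the assignment.
Set-CASMailbox -Identity $mailbox -OwaMailboxPolicy $policyName
Get-CASMailbox -Identity $mailbox | Format-List Name, OwaMailboxPolicy

# Coverage check: list mailboxes that are NOT under the restricted policy,
# i.e. users for whom the Conditional Access session control has no effect in OWA.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -ne $policyName } |
    Select-Object Name, PrimarySmtpAddress, OwaMailboxPolicy
```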
Here’s how the limited access experience will look for any user under the effect of the policy. Since we used the most restrictive option, access to attachments is completely disabled and the user will not be able to perform any action on them (Note the lack of Download or Save to OneDrive links, as well as the lack of dropdown menu). This applies to both the new OWA experience (top) and the old one (bottom):
While the policy certainly does what it is meant to, the information displayed in the info tip on top of the message leaves something to be desired. It would be nice if it correctly represented the controls configured in the policy, which in my scenario most definitely do not include any requirements for domain-joined devices. Hopefully, this will be addressed in the future.
Lastly, it’s important to understand that while the policy prevents users from opening attachments, it does not stop them from composing new messages and attaching files, either directly or by using the “cloudy attachments” functionality. Luckily, there is another new feature that helps us address this scenario. Namely, a few new parameters of the Set-OWAMailboxPolicy cmdlet have been introduced, which we can use to block users from attaching files from different sources. The available parameters include:
- OneDriveAttachmentsEnabled: This controls attaching files directly from OneDrive for Business. The default value is True.
- ClassicAttachmentsEnabled: This controls attaching files from the local device. The default value is True.
- ReferenceAttachmentsEnabled: This controls the use of “cloudy attachments” or the “send as a link to file” functionality. The default value is True.
- ThirdPartyFileProvidersEnabled: This controls attachments from third-party services, such as Box, DropBox and so on. The default value is False.
- SaveAttachmentsToCloudEnabled: This controls saving an attachment directly to OneDrive for Business. The default value is True.
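An added example (not from the article) that turns off all five attachment sources listed above on one policy and then reports, for every OWA Mailbox Policy in the tenant, which of them are still enabled. It assumes a connected Exchange Online PowerShell session; the policy name is a hypothetical placeholder.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is connected.
$policyName = 'OWA-LimitedAccess'   # hypothetical policy name

# The five parameters described in the list above, all switched off.
$attachSettings = @{
    ClassicAttachmentsEnabled      = $false   # files from the local device
    OneDriveAttachmentsEnabled     = $false   # files from OneDrive for Business
    ReferenceAttachmentsEnabled    = $false   # "cloudy" / send-as-link attachments
    ThirdPartyFileProvidersEnabled = $false   # Box, DropBox and similar services
    SaveAttachmentsToCloudEnabled  = $false   # saving attachments to OneDrive
}
Set-OwaMailboxPolicy -Identity $policyName @attachSettings

# Audit: for each policy, list the attachment sources that remain enabled.
# An empty StillEnabled column means nothing can be attached or saved via OWA.
$flags = $attachSettings.Keys | Sort-Object
Get-OwaMailboxPolicy | ForEach-Object {
    $policy  = $_
    $enabled = foreach ($flag in $flags) {
        if ($policy.$flag) { $flag }
    }
    [pscustomobject]@{
        Policy                  = $policy.Name
        IsDefault               = $policy.IsDefault
        ConditionalAccessPolicy = $policy.ConditionalAccessPolicy
        StillEnabled            = $enabled -join ', '
    }
} | Format-Table -AutoSize -Wrap
```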
There are some minor UI issues with this feature. For example, the old OWA experience actually allows you to go through all the steps of the “attach file” process and only throws an error at the end. In contrast, in the new OWA experience the Attach button will be completely disabled, as shown in the screenshot below:
Overall the feature works as expected and will prevent your users from being able to send files via OWA, as long as an appropriate OWA Mailbox policy is assigned to their mailbox. Combined with the Limited Access feature we described above, we now have much greater control over file access in OWA, and Microsoft has promised to continue building new experiences around Conditional Access for Exchange Online. In addition, Microsoft’s continued investment in the Cloud App Security suite makes it possible to enable even more interesting scenarios, such as the ones described by Mike a few days back on the Practical 365 blog.
Outlook: Move messages asynchronously
The desktop Outlook application has received one of the best feature updates we’ve seen in many years – item copy/move operations are now performed asynchronously! This means Outlook will no longer “lock up” during the move by displaying a modal dialog that prevents you from performing any other actions until the operation is complete. Instead, items are now moved in the background and you can happily continue your work with the client in the meantime.
In addition, a new “Message Manage Progress” dialog has been introduced, closely resembling the “Send/Receive Progress” dialog. The dialog can be opened by clicking the “Processing…” item on the status bar, however, it only seems to appear when you move messages between mailboxes (or from your main mailbox to the archive). The screenshot directly below illustrates the old dialog and new behavior is shown in the screenshot below that one:
This new behavior is available from version 1811 (Build 11029.20079) onwards and should be available for those of you on the semi-annual channel next month.
Another new addition is the updated “Add account” dialog, which is easier on the eyes compared to the previous iteration. The new dialog features a “reusability” design, allowing you to add multiple mailboxes in succession if needed. Here are some screenshots:
Automatically dismiss calendar reminders for past events
Another minor but very welcome addition enables you to automatically dismiss Calendar reminders for any past events. No more having to go through a gazillion notifications after you are back from vacation! You can find the relevant setting under File -> Options -> Advanced -> Reminders -> Automatically dismiss reminders for past events.
Outlook mobile: Open Shared Calendar
The mobile Outlook client has received a horde of updates recently, including one that has been a common ask for years – the ability to open a Shared calendar. This functionality leverages the new sharing model in Office 365 and will work for any calendar on which you have direct or indirect (Full Access) permissions granted. The steps to open the calendar are illustrated below:
1. Click the Calendar button in the top-left corner.
2. Select ‘Add a shared calendar’.
3. Find the calendar you want to add.
4. As you can see, it will be added to the view, and you will be able to open it from here.
Although in some cases there might be a slight delay between adding the Shared calendar and the initial sync of events, overall the feature works like a charm and will surely be appreciated by Office 365 users. No love for Exchange on-premises users though!
Another interesting new feature that’s coming to an Outlook app near you is External MailTips. Similar to the MailTips you can enable on the Outlook desktop client, the mobile app will also notify you with a yellow bar on top of the message that the audience of the message you are currently composing includes people external to the organization. Unlike the desktop MailTips, however, this feature will not depend on the MailTipsExternalRecipientsTipsEnabled setting that you can configure server-side.
The feature is currently off by default and can only be enabled by performing additional configuration steps, as detailed here. By the end of the month it will be toggled on by default though, so you can enjoy yet another cool Outlook mobile feature in the near future!