Exchange Online OWA Mailbox Security Controls

directorcia edited this page Nov 12, 2025 · 2 revisions

Exchange Online OWA Mailbox Policy Security Controls

This page documents the audit and recommended configuration enforced by the script asd-owamail-get.ps1 for Outlook on the Web (OWA) mailbox policies in Exchange Online. It mirrors the style of other ASD control pages and is intended as a practical guide for running the assessment and interpreting the results.


What this checks

The script validates your tenant's OWA mailbox policies against an ASD-aligned baseline. By default it evaluates the policy named OwaMailboxPolicy-Default and the settings listed below. If your baseline JSON includes more policies, each will be assessed.

Setting                           Recommended   Rationale (short)
InstantMessagingEnabled           true          Enables M365-integrated IM in OWA where permitted
TextMessagingEnabled              true          Allows SMS notifications for calendar/alerts
ActiveSyncIntegrationEnabled      false         Reduce legacy/mobile integration surface from OWA
ContactsEnabled                   true          Standard OWA address book features
LinkedInEnabled                   false         Blocks third‑party social integration in OWA
MobileDeviceSyncEnabled           true          Enable supported device sync pathways
AllAddressListsEnabled            true          Allow All Address Lists in OWA
JournalingEnabled                 false         Journaling is handled elsewhere; keep OWA simple
NotesEnabled                      true          Permit notes in OWA
RulesEnabled                      true          Client rules available within OWA
RecoverDeletedItemsEnabled        true          End‑user self‑service recovery
ChangePasswordEnabled             true          Allow password change from OWA
ThemesEnabled                     true          Non‑security UI preference
PremiumClientEnabled              true          Full OWA experience
EmailSignatureEnabled             true          End‑user signatures
WeatherEnabled                    true          Non‑security UI feature; benign
PlacesEnabled                     false         Reduce exposure of location data in OWA
LocalEventsEnabled                false         Reduce exposure of 3rd‑party local event data
InterestingCalendarsEnabled       false         Prevent subscription to external calendars
CalendarEnabled                   true          Core OWA functionality
TasksEnabled                      true          Core OWA functionality
RemindersAndNotificationsEnabled  true          Standard end‑user notifications
PublicFileAccessEnabled           false         Block public file links from OWA
PrivateFileAccessEnabled          true          Allow private file integration
OfflineAccessEnabled              "Always"      Allow OWA offline mode for resilience

Note: Recommended values come from the baseline JSON (the default fetched from GitHub, or the file given by -BaselinePath). Update the JSON to fit your specific risk profile, then re‑run the script.


How the script works

  1. Loads the baseline JSON (default from GitHub or -BaselinePath).
  2. Validates schema: the root object contains one or more policy names; each is a settings object.
  3. Imports/loads ExchangeOnlineManagement and connects to Exchange Online (reuses existing session if present).
  4. Reads policies via Get-OwaMailboxPolicy.
  5. For each policy and each setting in the baseline, compares current vs required value.
  6. Produces:
    • Always: console summary
    • Always: HTML report (styled, with colored summary and a PASS/FAIL table)
    • Optional: CSV export (-ExportToCSV)
    • Optional: log file (-DetailedLogging)

Prerequisites

  • PowerShell 5.1+ or PowerShell 7.x
  • Module: ExchangeOnlineManagement
  • Permissions (any of): Global Reader, Exchange Administrator, View‑Only Organization Management, Compliance Administrator
  • Internet access if using the default baseline URL

Install the module if needed:

Install-Module ExchangeOnlineManagement -Scope CurrentUser

Usage

Basic run:

./asd-owamail-get.ps1

Export CSV as well:

./asd-owamail-get.ps1 -ExportToCSV

Custom baseline and output paths:

./asd-owamail-get.ps1 -BaselinePath "C:\Config\owamail.json" -ExportToCSV -CSVPath "C:\Reports\owapolicy.csv"

Enable detailed logging:

./asd-owamail-get.ps1 -DetailedLogging -LogPath "C:\Logs\owapolicy.log"

Output

  • HTML report: asd-owamail-get-<timestamp>.html (created in the parent directory of the script; auto‑opened)
  • CSV (optional): Policy, Setting, CurrentValue, RequiredValue, Status
  • Log (optional): detailed steps and errors

Interpreting results:

  • PASS: the current value equals the required value (string comparison is case‑insensitive). A required value of null in the baseline matches any current value.
  • FAIL: the value differs, or the property or the policy itself is missing.
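The following is an added example and not the asd-owamail-get.ps1 script's own code. It walks the steps listed under "How the script works" (load baseline, read policies, compare each setting) and applies the PASS/FAIL rules above, emitting the same columns the script's CSV uses. It assumes ExchangeOnlineManagement is loaded and Connect-ExchangeOnline has already been run; the function and variable names are hypothetical and the embedded baseline is a constructed subset of the table.

```powershell
# Added example, not the asd-owamail-get.ps1 script's own code.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline already run).
# The baseline below is a constructed subset of the table; in practice load it with
# Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

$baselineJson = @'
{
  "OwaMailboxPolicy-Default": {
    "ActiveSyncIntegrationEnabled": false,
    "LinkedInEnabled": false,
    "PublicFileAccessEnabled": false,
    "PrivateFileAccessEnabled": true,
    "OfflineAccessEnabled": "Always",
    "ThemesEnabled": null
  }
}
'@
$baseline = $baselineJson | ConvertFrom-Json

# PASS rule: a null required value matches anything; otherwise compare the string
# forms case-insensitively, which covers booleans, strings and enum values alike.
function Test-OwaSetting {
    param($Current, $Required)
    if ($null -eq $Required) { return $true }
    if ($null -eq $Current)  { return $false }
    return ([string]$Current).Equals([string]$Required, [System.StringComparison]::OrdinalIgnoreCase)
}

$results = foreach ($policyName in $baseline.PSObject.Properties.Name) {
    $settings = $baseline.$policyName

    # A policy that does not exist stays $null, so every one of its settings reports FAIL
    $policy = $null
    try { $policy = Get-OwaMailboxPolicy -Identity $policyName -ErrorAction Stop } catch { }

    foreach ($setting in $settings.PSObject.Properties) {
        # A missing property on an existing policy is also a FAIL
        $present = ($null -ne $policy) -and ($policy.PSObject.Properties.Name -contains $setting.Name)
        $current = if ($present) { $policy.$($setting.Name) } else { $null }
        $pass    = $present -and (Test-OwaSetting -Current $current -Required $setting.Value)

        [pscustomobject]@{
            Policy        = $policyName
            Setting       = $setting.Name
            CurrentValue  = if ($present) { $current } else { '<missing>' }
            RequiredValue = if ($null -eq $setting.Value) { '<any>' } else { $setting.Value }
            Status        = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Console summary and a CSV with the same columns as the script's export
$results | Format-Table -AutoSize
$results | Export-Csv -Path '.\owapolicy-audit.csv' -NoTypeInformation

$failed = @($results | Where-Object Status -eq 'FAIL').Count
"{0} checks, {1} FAIL" -f @($results).Count, $failed
```

Comparing string forms rather than raw values is what makes "Always" in the JSON match the OfflineAccessEnabled enum value returned by Get-OwaMailboxPolicy, and "true"/"false" in the JSON match boolean properties.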

Remediation (examples)

Use Set-OwaMailboxPolicy to align settings. For example:

# Target the default policy
$policy = "OwaMailboxPolicy-Default"

Set-OwaMailboxPolicy -Identity $policy -InstantMessagingEnabled $true
Set-OwaMailboxPolicy -Identity $policy -TextMessagingEnabled $true
Set-OwaMailboxPolicy -Identity $policy -ActiveSyncIntegrationEnabled $false
Set-OwaMailboxPolicy -Identity $policy -LinkedInEnabled $false
Set-OwaMailboxPolicy -Identity $policy -PublicFileAccessEnabled $false -PrivateFileAccessEnabled $true
Set-OwaMailboxPolicy -Identity $policy -OfflineAccessEnabled Always

Important: Validate each change against your org’s requirements and change control processes.
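As an added example (not the script's or the project's code), the snippet below turns the one-cmdlet-per-setting remediation above into a baseline-driven function that changes only the settings that have drifted and supports -WhatIf, so the planned changes can be reviewed under change control before anything is applied. It assumes an existing Exchange Online session; the function name and the hashtable are hypothetical, with values taken from the table above.

```powershell
# Added example, not the asd-owamail-get.ps1 script's own code.
# Assumes an existing Exchange Online session.
function Set-OwaPolicyToBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]    $PolicyName,
        [Parameter(Mandatory)] [hashtable] $Required     # SettingName -> required value
    )

    $policy  = Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction Stop
    $changes = @{}

    foreach ($name in $Required.Keys) {
        $want = $Required[$name]
        if ($null -eq $want) { continue }    # null in the baseline means any value is acceptable
        $have = $policy.$name
        # Same case-insensitive string comparison the audit's PASS rule uses
        if (-not ([string]$have).Equals([string]$want, [System.StringComparison]::OrdinalIgnoreCase)) {
            $changes[$name] = $want
        }
    }

    if ($changes.Count -eq 0) {
        Write-Host "$PolicyName already matches the baseline; nothing to do."
        return
    }

    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($PSCmdlet.ShouldProcess($PolicyName, "Set $summary")) {
        # Splat only the drifted settings into a single Set-OwaMailboxPolicy call
        Set-OwaMailboxPolicy -Identity $PolicyName @changes
        Write-Host "Updated ${PolicyName}: ${summary}"
    }
}

# Constructed subset of the recommended values from the table above
$required = @{
    ActiveSyncIntegrationEnabled = $false
    LinkedInEnabled              = $false
    PublicFileAccessEnabled      = $false
    PrivateFileAccessEnabled     = $true
    OfflineAccessEnabled         = 'Always'
}

# Dry run first; drop -WhatIf to apply the changes
Set-OwaPolicyToBaseline -PolicyName 'OwaMailboxPolicy-Default' -Required $required -WhatIf
```

Running with -WhatIf prints the policy name and the exact setting=value pairs that would be sent, which is a convenient record to attach to a change request; re-running the audit afterwards confirms the policy now reports PASS.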


Customising the baseline

  • Edit or replace the JSON at -BaselinePath.
  • Add additional policies as new top‑level properties (e.g. "Owa Policy – Kiosk" : { ... }).
  • Each property under a policy is the setting name from Get-OwaMailboxPolicy.

Schema example:

{
  "OwaMailboxPolicy-Default": { "SettingName": true },
  "OwaMailboxPolicy-Kiosk":   { "SettingName": false }
}
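Because a typo in a policy or setting name only surfaces as FAIL entries after a full run, the added example below (not part of the script or project) checks a custom baseline file before the audit: it enforces the shape described above (root object, policy names, settings objects), accepts only true/false, string or null values, and can optionally cross-check setting names against the properties of a live OwaMailboxPolicy object. The function name is hypothetical and the sample JSON is constructed, with one deliberate misspelling.

```powershell
# Added example, not the asd-owamail-get.ps1 script's own code.
function Test-OwaBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ReferencePolicy    # e.g. 'OwaMailboxPolicy-Default'; needs an Exchange Online session
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    $root = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($root -isnot [System.Management.Automation.PSCustomObject] -or @($root.PSObject.Properties).Count -eq 0) {
        $problems.Add('Root must be an object with at least one policy name')
        return ,$problems
    }

    # Optional live cross-check of setting names against a real policy object
    $knownSettings = $null
    if ($ReferencePolicy) {
        $knownSettings = (Get-OwaMailboxPolicy -Identity $ReferencePolicy).PSObject.Properties.Name
    }

    foreach ($policyProp in $root.PSObject.Properties) {
        $settings = $policyProp.Value
        if ($settings -isnot [System.Management.Automation.PSCustomObject]) {
            $problems.Add("Policy '$($policyProp.Name)' must map to a settings object")
            continue
        }
        foreach ($s in $settings.PSObject.Properties) {
            $v = $s.Value
            # Values the audit can compare: booleans, strings (for enum settings such as
            # OfflineAccessEnabled) or null (meaning any current value passes)
            if ($null -ne $v -and $v -isnot [bool] -and $v -isnot [string]) {
                $problems.Add("'$($policyProp.Name)'.'$($s.Name)': value must be true/false, a string or null (got $($v.GetType().Name))")
            }
            if ($knownSettings -and ($knownSettings -notcontains $s.Name)) {
                $problems.Add("'$($policyProp.Name)'.'$($s.Name)': not a property of Get-OwaMailboxPolicy output")
            }
        }
    }
    return ,$problems
}

# Constructed sample: the Kiosk entry misspells PublicFileAccessEnabled
$sample = @'
{
  "OwaMailboxPolicy-Default": { "LinkedInEnabled": false, "OfflineAccessEnabled": "Always" },
  "OwaMailboxPolicy-Kiosk":   { "PublcFileAccessEnabled": false }
}
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'owamail-baseline.json'
Set-Content -Path $tmp -Value $sample

# Offline structural check; add -ReferencePolicy 'OwaMailboxPolicy-Default' when connected
# to also catch the misspelled setting name
$issues = @(Test-OwaBaseline -Path $tmp)
if ($issues.Count -eq 0) { 'Baseline structure OK' } else { $issues }
```

Without -ReferencePolicy the sample passes the structural check, since the file shape is valid; with a connected session and -ReferencePolicy, the misspelled PublcFileAccessEnabled is reported before it can show up as a FAIL for a missing property.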

Troubleshooting

  • Module not found: install ExchangeOnlineManagement and restart PowerShell.
  • Connection issues: close old shells, re‑run; ensure MFA/conditional access prompts are satisfied.
  • Missing policy: create it or remove it from the baseline; otherwise all of its settings will report FAIL.
  • HTML not opening: open the generated file manually from Explorer.

Last updated: generated for the asd-owamail-get.ps1 script to accompany the HTML/CSV outputs.


Detailed security controls and PowerShell (per setting)

The sections below mirror the style used in other security control pages: each control includes the recommendation, what it does, how to check it, and how to configure it using Exchange Online PowerShell. Replace $policy with the target OWA mailbox policy name (for example, OwaMailboxPolicy-Default).

Check pattern

Get-OwaMailboxPolicy -Identity $policy | Format-List <SettingName>

Configure pattern

Set-OwaMailboxPolicy -Identity $policy -<SettingName> <Value>

InstantMessagingEnabled

  • Recommended: true
  • Rationale: Enable integrated presence and chat where permitted.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl InstantMessagingEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -InstantMessagingEnabled $true

TextMessagingEnabled

  • Recommended: true
  • Rationale: Allow SMS notifications for calendar/alerts.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl TextMessagingEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -TextMessagingEnabled $true

ActiveSyncIntegrationEnabled

  • Recommended: false
  • Rationale: Reduce legacy mobile integration surface via OWA.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl ActiveSyncIntegrationEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -ActiveSyncIntegrationEnabled $false

ContactsEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl ContactsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -ContactsEnabled $true

LinkedInEnabled

  • Recommended: false
  • Rationale: Block third‑party social integration.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl LinkedInEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -LinkedInEnabled $false

MobileDeviceSyncEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl MobileDeviceSyncEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -MobileDeviceSyncEnabled $true

AllAddressListsEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl AllAddressListsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -AllAddressListsEnabled $true

JournalingEnabled

  • Recommended: false
  • Rationale: Keep journaling out of end‑user OWA context (if used, handle centrally).
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl JournalingEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -JournalingEnabled $false

NotesEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl NotesEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -NotesEnabled $true

RulesEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl RulesEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -RulesEnabled $true

RecoverDeletedItemsEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl RecoverDeletedItemsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -RecoverDeletedItemsEnabled $true

ChangePasswordEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl ChangePasswordEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -ChangePasswordEnabled $true

ThemesEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl ThemesEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -ThemesEnabled $true

PremiumClientEnabled

  • Recommended: true
  • Rationale: Provide full OWA experience.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl PremiumClientEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -PremiumClientEnabled $true

EmailSignatureEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl EmailSignatureEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -EmailSignatureEnabled $true

WeatherEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl WeatherEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -WeatherEnabled $true

PlacesEnabled

  • Recommended: false
  • Rationale: Reduce exposure of location data in OWA UI.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl PlacesEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -PlacesEnabled $false

LocalEventsEnabled

  • Recommended: false
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl LocalEventsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -LocalEventsEnabled $false

InterestingCalendarsEnabled

  • Recommended: false
  • Rationale: Prevent subscription to public/third‑party calendars.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl InterestingCalendarsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -InterestingCalendarsEnabled $false

CalendarEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl CalendarEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -CalendarEnabled $true

TasksEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl TasksEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -TasksEnabled $true

RemindersAndNotificationsEnabled

  • Recommended: true
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl RemindersAndNotificationsEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -RemindersAndNotificationsEnabled $true

PublicFileAccessEnabled / PrivateFileAccessEnabled

  • Recommended: PublicFileAccessEnabled = false, PrivateFileAccessEnabled = true
  • Rationale: Disable public file link integrations while allowing private file access.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl PublicFileAccessEnabled,PrivateFileAccessEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -PublicFileAccessEnabled $false -PrivateFileAccessEnabled $true

OfflineAccessEnabled

  • Recommended: Always
  • Rationale: Enable offline resilience for OWA.
  • Check:
Get-OwaMailboxPolicy -Identity $policy | fl OfflineAccessEnabled
  • Configure:
Set-OwaMailboxPolicy -Identity $policy -OfflineAccessEnabled Always