
Commit 95ddb00

WAAttachmentRestrictions
1 parent dd57785 commit 95ddb00

1 file changed

+137
-0
lines changed

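--- /dev/null
+++ b/Invoke-CIPPStandardOWAAttachmentRestrictions.ps1
@@ -0,0 +1,137 @@
+function Invoke-CIPPStandardOWAAttachmentRestrictions {
+<#
+.FUNCTIONALITY
+Internal
+.COMPONENT
+(APIName) OWAAttachmentRestrictions
+.SYNOPSIS
+(Label) Restrict Email Attachments on Unmanaged Devices
+.DESCRIPTION
+(Helptext) Restricts how users on unmanaged devices can interact with email attachments in Outlook on the web and new Outlook for Windows. Prevents downloading attachments or blocks viewing them entirely.
+(DocsDescription) This standard configures the OWA mailbox policy to restrict access to email attachments on unmanaged devices. Users can be prevented from downloading attachments (but can view/edit via Office Online) or blocked from seeing attachments entirely. This helps prevent data exfiltration through email attachments on devices not managed by the organization.
+.NOTES
+CAT
+Exchange Standards
+TAG
+"zero_trust"
+"unmanaged_devices"
+"attachment_restrictions"
+"data_loss_prevention"
+ADDEDCOMPONENT
+{"type":"select","name":"standards.OWAAttachmentRestrictions.ConditionalAccessPolicy","label":"Attachment Restriction Policy","options":[{"label":"Read Only (View/Edit via Office Online, no download)","value":"ReadOnly"},{"label":"Read Only Plus Attachments Blocked (Cannot see attachments)","value":"ReadOnlyPlusAttachmentsBlocked"}],"defaultValue":"ReadOnlyPlusAttachmentsBlocked"}
+IMPACT
+Medium Impact
+ADDEDDATE
+2025-08-22
+POWERSHELLEQUIVALENT
+Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked
+RECOMMENDEDBY
+"Microsoft Zero Trust"
+"CIPP"
+UPDATECOMMENTBLOCK
+Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+.LINK
+https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-identity-device-access-policies-workloads#exchange-online-recommendations-for-zero-trust
+#>
+
+param($Tenant, $Settings)
+$TestResult = Test-CIPPStandardLicense -StandardName 'OWAAttachmentRestrictions' -TenantFilter $Tenant -RequiredCapabilities @('EXCHANGE_S_STANDARD', 'EXCHANGE_S_ENTERPRISE', 'EXCHANGE_LITE') #No Foundation because that does not allow powershell access
+
+if ($TestResult -eq $false) {
+Write-Host "We're exiting as the correct license is not present for this standard."
+return $true
+} #we're done.
+
+# Input validation
+$ValidPolicies = @('ReadOnly', 'ReadOnlyPlusAttachmentsBlocked')
+if ($Settings.ConditionalAccessPolicy.value -notin $ValidPolicies) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "OWAAttachmentRestrictions: Invalid ConditionalAccessPolicy parameter set. Must be one of: $($ValidPolicies -join ', ')" -sev Error
+return
+}
+
+try {
+# Get the default OWA mailbox policy
+$CurrentPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{ Identity = 'OwaMailboxPolicy-Default' }
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the OWA Attachment Restrictions state for $Tenant. Error: $ErrorMessage" -Sev Error
+return
+}
+
+$StateIsCorrect = $CurrentPolicy.ConditionalAccessPolicy -eq $Settings.ConditionalAccessPolicy.value
+
+if ($Settings.remediate -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "OWA attachment restrictions are already set to $($Settings.ConditionalAccessPolicy)" -sev Info
+} else {
+try {
+$cmdParams = @{
+Identity = 'OwaMailboxPolicy-Default'
+ConditionalAccessPolicy = $Settings.ConditionalAccessPolicy.value
+}
+
+New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams $cmdParams
+
+$PolicyDescription = switch ($Settings.ConditionalAccessPolicy.value) {
+'ReadOnly' { 'Read Only (users can view/edit attachments via Office Online but cannot download)' }
+'ReadOnlyPlusAttachmentsBlocked' { 'Read Only Plus Attachments Blocked (users cannot see attachments at all)' }
+}
+
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully set OWA attachment restrictions to: $PolicyDescription" -sev Info
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Could not set OWA attachment restrictions. $($ErrorMessage.NormalizedError)" -sev Error
+}
+}
+}
+
+if ($Settings.alert -eq $true) {
+if ($StateIsCorrect) {
+$PolicyDescription = switch ($Settings.ConditionalAccessPolicy.value) {
+'ReadOnly' { 'Read Only (view/edit via Office Online, no download)' }
+'ReadOnlyPlusAttachmentsBlocked' { 'Read Only Plus Attachments Blocked (cannot see attachments)' }
+}
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "OWA attachment restrictions are correctly set to: $PolicyDescription" -sev Info
+} else {
+$CurrentDescription = switch ($CurrentPolicy.ConditionalAccessPolicy) {
+'ReadOnly' { 'Read Only (view/edit via Office Online, no download)' }
+'ReadOnlyPlusAttachmentsBlocked' { 'Read Only Plus Attachments Blocked (cannot see attachments)' }
+$null { 'Not configured (full access to attachments)' }
+default { $CurrentPolicy.ConditionalAccessPolicy }
+}
+
+$RequiredDescription = switch ($Settings.ConditionalAccessPolicy.value) {
+'ReadOnly' { 'Read Only (view/edit via Office Online, no download)' }
+'ReadOnlyPlusAttachmentsBlocked' { 'Read Only Plus Attachments Blocked (cannot see attachments)' }
+}
+
+$AlertMessage = "OWA attachment restrictions are set to '$CurrentDescription' but should be '$RequiredDescription'"
+Write-StandardsAlert -message $AlertMessage -object @{
+CurrentPolicy = $CurrentPolicy.ConditionalAccessPolicy
+RequiredPolicy = $Settings.ConditionalAccessPolicy
+PolicyName = $CurrentPolicy.Name
+CurrentDescription = $CurrentDescription
+RequiredDescription = $RequiredDescription
+} -tenant $Tenant -standardName 'OWAAttachmentRestrictions' -standardId $Settings.standardId
+Write-LogMessage -API 'Standards' -tenant $Tenant -message $AlertMessage -sev Info
+}
+}
+
+if ($Settings.report -eq $true) {
+if ($StateIsCorrect) {
+Set-CIPPStandardsCompareField -FieldName 'standards.OWAAttachmentRestrictions' -FieldValue $true -TenantFilter $Tenant
+Add-CIPPBPAField -FieldName 'OWAAttachmentRestrictions' -FieldValue $true -StoreAs bool -Tenant $Tenant
+} else {
+$ReportData = @{
+CurrentPolicy = $CurrentPolicy.ConditionalAccessPolicy
+RequiredPolicy = $Settings.ConditionalAccessPolicy.value
+PolicyName = $CurrentPolicy.Name
+IsCompliant = $false
+Description = 'OWA attachment restrictions not properly configured for unmanaged devices'
+}
+Set-CIPPStandardsCompareField -FieldName 'standards.OWAAttachmentRestrictions' -FieldValue $ReportData -TenantFilter $Tenant
+Add-CIPPBPAField -FieldName 'OWAAttachmentRestrictions' -FieldValue $ReportData -StoreAs json -Tenant $Tenant
+}
+}
+}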
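Review bot: The Get/Set calls at lines 55 and 70 only ever touch `OwaMailboxPolicy-Default`, so a tenant with additional OWA mailbox policies assigned to mailboxes is reported compliant (line 123) while those mailboxes keep unrestricted attachment access; either enumerate `Get-OwaMailboxPolicy` without `-Identity` and check/set every policy, or state the default-policy-only scope in the DocsDescription at line 11 so the compliance result is not read as tenant-wide. Two places also pass the whole setting object instead of its value: line 66 should be `"OWA attachment restrictions are already set to $($Settings.ConditionalAccessPolicy.value)"` and line 112 should be `RequiredPolicy = $Settings.ConditionalAccessPolicy.value`, matching lines 62, 71 and 128. As I read the linked Microsoft guidance, the OWA `ConditionalAccessPolicy` value is only enforced when an Entra Conditional Access policy with app-enforced restrictions targets Exchange Online, so a one-line note in the Helptext, such as `Requires an Entra Conditional Access policy with "Use app enforced restrictions" targeting unmanaged devices; without it this setting has no effect`, would keep operators from treating this standard alone as the control — please confirm against the docs.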
