OWA’s ThirdPartyFileProvidersEnabled Setting

Do You Really Want OWA Users to Access Third Party File Providers?

Those who browse the deep recesses of Microsoft documentation often find unannounced pleasures awaiting their delight. Such is the case of Set-OWAMailboxPolicy, where the ThirdPartyFileProvidersEnabled setting is documented. Despite the best efforts of Vasil Michev (the esteemed technical editor of the Office 365 for IT Pros eBook), the setting seems to be not well known. It deserves more.

By default, the setting is false, which means that OWA users can’t access third-party file providers like Box, Google Drive, or Dropbox to upload attachments. Before users can access a third-party file provider, they must authenticate their account (including an MFA challenge if MFA is enabled for the account) and give access to OWA.

Completing the verification process to allow OWA to access Google Drive
Completing the verification process to allow OWA to access Google Drive

Once the connection is made between the third-party file provider and OWA, the user can browse for attachments. Here’s what it looks like for a Dropbox account.

Selecting Dropbox files to attach to an OWA message
Selecting Dropbox files to attach to an OWA message

Goodness and Badness

There’s goodness and badness in allowing users to access third-party file providers. It’s good that they attach files stored in the providers to bring them into Exchange Online and so expose the content to Office 365 data governance. It’s bad if it encourages the long-term use of third-party file providers for business information. Each organization will have to make up its mind how to handle the situation and decide if they want to enable access to other file services.

Discovering Who Can Use Third-Party File Providers

To check what OWA mailbox policies allow access to third-party file providers, use the command:

Get-OwaMailboxPolicy | Format-Table Name, ThirdPartyFileProvidersEnabled

Name                       ThirdPartyFileProvidersEnabled
----                       ------------------------------
OwaMailboxPolicy-Default                             True
Restricted Download Access                          False
OWAFullAccess                                        True
NoOfflineAccess                                      True

We can see that three of the OWA mailbox policies allow third-party file providers. To discover the mailboxes covered by these policies, use the command:

Get-Mailbox -RecipientTypeDetails UserMailbox | Get-CasMailbox |? {$_.OWAMailboxPolicy -ne "Restricted Download Access"} | Format-Table DisplayName

We use Get-Mailbox to feed a filtered list of user mailboxes (excluding room, shared, discovery, and resource mailboxes) to Get-CasMailbox, check what OWA mailbox policy applies to each , and output a list of names. Simple!

For more information about OWA (but not third-party file providers), see Chapter 10 of the Office 365 for IT Pros eBook.

5 Replies to “OWA’s ThirdPartyFileProvidersEnabled Setting”

  1. We’re actually using AirWatch MDM and the Outlook for iOS configuration settings can be locked down to not allow allow adding a personal email account using the configuration string IntuneMAMAllowedAccountsOnly with IntuneMAMUPN which seems to work for blocking a user adding a personal email account. But it does not lock down adding 3rd party storage services like Box, DropBox, Google Drive, ideally we do not want these to even appear in the list of options. It’s possible to integrate AirWatch with Intune app protection policies but could not see how to do it with those.

    1. From the Intune people:

      Yes, an Intune app protection policy configured with “Send org data to other apps” will prevent the scenario or ensure if the data gets transferred that it is encrypted and inaccessible on the third-party storage platform. They can also use the “Save copies of Org data” setting to prevent data being saved to the local device.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.