On February 20, I wrote about the topic of generating corporate auto-signatures for OWA. It is easy to create good-looking autosignatures and store them in user mailboxes for OWA to apply (Outlook is a different proposition). The logical question that follows is how to stop users changing their corporate-generated autosignature?
Historically, role-based access control (RBAC) has been the go-to method when control is needed over an OWA feature. Microsoft introduced RBAC to Exchange 2010 as the control mechanism for access to features. RBAC is used today in both Exchange Online and Exchange on-premises, and variations are used to control access to options in admin portals like the Microsoft 365 admin center and Microsoft 365 compliance center.
OWA and RBAC
Settings in a user role assignment policy control the elements of the user interface OWA displays to mailboxes covered by the policy. Basically, if the policy allows OWA to display the user interface for users to edit and save their autosignature, they see the option in OWA settings (Figure 1). But if we change the policy to remove the ability to update signatures, they won’t.
Figure 1: OWA settings to create and update a mailbox autosignature
User Role Assignment Policies
Office 365 tenants come with an out-of-the-box user role assignment policy (called “Default Role Assignment Policy”) which enables access to all OWA settings. Mailboxes are assigned this policy by default unless an administrator changes the assignment.
You can edit the default role assignment policy to remove access to autosignatures, but it’s usually a better idea to create a new role assignment policy and edit that, just in case you make a mistake and remove access to some features that you want to keep.
Tailoring Roles
Before we create a new policy, we must create a new RBAC role to block autosignatures. Exchange breaks down the ability of users to access OWA features into a set of roles, assembled to form a policy. Each role is composed of a set of role entries. Think of a role entry as a definition of a PowerShell cmdlet and its parameters. Once a user is assigned a role, they can run the cmdlets defined in the role entries. For instance, if a role entry includes the Set-Mailbox cmdlet and some (but maybe not all) of its parameters, the user can run Set-Mailbox and use the set of allowed parameters. They run the cmdlet by using an OWA option or in PowerShell.
The connection between RBAC and cmdlets means that we must know what cmdlet is used to update autosignatures if we want to block it. As explained in my previous article, the Set-MailboxMessageConfiguration cmdlet and several of its parameters are used to manipulate autosignatures. To stop users updating autosignatures, we must remove their access to those parameters.
Creating a Customized Role
The two commands shown below create a new management role based on the out-of-the-box MyBaseOptions role (which controls many OWA settings). The new management role inherits all the settings from MyBaseOptions, so we then amend the settings by removing the parameters used by Set-MailboxMessageConfiguration to update autosignatures.
When users are assigned a policy containing the customized role, they will be unable to update signatures. However, we need to take one more step to stop OWA displaying the user interface for signatures. We do this by removing the right to run the Get-MailboxMessageConfiguration cmdlet. Without this cmdlet, OWA can’t fetch details of existing autosignature settings from the mailbox. Here’s the code to remove the entry from the role:
To make the new role effective, we must include it in a user role assignment policy and assign that policy to mailboxes. This code creates a new policy composed of our customized role and all the other default roles normally assigned to users through a policy. For instance, the MyProfileInformation role allows users to edit details of their profile while MyDistributionGroups allows users to create and edit distribution lists.
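The RBAC steps described above (customized role, trimmed role entries, new policy, mailbox assignment), put together as an added example that is not the original article's code. It assumes a connected Exchange Online PowerShell session; the role and policy names are hypothetical, and the signature parameters are selected by a wildcard match on the role entry rather than from a fixed list.

```powershell
# Added example: assumes Connect-ExchangeOnline has already been run by an admin.
# $RoleName and $PolicyName are hypothetical names chosen for illustration.
$RoleName   = 'MyBaseOptions-NoSignature'
$PolicyName = 'No Signature Policy'
$SetEntry   = "$RoleName\Set-MailboxMessageConfiguration"

# 1. Create a child role that inherits every role entry from MyBaseOptions.
New-ManagementRole -Name $RoleName -Parent MyBaseOptions

# 2. Remove the signature-related parameters from Set-MailboxMessageConfiguration.
#    Reading the list from the role entry itself means only parameters that are
#    actually present in this tenant's entry are passed to -RemoveParameter.
$SigParams = (Get-ManagementRoleEntry $SetEntry).Parameters |
    Where-Object { $_ -like '*Signature*' }
Set-ManagementRoleEntry $SetEntry -Parameters $SigParams -RemoveParameter

# 3. Remove Get-MailboxMessageConfiguration so OWA cannot read the settings
#    (this is the step with the side effects the article goes on to describe).
Remove-ManagementRoleEntry "$RoleName\Get-MailboxMessageConfiguration" -Confirm:$false

# 4. Build the new policy from the roles in the default policy, swapping
#    MyBaseOptions for the customized role.
$Roles = Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' |
    ForEach-Object { "$($_.Role)" } |
    Where-Object { $_ -ne 'MyBaseOptions' }
New-RoleAssignmentPolicy -Name $PolicyName -Roles (@($Roles) + $RoleName) `
    -Description 'Default user roles without access to autosignature settings'

# 5. Assign the policy to a test mailbox first.
Set-Mailbox -Identity Kim.Akers -RoleAssignmentPolicy $PolicyName

# 6. Verify: the Set- entry should list no *Signature* parameters and the
#    Get- entry should no longer be returned.
Get-ManagementRoleEntry "$RoleName\*-MailboxMessageConfiguration" |
    Format-List Name, Parameters
Get-Mailbox -Identity Kim.Akers | Format-List DisplayName, RoleAssignmentPolicy
```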
The block should become effective 15 minutes or so after the mailbox is updated with the new role assignment policy. Log into the mailbox with OWA and open the options pane. Select the View all Outlook settings link to open the fly-out window with access to all settings and go to the Compose and reply section. You should see that OWA can no longer edit the autosignature settings (Figure 2).
Figure 2: No signature settings available in OWA
The Downside of Removing the Get-MailboxMessageConfiguration Cmdlet
Eagle-eyed readers will notice that some other settings have disappeared from the Compose and reply section. This is because the Get-MailboxMessageConfiguration cmdlet returns many settings like the message format to use for new messages, the font and font size to use, and the color of text. Settings are also affected in other sections, like Layout (message organization). When you remove the ability of a user to run Get-MailboxMessageConfiguration, they lose access to everything the cmdlet returns, not just autosignatures.
The same problem would not arise if OWA used Set-MailboxMessageConfiguration to control the display of the autosignature setting. Set-MailboxMessageConfiguration is a granular cmdlet with individual parameters to control different settings, so you can trim parameters to control access to specific settings.
OWA Mailbox Policy Solves the Problem
Although RBAC doesn’t work as well as expected, OWA mailbox policies are another way to tackle the problem. OWA mailbox policies control many (but not all) aspects of how the client works. You can work with OWA mailbox policies through the Permissions section of the Exchange admin center (EAC) or PowerShell. Figure 3 shows how to disable autosignatures by unchecking the email signature box in the features section of a policy. You can either update an existing OWA mailbox policy or create a new one (better for testing).
Figure 3: Disabling OWA signatures with an OWA mailbox policy
If you want to use PowerShell, you need to set SignaturesEnabled to $False in the policy. Here’s how to create and update an OWA mailbox policy with PowerShell:
New-OWAMailboxPolicy -Name "Block Access to autosignatures"
Set-OWAMailboxPolicy -Identity "Block Access to autosignatures" -SignaturesEnabled $False
Whether you use EAC or PowerShell to block signatures in an OWA mailbox policy, don’t forget to assign the modified policy to the mailboxes you want to control. You can assign the policy by updating mailbox properties with EAC, but it’s likely that you’ll want to update multiple mailboxes and that’s when PowerShell shines. The command to assign an OWA mailbox policy to a mailbox is:
Set-CASMailbox -Identity Kim.Akers -OWAMailboxPolicy "Block Access to autosignatures"
Again, wait for 15 minutes to allow the Exchange Online servers to pick up the new policy and then test that the block is effective.
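For the multi-mailbox case mentioned above, an added example (not from the original article) that confirms the policy really has signatures disabled, assigns it to every user mailbox not already covered, and then reports any mailbox still outside the policy. It assumes a connected Exchange Online session and that all user mailboxes are in scope; narrow the Get-Mailbox call to suit.

```powershell
# Added example: assumes Connect-ExchangeOnline has already been run by an admin.
$PolicyName = 'Block Access to autosignatures'

# Refuse to roll out a policy that does not actually block signatures.
$Policy = Get-OwaMailboxPolicy -Identity $PolicyName
if ($Policy.SignaturesEnabled) {
    throw "Policy '$PolicyName' still has SignaturesEnabled set to True."
}

# Scope assumption: every user mailbox in the tenant.
$Targets = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($Mbx in $Targets) {
    $Cas = Get-CASMailbox -Identity $Mbx.ExternalDirectoryObjectId
    # Only touch mailboxes that are not already on the policy.
    if ("$($Cas.OwaMailboxPolicy)" -ne $PolicyName) {
        Set-CASMailbox -Identity $Mbx.ExternalDirectoryObjectId -OwaMailboxPolicy $PolicyName
    }
}

# Coverage report: anything listed here is not governed by the block.
$Targets | ForEach-Object { Get-CASMailbox -Identity $_.ExternalDirectoryObjectId } |
    Where-Object { "$($_.OwaMailboxPolicy)" -ne $PolicyName } |
    Select-Object DisplayName, PrimarySmtpAddress, OwaMailboxPolicy
```

Add -WhatIf to the Set-CASMailbox call for a dry run before changing any mailbox.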
The OWA mailbox policy is enough to block users from changing autosignatures. You don’t need to update RBAC role assignments unless you also want to stop users running the Set-MailboxMessageConfiguration cmdlet in a PowerShell session. You can make your mind up how likely it is that users will decide to master PowerShell to mess with corporate autosignatures.
RBAC Fails but Another Method Succeeds
RBAC is a powerful mechanism for controlling user access to individual features. In Exchange Online, RBAC depends on the underlying cmdlets and parameters. Usually, RBAC is the best way to stop user access to features, but in this situation, the limitations of the Get-MailboxMessageConfiguration cmdlet created some unfortunate side-effects when implementing a block on autosignatures. Fortunately, OWA mailbox policies came to the rescue and implemented the block we wanted.
This is an example of how the probing minds of the Office 365 for IT Pros writing team tease out issues. Benefit from their work by subscribing to the Office 365 for IT Pros eBook!