How to apply Outlook web app mailbox policies
Last updated on:In this page
An Outlook web app mailbox policy (previously known as an OWA mailbox policy) functions as a configuration template that determines which features are available to users when they access their email via the web. Rather than managing settings individually, administrators use these policies to enable or disable capabilities—such as text messaging, instant messaging, and file access—for specific users or groups. This ensures a consistent experience and efficient management of web-based email features across the organization.
For admins, managing these assignments manually for each user is inefficient. Without a streamlined method to assign Outlook mailbox policies to user accounts, ensuring consistency across departments becomes difficult. This article explains how to assign Outlook web app mailbox policies to users in Exchange Online using the Exchange admin center and Exchange Online PowerShell.
- M365 admin center
- Graph PowerShell
Method 1: How to apply Outlook policies using the Exchange admin center
Prerequisites
You need the Exchange Administrator role for the account you use to sign in to the Exchange admin center.
Steps
- Log in to the Exchange admin center.
- Navigate to Recipients > Mailboxes and click a mailbox.
- Click Manage email apps settings under Email apps & mobile devices.
- Type the name of the Outlook web app mailbox policy you want to apply and click it. To remove an existing Outlook policy, click the X button next to it.
- Click Save.
A limitation to consider
The Exchange admin center only allows you to edit the Outlook web app mailbox policy of one mailbox at a time. You have to use Exchange Online PowerShell to apply an Outlook web app mailbox policy to multiple users at once.
Method 2: How to apply Outlook policies using Exchange Online PowerShell (Set-CASMailbox)
Prerequisites
Before using Exchange Online PowerShell, please verify that:
- The Exchange Administrator role is applied to the account you use to sign in to Exchange Online PowerShell.
- You are connected to the Exchange Online PowerShell module.
- To check if the Exchange Online PowerShell module is installed, use this script:
Get-Module -ListAvailable ExchangeOnlineManagement - If the script does not return a value, you will have to install the module. To install the Exchange Online PowerShell module, execute this script:
Install-Module ExchangeOnlineManagement -Scope CurrentUser - To connect to Exchange Online PowerShell, run this script:
Connect-ExchangeOnline
- To check if the Exchange Online PowerShell module is installed, use this script:
Using Set-CASMailbox to assign Outlook web app mailbox policies
The Set-CASMailbox cmdlet can be used to enable or disable certain Exchange Online features that provide users with different ways to access their mailboxes.
Use the Set-CASMailbox cmdlet to assign a specific Outlook web app mailbox policy to a user:
Set-CASMailbox -Identity user@domain.com -OwaMailboxPolicy "PolicyName"
Scenario: Assign a restrictive Outlook web app mailbox policy in bulk to a department
An IT administrator needs to apply a restrictive Outlook policy to all users in the Interns department to disable instant messaging and file sharing.
They use the following script to find the users in the department and assign the Outlook web app mailbox policy to user mailboxes in the Interns department in bulk:
$Users = Get-User -ResultSize Unlimited -Filter "Department -eq 'Interns'"
$Users | ForEach-Object {
Set-CASMailbox -Identity $_.UserPrincipalName -OwaMailboxPolicy "RestrictedOWAPolicy"
}
Supported parameters
The following table contains parameters relevant to managing Outlook policies via Exchange Online PowerShell:
| Parameter | Description |
|---|---|
| Identity | This is the user mailbox to which you are assigning the policy |
| OwaMailboxPolicy | This specifies the name of the policy you want to assign (e.g., OwaMailboxPolicy-default) |
| OwaEnabled | This enables or disables Outlook on the web access entirely for the mailbox |
Validation: How to ensure your Outlook web app mailbox policies are applied
Use the Get-EXOCASMailbox cmdlet to verify which Outlook web app mailbox policy is assigned to a user:
Get-EXOCASMailbox -Identity <UserPrincipalName> | Select-Object Identity, OWAMailboxPolicy
You can also check the email apps settings of each mailbox in Exchange Online for the Outlook web app mailbox policy applied to it.
Manage your Exchange Online protocols and more
While native admin centers and Graph PowerShell scripting can help you assign Outlook web app mailbox policies to your mailboxes, you either need a great deal of patience to make changes to mailboxes one by one or extensive knowledge of PowerShell scripting to carry out your complex and bulk operations. This is where ManageEngine M365 Manager Plus helps you simplify your Microsoft 365 administration.
M365 Manager Plus is a comprehensive administration and security solution for Microsoft 365. It is used for reporting on, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environment.
M365 Manager Plus' mailbox management capabilities help you view, monitor, and modify Exchange Online mailbox properties like the mailbox quotas, archive status, and inbox rules. You can carry out complex tasks like configuring retention policies, converting mailboxes, and more with just a series of clicks. Instead of juggling scripts or exporting raw data for manual filtering, you can use M365 Manager Plus' ready-to-use reports and easy scheduling.
Bulk mailbox management
Handle large-scale mailbox actions, such as enabling features, updating settings, or modifying permissions, through simple, GUI-driven operations—no scripts and no manual, repetitive tasks.
Reports on Microsoft 365 mailboxes
Access ready-made reports that cover the mailbox size, activity, mailbox features, license usage, storage trends, permission assignments, and more. Get the insights you need without digging through multiple admin centers.
Real-time alerts on mailbox changes
Perform mailbox audits, configuration checks, and bulk updates without relying on cmdlets or scripting expertise. One-click actions reduce errors and make mailbox administration far more manageable.
Eliminate PowerShell complexityEliminate PowerShell complexity
Set up proactive alerts for mailboxes reaching or exceeding storage limits. Get notified before users encounter send or receive disruptions, enabling administrators to take timely action by expanding quotas or activating archives.
Important tips
Secure the default Outlook web app mailbox policy: When a new mailbox is created, the OwaMailboxPolicy-default mailbox policy is applied automatically unless you specify otherwise. Ensure this default policy is configured securely.
Audit Exchange Online features: Regularly review which users are assigned highly privileged Outlook web app mailbox policies and which users have legacy protocols such as Exchange ActiveSync enabled in order to prevent data leakage via unmonitored features like file sharing.
Control offline access: Manage offline access settings within the policy to prevent email data from being cached on devices that might not be secure.
Frequently asked questions
An Outlook web app mailbox policy (or Outlook on the web mailbox policy) is a collection of settings that controls the availability of specific features in Outlook on the web. It enables administrators to standardize settings, such as file access types and offline availability, for different groups of users without configuring each mailbox individually.
The Set-OwaMailboxPolicy cmdlet is used to configure the actual settings inside the policy (e.g., allowing or blocking instant messaging). The Set-CASMailbox cmdlet is used to assign that policy to a specific user mailbox.
You can revert a user account to the default settings by running the following PowerShell command:
Set-CASMailbox -Identity user@domain.com -OwaMailboxPolicy "OwaMailboxPolicy-Default"
Yes. Instead of applying a policy, you can disable the protocol by using the Exchange admin center or by using the following command:
Set-CASMailbox -Identity user@domain.com -OwaEnabled $false.
No. Outlook web app mailbox policies apply only to Outlook on the web. They do not modify settings for the Outlook desktop app, the Outlook mobile app, or ActiveSync.
Yes—but the Outlook web app mailbox policy only affects sign-ins to Outlook on the web. Shared mailboxes typically do not sign in directly, but if they are licensed or converted to user mailboxes, the policy becomes relevant.
Deleting an assigned Outlook web app mailbox policy causes the affected mailboxes to inherit the tenant’s default Outlook behavior until a new policy is explicitly assigned. This may unintentionally re-enable restricted features. Always reassign users to a replacement policy before deleting the old policy.