How to Block OWA and Use the New Outlook
Use a Conditional Access Policy to Block Access to OWA Instead of CAS Settings
Microsoft has updated its advice about how to disable access to OWA while retaining access to the new Outlook for Windows. The update is in MC922623, originally published in October 2024 and updated on 28 July 2025. In a nutshell, Microsoft recommends using a conditional access policy to block access to OWA rather than the mailbox-level OWAEnabled CAS (Client Access Server) setting.
Apart from the need to deploy Entra P1 licenses, that advice seems straightforward enough. But there are some issues to understand before rushing to deploy a new conditional access policy. Let’s discuss two important points.
Two CAS Settings
The first thing is that there are actually two policy settings to consider: OWAEnabled and OneWinNativeOutlookEnabled (discussed in this article). Both settings need to be $true in the OWA mailbox policy assigned to user accounts to allow the new Outlook for Windows to load. It seems strange to have two settings, but it’s due to the technical debt accrued over the years managing OWA in Exchange Server and Exchange Online and the need to provide a control to deal with a new client. The fact that OWA and “Monarch” (the new Outlook for Windows) share a lot of code doesn’t help in some respects.
For the purpose of this debate, both OWAEnabled and OneWinNativeOutlookEnabled should be left as $true. In MC922623, Microsoft says keeping both settings at $true will have “no impact on users’ ability to access outlook for the web since the work was already done to block Outlook for the web with another policy.”
Well, that’s not strictly true (no pun intended). For instance, setting OWAEnabled to $false and OneWinNativeOutlookEnabled to $true might seem like the way to block OWA and allow the new Outlook. However, although this configuration blocks OWA, it also stops the new Outlook from being able to download or send messages. Another side-effect (aka, a bug) is that creating a message makes Outlook create multiple copies of the message in the Drafts folder. Overall, it’s best to play safe and ensure that both are kept at $true.
Updated CAS settings can take up to 15 minutes before they are effective.
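An added example, not from the original article or from Microsoft: a PowerShell function that sorts mailboxes by the two CAS settings so the problem combination described above is found before a conditional access policy goes live. The function name, state labels, and sample mailboxes are constructed for illustration; the property names are the ones Get-CASMailbox returns.

```powershell
# Added example: classify mailboxes by OWAEnabled and OneWinNativeOutlookEnabled.
function Get-OutlookCasState {
    [CmdletBinding()]
    param(
        # Any object carrying the properties that Get-CASMailbox returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$CasMailbox
    )
    process {
        # Assumption: a value that is missing or not $true is treated as disabled.
        $owa     = $CasMailbox.OWAEnabled -eq $true
        $monarch = $CasMailbox.OneWinNativeOutlookEnabled -eq $true

        if ($owa -and $monarch) {
            $state = 'OK'
            $note  = 'Both settings are $true; the new Outlook can load.'
        }
        elseif ((-not $owa) -and $monarch) {
            $state = 'Broken'
            $note  = 'OWA is blocked, but the new Outlook cannot download or send messages.'
        }
        else {
            $state = 'NewOutlookBlocked'
            $note  = 'The settings are not both $true; the new Outlook will not load.'
        }

        [pscustomobject]@{
            Mailbox                    = $CasMailbox.PrimarySmtpAddress
            OWAEnabled                 = $owa
            OneWinNativeOutlookEnabled = $monarch
            State                      = $state
            Note                       = $note
        }
    }
}

# Constructed sample objects standing in for Get-CASMailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'user1@contoso.example'; OWAEnabled = $true;  OneWinNativeOutlookEnabled = $true  }
    [pscustomobject]@{ PrimarySmtpAddress = 'user2@contoso.example'; OWAEnabled = $false; OneWinNativeOutlookEnabled = $true  }
    [pscustomobject]@{ PrimarySmtpAddress = 'user3@contoso.example'; OWAEnabled = $true;  OneWinNativeOutlookEnabled = $false }
)

# List only the mailboxes that need attention.
$sample | Get-OutlookCasState | Where-Object State -ne 'OK' | Format-Table -AutoSize

# Against a tenant (requires a connected Exchange Online PowerShell session):
# Get-CASMailbox -ResultSize Unlimited | Get-OutlookCasState | Where-Object State -ne 'OK'
```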
The Conditional Access Policy to Block OWA
The reference in MC922623 to “work done to block OWA” is to the conditional access policy (see instructions in the link above). What’s happening here is that Entra ID invokes the conditional access policy as part of its processing of inbound connections. If the inbound connection requests to use Office 365 Exchange Online (the app used by OWA – Figure 1), Entra ID can refuse the connection because the conditional access policy is configured to block OWA. The connection therefore terminates and never gets to Exchange Online for that server to process the connection and check the CAS mailbox settings to determine if mailbox access is permitted with the client.

The downside of using a conditional access policy is that blocking access to the Office 365 Exchange Online app also stops the Teams browser client working (the Teams desktop app continues to work because it uses a different app). I think the reason why this happens is that the Teams browser app shares some components with OWA (like the calendar). Entra ID sees an inbound connection attempting to use an OWA component and terminates the connection in line with the conditional access policy. The dependency of Teams on Exchange Online is listed in Microsoft’s service dependency for conditional access policies guidance.
The nice thing about conditional access policies is that updated settings or new policies become effective almost immediately (Figure 2). Immediacy can also be a bad thing if you make a mistake and lock yourself out of the tenant.

Sometimes Hard to Have Clean Lines in Microsoft 365
The complex interconnected nature of Microsoft 365 sometimes makes it difficult to have nice clean demarcations between applications and workloads. As we see here, blocking one app with a conditional access policy can have unexpected consequences for other apps.
It’s nice to have choices in how to manage clients, and it makes sense to use a conditional access policy if you have Entra P1 licenses and you can accept the downside of losing Teams browser access. Otherwise, stay with the CAS settings and block access the old way.