Public attachment handling in Exchange Online
Applies to: Exchange Online
Topic Last Modified: 2013-10-29
As an admin, you can set up both private and public attachment handling in Outlook Web App depending on how you configure your Outlook Web App mailbox policies. The settings for private (internal) and public (external) networks define how users can open, view, send, or receive attachments depending on whether a user is signed in to Outlook Web App on a computer that is part of a private or of a public network.
Although there are both private (internal network) and public (external network) settings to control attachments using Outlook Web App mailbox policies, admins require more consistent and reliable attachment handling when a user signs in to Outlook Web App from a computer on a public network such as at a coffee shop or library. To set up the ability to enforce attachment handling from external networks for an entire organization in Exchange Online, first use the Set-OrganizationConfig cmdlet, set the PublicComputersDetectionEnabled parameter to $true, configure the correct Outlook Web App mailbox policy either by using the Exchange Admin Center (EAC) or the Set-OwaMailboxPolicy cmdlet and create claim rules in AD FS. Enabling this setting the on the Set-OrganizationConfig cmdlet and creating the claim rules will enable Exchange Online to tell if a user is signing in to Outlook Web App from a private and public network or computer.
The Outlook Web App mailbox policy parameters in the following table should be set to $true to enable an admin to control attachment handling for public computers and networks.
| Shell parameter | Description |
|---|---|
| DirectFileAccessOnPublicComputersEnabled | Specifies left-click and other options available for attachments when the user has signed in to Outlook Web App from a computer outside of a private or corporate network. If this parameter is set to |
| ForceWacViewingFirstOnPublicComputers | Specifies whether a user who signed in to Outlook Web App from a computer outside of a private or corporate network can open an Office file directly without first viewing it as a webpage. |
| ForceWebReadyDocumentViewingFirstOnPublicComputers | Specifies whether a user who has signed in to Outlook Web App can open a document directly without first viewing it as a webpage. |
| WacViewingOnPublicComputersEnabled | Specifies whether a user who has signed into Outlook Web App from a computer outside of the corporate network can view supported Office files using Outlook Web App. |
| WebReadyDocumentViewingOnPublicComputersEnabled | Specifies whether WebReady Document Viewing is enabled when the user has signed in from a computer outside of the corporate network. |
-
Procedures in this topic require specific permissions. See each procedure for its permissions information.
-
Enable Outlook Web App on a user’s mailbox if it has been disabled.
-
Verify that cookies have been enabled in the Web browser for all of the users in your organization.
-
Set up and configure single sign on using AD FS:
-
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online using remote PowerShell.
-
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
 Tip: |
|---|
| Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.. |
Run the following command: Set-OrganizationConfig -PublicComputersDetectionEnabled $true
 Note: |
|---|
Setting this parameter to $true won’t affect the settings for the following parameters:
|
You must create a custom claim rule because an AD FS server relies on the presence of the x-ms-proxy claim to detect whether user is coming from an internal or external network. When an AD FS proxy is deployed for external or public access, and if the user is coming from outside a private network, there will be an x-ms-proxy claim sent from AD FS proxy to an AD FS server. To learn more about claim rules in AD FS, see Create a Rule to Send Claims Using a Custom Rule
-
On the Start Screen, type AD FS Management, and then press Enter.
-
In AD FS console tree, under AD FS\Trust Relationships > Relying Party Trusts and select Windows Azure Active Directory.
-
In Windows Azure Active Directory, click Edit Claim Rules > Add Rule > Issuance Transform Rules.
-
On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule from the list, and then click Next.
-
On the Configure Rule page under Claim rule name type the display name for this rule.
-
Under Custom rule, input the following:
exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "false");NOT exists ([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) => issue(Type = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value = "true"); -
Click Finish.
-
In the Edit Claim Rules dialog box, click OK to save the rule.
-
In the EAC, click Permissions > Outlook Web App policies.
-
In the result pane, click the mailbox policy you want to view or configure, and click Edit.
-
On File Access, use the check boxes to configure the file access and viewing options for users. File access lets a user open or view the contents of files attached to an email message.
File access can be controlled based on whether a user has logged on to a public or private computer. The option for users to select private computer access or public computer access is available only when you’re using forms-based authentication. All other forms of authentication default to private computer access.
-
Direct file access Select this check box if you want to enable direct file access. Direct file access lets users open files attached to email messages.
-
WebReady Document Viewing Select this check box if you want to enable supported documents to be converted to HTML and displayed in a web browser.
-
Force WebReady Document Viewing when a converter is available Select this check box if you want to force documents to be converted to HTML and displayed in a web browser before users can open them in the viewing application. Documents can be opened in the viewing application only if direct file access has been enabled.
-
-
Click Save to update the policy.
Run the following command: Set-OwaMailboxPolicy -id MyOWAPublicPolicy -DirectFileAccessOnPublicComputersEnabled $true -ForceWacViewingFirstOnPublicComputers $true -WacViewingOnPublicComputersEnabled $true -WebReadyDocumentViewingOnPublicComputersEnabled $true
An attachment can be a file that's created in any program, for example, a Word document, an Excel spreadsheet, a .wav file, or a bitmap file. Users can attach or include one or more files on any item that they create in their mailbox, for example, an email message, calendar item, or contact. Outlook Web App allows you to send and receive many common files types. Continuously
Some attachments might be removed or blocked by antivirus software used by your organization, by the organization of the recipients of your email, or you might be required to save them on your computer before you can open them. By default, Outlook Web App allows you to open attached Word, Excel, PowerPoint, text files and many media files directly. The files you can open from Outlook Web App vary depending on your account settings. The following table lists the default file name extensions that you can open in Outlook Web App.
| File name extensions allowed by default | .rpmsg, xls, .xlsx, .xlsm, .xlsb, .pptx, .pptm, .ppsx, .ppsm, .doc, .docx, .docm, .xls, .wmv, .wma, .wav, vsd, .txt, .tif, .rtf, .pub, .ppt, .png, .pdf, .one, .mp3, .jpeg, .gif, .doc, .bmp, .avi |
