Policy Management in New Outlook for Windows

Microsoft Technical Article

Overview: Managing the New Outlook for Windows

The transition to the new Outlook for Windows introduces a unified management framework that aligns the desktop experience more closely with Outlook on the web (OWA). For IT Administrators, this means that policy enforcement is primarily handled through a combination of Exchange Online PowerShell cmdlets and the Microsoft 365 Cloud Policy Service.

These policies are designed to safeguard corporate data, standardize user interfaces, and ensure regulatory compliance across the organization. Because the new Outlook shares a core architecture with OWA, most mailbox-level policies applied to one will automatically affect the other. A critical concept in this new ecosystem is the Primary Account—the initial account added to the application—which dictates app-wide configurations such as diagnostic data levels, themes, and general appearance settings.

Key Technical Details

1. Account Provisioning and Restrictions

  • Automated Primary Account Configuration: To streamline deployment on managed endpoints, admins can force the Primary Account to match the user’s Windows sign-in identity. This ensures that corporate policies are the foundation of the app experience.
    • Intune: Navigate to Apps > Policies for Microsoft 365 apps and enable “Require the Primary Account to match the Windows signed-in account.”
    • Registry: Set the value HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\outlookforwindows\primaryaccountmustmatchdevicesigninaccount to 1.
  • Restricting Personal Accounts: To prevent data leakage, admins can block the addition of personal accounts (Outlook.com, Gmail, etc.) using:

    Set-OwaMailboxPolicy -Identity [PolicyName] -PersonalAccountsEnabled $false

  • Domain Whitelisting: Limit account additions to specific corporate domains using the -AllowedOrganizationAccountDomains parameter in Set-OwaMailboxPolicy.

2. Mailbox Feature Governance (PowerShell)

Most granular user interface and functionality toggles are managed via Exchange PowerShell. Key cmdlets include:

  • Focused Inbox: Use Set-OrganizationConfig -FocusedInboxOn $false to disable this feature globally, though users may still have the option to toggle it individually unless further restricted.
  • Offline Functionality: Control whether the new Outlook can be used without an active internet connection via the -OfflineEnabledWin parameter in Set-OwaMailboxPolicy.
  • Attachment Handling: Define safe file interactions using -AllowedFileTypes and -BlockedFileTypes. Additionally, -AdditionalStorageProvidersAvailable can disable third-party cloud storage like Google Drive or Dropbox.
  • Security & Junk Mail: Admins can manage safelists and blocklists at the mailbox level using Set-MailboxJunkEmailConfiguration to maintain a strict security posture.
  • Digital Signatures: Prevent users from modifying or creating manual signatures by setting -SignaturesEnabled $false within the OWA Mailbox Policy.
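The account restrictions in section 1 and the feature toggles in section 2 are all properties of one OWA mailbox policy, so they can be audited together. The following script is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module is installed, that the policy under review is the default OwaMailboxPolicy-Default, and that contoso.com stands in for your own tenant domains.

```powershell
# Audit an OWA mailbox policy against the restrictions described above and preview remediation.
# Assumptions: ExchangeOnlineManagement module installed; policy name is the tenant default;
# 'contoso.com' is a placeholder domain list to replace with your own.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in; use certificate auth for unattended runs

$PolicyName     = 'OwaMailboxPolicy-Default'
$AllowedDomains = @('contoso.com')          # placeholder: corporate domains allowed for added accounts

# Expected baseline, keyed by the policy property each Set-OwaMailboxPolicy parameter maps to.
$Baseline = @{
    PersonalAccountsEnabled             = $false   # block Outlook.com / Gmail accounts
    AdditionalStorageProvidersAvailable = $false   # block Google Drive / Dropbox as attachment sources
    SignaturesEnabled                   = $false   # users cannot create or edit signatures
}

$policy = Get-OwaMailboxPolicy -Identity $PolicyName
$drift  = @()

foreach ($name in $Baseline.Keys) {
    $actual = $policy.$name
    if ($actual -ne $Baseline[$name]) {
        $drift += [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual }
    }
}

# The domain allow-list is a collection: an empty list means no restriction, and any domain
# outside the approved set is drift.
$current = @($policy.AllowedOrganizationAccountDomains)
$extra   = @($current | Where-Object { $_ -notin $AllowedDomains })
if ($current.Count -eq 0 -or $extra.Count -gt 0) {
    $drift += [pscustomobject]@{
        Setting  = 'AllowedOrganizationAccountDomains'
        Expected = ($AllowedDomains -join ',')
        Actual   = ($current -join ',')
    }
}

if ($drift.Count -eq 0) {
    Write-Output "$PolicyName matches the baseline."
} else {
    $drift | Format-Table -AutoSize
    # -WhatIf previews the change without applying it; remove it once the report is reviewed.
    Set-OwaMailboxPolicy -Identity $PolicyName `
        -PersonalAccountsEnabled $false `
        -AdditionalStorageProvidersAvailable $false `
        -SignaturesEnabled $false `
        -AllowedOrganizationAccountDomains $AllowedDomains `
        -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Because the new Outlook shares these policies with Outlook on the web, any drift reported here affects both clients, which is why the remediation is previewed before being applied.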

3. Cloud Policy and Privacy Controls

Features that integrate across the broader Microsoft 365 suite are managed via the Microsoft 365 Apps admin center (Cloud Policy):

  • Microsoft Loop: Control the insertion and sync of portable Loop components.
  • Diagnostic Data & Connected Experiences: Manage privacy-related telemetry and cloud-backed features (like location suggestions) through centralized privacy policies.
  • Support & Feedback: Admins can suppress the “Contact Support” option or the “In-product feedback” prompts to streamline internal helpdesk workflows.

4. Legacy Integration and PST Management

  • Classic Outlook Toggle: To prevent premature migration, admins can hide the “Try the New Outlook” toggle in classic Outlook via specific registry keys or Cloud Policies.
  • PST Support: While the new Outlook supports .pst files by default, this can be restricted using the -OutlookDataFile parameter in Set-OwaMailboxPolicy for the primary account.
  • Universal Outlook Blocking: To prevent the use of the built-in Windows Mail/Calendar apps, use Set-CASMailbox -Identity [User] -UniversalOutlookEnabled $false.

Impact on Administrators and Users

  • For IT Administrators: Centralization is the primary benefit. By leveraging existing OWA policies, admins gain a “configure once, deploy everywhere” capability. However, it requires a shift in mindset regarding “App-wide” vs. “Account-wide” settings, as the Primary Account holds significant weight over the overall application behavior.
  • For End Users: Users experience a highly standardized environment. On managed devices, the automated sign-in reduces friction during onboarding. Conversely, the restriction of personal accounts and specific storage providers ensures a clear boundary between professional and personal data.