Control Windows Apps Access Email to Prevent Data Leakage using Intune

Let’s discuss how to control Windows apps’ access to email to prevent data leakage using Intune. The primary function of Microsoft Intune’s Let Apps Access Email policy is to control whether Universal Windows Platform (UWP) apps and other Windows apps have permission to access the user’s email data on the device.

With this policy, you can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

Configuring this policy provides many advantages for users, admins, and the organization. Admins can enable or disable the policy according to their preferences. Productivity and user experience can be enhanced with the Windows Apps Access Email policy.

Admins can ensure that employees only use approved, managed email clients (like the corporate version of Outlook, which has its own App Protection Policies) for work communication, maintaining control and auditability.

An organization sets the policy to Force Deny for all apps. An employee downloads a free, simple “Mail Organizer” app from the Microsoft Store. The app cannot read or access the corporate email, even if the user tries to grant it permission.

An organization uses a specialized, security-vetted Internal Help Desk Tool that needs to scan incoming support emails to automatically create tickets. The IT team retrieves the Package Family Name and sets a Force Allow override only for this specific, trusted app.
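The per-app override described above depends on the exact Package Family Name. The following is an added example, not code from the original post: it validates names before joining them into the semicolon-delimited list used by the Policy CSP's companion setting LetAppsAccessEmail_ForceAllowTheseApps (not named in this post). The function name, the app name, and the format check are assumptions.

```powershell
# Added example, not from the original post. Function and app names are hypothetical.
# Assumed PFN shape: <Name>_<PublisherId>, where PublisherId is 13 characters
# from the alphabet 0-9 a-z without i, l, o, u.
$PfnPattern = '^[A-Za-z0-9.\-]{3,50}_[0-9a-hjkmnp-tv-z]{13}$'

function ConvertTo-AppPrivacyList {
    param([Parameter(Mandatory)][string[]]$PackageFamilyName)

    $valid = foreach ($pfn in $PackageFamilyName) {
        $pfn = $pfn.Trim()
        # A PackageFullName (Name_Version_Arch__PublisherId) fails here; the
        # policy would never match it, so stop instead of deploying it.
        if ($pfn -notmatch $PfnPattern) {
            throw "Not a Package Family Name: '$pfn'"
        }
        $pfn
    }
    # Per-app lists are semicolon-delimited; duplicates are dropped.
    ($valid | Sort-Object -Unique) -join ';'
}

# Constructed sample value. On a device with the app installed, read it with
# Get-AppxPackage (Get-AppPackage is an alias of the same cmdlet):
#   (Get-AppxPackage -Name '*HelpDesk*').PackageFamilyName
$approved = @('Contoso.HelpDeskTool_1234567890abc')

# Default deny for every app, plus a Force Allow list for the vetted app only.
[pscustomobject]@{
    Default       = './Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail'
    DefaultValue  = 2   # Force deny
    Override      = './Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceAllowTheseApps'
    OverrideValue = ConvertTo-AppPrivacyList -PackageFamilyName $approved
}
```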

Steps to Configure Policy

Sign in to the Microsoft Intune admin center to configure the Let Apps Access Email policy. In the Intune admin center, go to Devices > Windows > Configuration > Create > New Policy.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.1

Profile Creation of Policy

After that, create a profile for the policy you want to configure. To create a profile, select the platform and the profile type. Here I selected Windows 10 and later as the Platform and Settings catalog as the Profile type. Then click the Create button.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.2

Filling Basic Details

On the Basic tab, you can add a Name and a Description for the policy for future reference. The Name identifies the purpose of the policy, and the Description gives more information. The Name is mandatory; the Description is optional. Click the Next button.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.3

Configure the Let Apps Access Email Setting

The Configuration settings page is where you select the settings for the policy. The Settings Catalog provides a huge number of settings. To select a setting, click the +Add settings hyperlink to open the Settings Picker. Choose Privacy and select Let Apps Access Email. Then close the Settings Picker.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.4

Available Values in Windows Apps Access Email

There are 3 values available for this policy. Each value can be chosen according to your organizational preferences. The table below shows the values and their details.

| Values | Details |
| --- | --- |
| User is in control | If you choose the “User is in control” option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device. |
| Force Allow | If you choose the “Force Allow” option, Windows apps are allowed to access email and employees in your organization can’t change it. |
| Force Deny | If you choose the “Force Deny” option, Windows apps aren’t allowed to access email and employees in your organization can’t change it. |
| Disable or don’t configure | If you disable or don’t configure this policy setting, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device. |

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Table.1
Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.5

Scope Tags

By using scope tags, you can restrict the visibility of the Windows Apps Access Email settings. Scope tags also help to organize resources. Here I skip this section because it is not mandatory. Click the Next button.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.6

Assign this Policy to Specific Groups

To assign the policy to specific groups, use the Assignments tab. Here I click the +Add groups option under Included groups, choose a group from the list of groups, and click the Select button. I then click the Select button again to continue.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.7

Final Step of Policy Creation

To complete the policy creation, review all the policy details on the Review + create tab. This helps to avoid mistakes and to configure the policy successfully. After verifying all the details, click the Create button. After the policy is created, you will get a success message.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.8

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the device from the Company Portal. Then open the Intune portal, go to Devices > Configuration, and search for the policy. Here, the policy shows as successful.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.9

Client Side Verification with Event Viewer

A success message does not by itself mean the policy has taken effect on the device. To verify that the policy was successfully applied to the client device, check the Event Viewer.

  • Open Event Viewer: Go to Start > Event Viewer.
  • Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
  • Filter for Event ID 813: This will help you quickly find the relevant logs.
Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.10
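The same check can be scripted. The following is an added example, not from the original post: it reads Event ID 813 from the log named above and reports the value applied for LetAppsAccessEmail, using the 0/1/2 meanings from the OMA-URI section. The function name is hypothetical, and the event message layout is an assumption shown in the constructed sample.

```powershell
# Added example, not from the original post. The function name is hypothetical.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$States  = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }

function Get-LetAppsAccessEmailState {
    param([Parameter(Mandatory)][string]$Message)

    # Assumed layout: "... Policy: (<name>), Area: (<area>), ... Int: (0x<hex>), ..."
    # The closing parenthesis keeps per-app variants of the policy from matching.
    if ($Message -notmatch 'Policy:\s*\(LetAppsAccessEmail\)') { return $null }
    if ($Message -notmatch 'Area:\s*\(Privacy\)')              { return $null }
    if ($Message -notmatch 'Int:\s*\((0x[0-9A-Fa-f]+)\)')      { return $null }

    $value = [Convert]::ToInt32($Matches[1], 16)
    $state = if ($States.ContainsKey($value)) { $States[$value] } else { 'Unknown value' }
    [pscustomobject]@{ Value = $value; State = $state }
}

# Constructed sample message, used when the log cannot be read (for example,
# when the script is not run on an enrolled Windows device).
$sample = 'MDM PolicyManager: Set policy int, Policy: (LetAppsAccessEmail), ' +
          'Area: (Privacy), EnrollmentID requesting merge: ' +
          '(00000000-0000-0000-0000-000000000000), Current User: (Device), ' +
          'Int: (0x2), Enrollment Type: (0x6), Scope: (0x0).'

$events = @()
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    # Get-WinEvent returns the newest events first.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813 } `
                             -ErrorAction SilentlyContinue)
}
$messages = if ($events.Count -gt 0) { $events.Message } else { @($sample) }

# The first parsed hit is the most recent value applied on the device.
$messages | Where-Object { $_ } |
    ForEach-Object { Get-LetAppsAccessEmailState -Message $_ } |
    Select-Object -First 1
```

A result of Value 2 with State "Force deny" confirms the setting arrived; no output means no matching 813 event was found, so the policy has not reached the device yet.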

Removing the Assigned Group from Windows Apps Access Email

If you want to remove the assigned group from the policy, you can do so from the Intune portal. To do this, open the policy in the Intune portal, edit the Assignments tab, and remove the assigned group.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.11

How to Delete Windows Apps Access Email

You can easily delete the policy from the Intune portal. From the Configuration section, you can delete the policy. It will be completely removed from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.12

CSP Details

The policy setting determines the default access level for Windows apps to a user’s email data. This policy is applicable for Windows 10, version 1607 [10.0.14393] and later.

Description Framework Properties

The description framework properties of the Windows Apps Access Email policy list each property name and its value. The table below shows more details.

| Property name | Property value |
| --- | --- |
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ;) |

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Table.2

Group Policy Mapping

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

| Name | Value |
| --- | --- |
| Name | LetAppsAccessEmail |
| Friendly Name | Let Windows apps access email |
| Element Name | Default for all apps. |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |

Control Windows Apps Access Email to Prevent Data Leakage using Intune – Table.3
Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.13

OMA URI Settings

The policy can also be configured through the CSP. To create OMA-URI settings, sign in to the Intune portal and go to Devices > Configuration. Click Create to start a new policy. Choose Windows 10 or later as the platform. For the Profile type, select Templates, then choose Custom. Provide a name for the policy, such as Enable Device Enumeration Policy, and add a description if needed.

  • Click on + Add under OMA-URI Settings to configure the specific setting.
  • To configure the OMA-URI setting, enter a Name and Description.
  • Enter the following OMA-URI path: ./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail
  • Enter the value:
    • 1 Force allow.
    • 0 (Default) User in control.
    • 2 Force deny.
  • After entering the above details, click the Save button.
Control Windows Apps Access Email to Prevent Data Leakage using Intune – Fig.14

Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM,  Windows, Cloud PC,  Entra, Microsoft Security, Career, etc.
