MVPs for Office 365: How to create a secured kiosk access with Office 365?

Editor’s Note: The following is a guest post by Office 365 MVP Arnaud
 as part of the MVP Award Program Blog’s “MVPs for Office 365” series. Arnaud drives technical projects for French
corporate companies on directories, messaging systems, security, virtualization
solutions, and windows client & server platforms.
  An MVP since 2004, he works as senior architect on Office 365, Exchange
Online and Exchange Server at Capgemini ( 

He’s a frequent speaker at Microsoft events and
formed part of the editorial board of Exchange Magazine in France ( In addition, Arnaud
represents the French Exchange Server community group, which contains more than
3,500+ members. (” 

How to create a secured kiosk access with Office 365?

Among the many new functionalities, it is interesting to analyze the “quantum leap” that Microsoft Office365 realizes in terms of administration and user access strategies in comparison with BPOS v1. Previously, the configuration of administration of BPOS was limited to indicate which user was administrator of the platform, and which one was only user.

Some commands (PowerShell cmdlets) for delegation or, for example, for changing user password were available, whereas it was necessary to open an incident ticket on the Microsoft Online Administration Center (MOAC) for many other operations.

As Jon Orton (a product manager on the Exchange team) stated recently, in Office 365, Exchange Online adds the capabilities of Exchange Server 2010 to the benefits described above. Here are just a few of the new features to look forward to:

1. Compliance and archiving: Exchange Online provides the robust archiving and eDiscovery capabilities of Exchange Server 2010, with built-in personal e-mail archives, multi-mailbox search, retention policies, transport rules, and optional legal hold to preserve email.

2. Management Tools: The Web-based Exchange Control Panel from Exchange Server 2010 is available in the cloud, so you can manage policies, security, user accounts. You can also use PowerShell to manage all aspects of your hosted Exchange environment remotely across the Internet.

3. Role-based access control: You can delegate permissions to responsible users based on job function, without giving them access to the entire management interface. This means tasks such as performing multi-mailbox searches no longer have to be the sole responsibility of IT.

4. Enhanced web experience: The premium Outlook Web App experience is available in Internet Explorer, Firefox, and Safari. Instant messaging integration allows users to chat from right within OWA.

5. Coexistence/migration: You can move users to Exchange Online over a weekend with new lightweight, cloud-based migration tools. Or, you can connect your Exchange 2003/2007/2010 environment to the cloud and enjoy rich coexistence, which lets you share calendar free/busy data between cloud and on-premises users, and migrate at whatever pace you want.

In this article, I am going to use three of the new functions of Office 365 to configure and secure mail usage in public zones:

Step 1: Create a kiosk account and associate a K1 plan license (Kiosk).

Step 2: Create a new role based access control (RBAC) in order to prevent that the users reach the ECP (Exchange Control Panel) or change their password.

Step 3: Create a new policy and set it to limit the functionalities being able to be used with OWA and apply the new policy on the CAS for the kiosk account.

Note: Unfortunately, the Office365 version of Set-CASMailbox does not have -ECPEnable switch implementation and the Office365 version of Set-OWAMailboxPolicy does not have -ChangePasswordEnable switch implementation either. The only way to tackle this is through RBAC. Instead of attempting to directly set OWA policy, create a new User Role Assignment Policy and make sure that “My Base Options” is NOT checked. Assign this role to whatever user mailboxes you wish, and make sure that anyone accessing that mailbox will not have ECP permissions.

Step 1: Create a kiosk account and associate K1 license

1. Go to the Office 365 user portal ( and sign-in with an admin account


2. Select “Admin” to open the administration portal, then click on “New user” in “Administrator shortcuts”


3. Create the new account (in my demo: Assign user role (non admin) and the location, and most importantly, choose K1 license plan.

Step 2: Create a new secure role based access control

1. On the Office 365 admin home page, select Exchange Online, Manage.

2. On the Exchange Online Control Panel (ECP), select Roles & Auditing, User Roles, create a new Role Assignment Policy (example: “Secured Public Kiosks Policy”), and keep “MyBaseOptions” unchecked.

3. On Users & Groups, select the Kiosk Principal Hall, click on Details. Go to Mailbox Settings and change the role assignment policy.

Step 3: Define a new secure policy

1. Open a PowerShell v2 session. Note: you need to authorize at least RemoteSigned scripts to run on your computer. To change the Set-ExecutionPolicy, you need to run PowerShell with local admin account rights.

2. Connect on Office365 tenant as admin.

3. Create a new OWA policy “Public kiosks”

4. Set the OWA policy. In the example presented here, I remove Calendar switches from the OWA. In a similar way, I can configure hundreds of switches in the following categories: Outlook Web App (OWA), Exchange ActiveSync, Federated Calendar Sharing, User Role Assignment, Mail retention, FOPE (Forefront Online Protection for Exchange), Exchange UM policies, and Throttling policies.

5. Apply the OWA Policy for users on the Office 365 CAS

Note : An overview of Get-OwaMailboxPolicy switches


As you can clearly see, Office 365 provides us with settings on a granularity level as yet unknown. At Capgemini, this gives us the possibility to accompany our customers in the implementation as well as in the fine-grained   integration of Office365 in conformity with the administrative teams in place.

For the scheduling of your project, especially if you are not familiar with Microsoft SharePoint 2010 and Microsoft Exchange 2010, I advise you to move your mailboxes to Microsoft Office 365 first. Then, you can refine the granularity of your solution in a second phase. 

However, within the framework of large projects, the first stage consists of a fundamental functional study of RBACs and policies, which is a big change in Office365 compared to BPOS. They will have to be implemented and tested during a pilot phase or a proof of conception before the production settings and the migration of the users towards Office365.

Comments (0)