In today’s data-driven world, organizations place strong emphasis on safeguarding sensitive information and preventing potential data breaches.
One significant risk arises from the unauthorized export of PST files from the Outlook application, which can lead to unintended exposure of internal data.
This article explains the challenges associated with restricting PST file exports and provides clear steps to implement effective controls in both new Outlook and classic Outlook clients.
Challenges
Organizations often support multiple Outlook versions — the new Outlook (modern app) and classic Outlook clients (Outlook 2016, Outlook 2019, and Microsoft 365 Classic App).
Because these applications operate differently, separate methods are required to restrict PST export for each type:
Restricting PST Export in New Outlook
To restrict PST export in the new Outlook app, you can configure an OWA mailbox policy using Exchange Online PowerShell.
Step 1: Connect to Exchange Online PowerShell
Connect-ExchangeOnline
Step 2: View Existing OWA Policies
To review existing policies, run:
Get-OwaMailboxPolicy | fl Name, OutlookDataFile
Step 3: Create or Modify an OWA Mailbox Policy
You can either create a new OWA policy for specific users or modify the default one to apply the restriction organization-wide.
Create a new policy:
New-OwaMailboxPolicy -Name "Legal-Department-OwaMailboxPolicy"
Configure PST export restriction:
Set-OwaMailboxPolicy -Identity "Legal-Department-OwaMailboxPolicy" -OutlookDataFile NoExportNoOpenNoGrow
OutlookDataFile Parameter Options
| Setting | Description |
|---|
| Allow | The default setting. Users can open, import, export, and copy items to/from .pst files. |
| NoExport | Prevents exporting data from a mailbox to a .pst file. |
| NoExportNoGrow | Prevents exporting or copying items to a .pst file. |
| NoExportNoOpen | Prevents exporting and opening new .pst files. |
| NoExportNoOpenNoGrow | Prevents exporting, opening, or copying items to .pst files. |
| Deny | Fully restricts access — users cannot open, import, export, or copy .pst files. |
Step 4: Assign the Policy to a Mailbox
Apply the new OWA policy to the desired mailbox:
Set-CASMailbox -Identity "[email protected]" -OwaMailboxPolicy "Legal-Department-OwaMailboxPolicy"
Verify the policy assignment:
Get-CASMailbox -Identity "[email protected]" | Select OwaMailboxPolicy
Note: Policy changes may take up to 60 minutes to take effect.
Once applied, users in the new Outlook client will no longer see the PST export option, preventing data export through Outlook.
Restricting PST Export in Classic Outlook
For classic Outlook clients (Outlook 2016, 2019, and Office 365 Classic App), PST export can be disabled using Group Policy Objects (GPOs) in Active Directory.
Step 1: Prepare Administrative Template Files
Log in to the Active Directory (AD) server with the necessary permissions to create and edit GPOs.
Download the latest Office Administrative Template files (ADMX/ADML) from Microsoft: Download Office ADMX Templates
Copy the downloaded .admx and .adml files to: C:\Windows\PolicyDefinitions
Step 2: Configure Group Policy
Open the Group Policy Management Console (GPMC).
Create a new Group Policy Object (GPO) or edit an existing one.
Navigate to: User Configuration > Administrative Templates > Microsoft Outlook 2016 > Disable Items in User Interface > Custom > Disable command bar buttons and menu items.
![Screenshot 2025-10-28 221127]()
Double-click Disable command bar buttons and menu items.
Set the policy to Enabled.
![Screenshot 2025-10-28 221057]()
Click "Show".
In the Command IDs field, add the following value: 2577 (This command ID corresponds to the “Export to a file” option in Outlook.)
![Screenshot 2025-10-28 221009]()
Click Apply and OK to save the changes.
Step 3: Apply and Test the Policy
Link the newly created GPO to the relevant Organizational Unit (OU) that contains the target user accounts.
Once the policy is applied, users within that OU will no longer see or be able to use the “Export” option in Outlook.
Conclusion
By combining Exchange Online OWA policy settings with Group Policy configurations, organizations can effectively block PST exports in both modern and classic Outlook clients.
This approach strengthens data governance, minimizes the risk of unauthorized data extraction, and enhances the overall security posture of the organization.