Conditional Access: Session Controls for Exchange Online (Outlook on the Web)
Expand the cloud app Session Controls area to be able to apply OWA policies on-the-fly.
Allow admins to do things like block download access unless the user is within a trusted location or on a compliant or domain joined device.
Effectively this, but without the need for ADFS: https://technet.microsoft.com/en-us/library/dn530630(v=exchg.150).aspx
Combining that with the SharePoint session controls will result in a more complete browser-only experience for unmanaged/untrusted devices.
Francois Peroux commented
Did you try MCAS for this purpose? (Microsft Cloud Access Security). This kind of control is available with it.
This would be fantastic. I'd really like more control over who can and can't download from OWA (and save to OneDrive). I might want to only allow domain join/compliant devices or allow specific users if they use MFA.
The OWA policy is too broad for this.
Would really like to see this.
Chris Moore commented