Fix: Outlook Web App Can't Download Attachments
Why This Is Happening
I've seen this exact scenario play out in enterprise environments more times than I can count , Monday morning, half the office opens a ticket saying they can't download attachments in Outlook Web App, and suddenly IT is fielding thirty calls before 9 AM. What makes it especially maddening is that the error messages OWA gives you are nearly useless. You either get a generic browser pop-up that says "download blocked" or the file just silently fails , no error code, no explanation, nothing actionable.
So what's actually going on? There are several distinct causes, and knowing which one you're dealing with changes everything about how you fix it.
The most common culprit is a Microsoft 365 service-side incident. When Microsoft's Exchange Online or SharePoint Online infrastructure has a hiccup, even a partial one that affects specific regions or tenants, OWA attachment downloads are often the first thing to break. You'll see this flagged in the Microsoft 365 Service Health Dashboard under incident IDs like EX###### (Exchange) or SP###### (SharePoint). The frustrating part? It can look exactly like a client-side browser problem, so admins waste hours chasing the wrong thing.
The second most common cause is a browser security policy conflict. Modern browsers, Chrome, Edge, Firefox, all have built-in download protection. When those settings collide with OWA's attachment-serving headers, or when a corporate proxy strips or modifies those headers in transit, the download silently fails. This is especially common after a browser auto-update or after your IT team pushes a new Group Policy for browser security.
Third: OWA's own attachment-handling policies inside Exchange Online or Exchange Server. Administrators can block specific file types, restrict downloads to managed devices only, or enforce Conditional Access policies that prevent downloads on non-compliant endpoints. If your organization recently rolled out Microsoft Intune, Defender for Cloud Apps, or updated an Azure AD Conditional Access policy, that could have silently locked down attachment downloads for certain users or device types.
Fourth: cached session tokens and browser corruption. OWA keeps authentication tokens in your browser session. When those tokens expire mid-session or become corrupted, which happens more after long idle periods or after password changes, certain OWA functions like attachment downloads break while the rest of the interface appears to work normally.
Who sees this most? Typically, it hits multiple users simultaneously when it's a service incident or a policy change. If it's affecting just one person, lean toward browser cache, session token, or device compliance issues first. Either way, this guide walks you through every layer, from the 30-second fix to the deep admin-level diagnosis. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go anywhere near Group Policy or Exchange admin panels, try this. It resolves the Outlook Web App attachment download not working problem in the majority of cases where it's browser-related, and it takes under two minutes.
Open OWA in a private/incognito window and try downloading the attachment again.
Here's exactly how to do it in each browser:
- Microsoft Edge: Press Ctrl + Shift + N to open an InPrivate window
- Google Chrome: Press Ctrl + Shift + N for Incognito
- Firefox: Press Ctrl + Shift + P for Private Browsing
Once the private window opens, navigate to outlook.office.com, sign in with your Microsoft 365 credentials, open the email with the attachment, and click the download icon. If the file downloads successfully in private mode, your problem is a corrupted browser cache or a conflicting browser extension in your normal profile, and you can jump straight to Step 1 below to fix it permanently.
If the download still fails in private mode, that rules out browser-side cache and extensions. Now you're dealing with either a service incident, a policy restriction, or a network-level block, and you need to work through the full steps below.
Also check the Microsoft 365 Service Health Dashboard right now. If you're an admin, go to admin.microsoft.com → Health → Service Health. If there's an active Exchange Online incident, it will be listed there with an incident ID and status. Non-admins can check the public Microsoft 365 Status page at status.office365.com, it won't show tenant-specific issues, but active widespread incidents do appear there. Don't spend an hour troubleshooting client-side if Microsoft is already aware and working a fix.
If the private window test worked, your normal browser session is carrying corrupted data, cached OWA assets, an expired authentication cookie, or both. Clearing the cache properly (not just a quick Ctrl+F5) solves this cleanly.
In Microsoft Edge or Chrome, press Ctrl + Shift + Delete. A dialog opens. Set the time range to All time. Check all of the following boxes:
- Browsing history
- Download history
- Cookies and other site data
- Cached images and files
Click Clear data (Edge) or Clear data (Chrome). This takes 10–60 seconds depending on how much is cached.
In Firefox, go to Settings → Privacy & Security → Cookies and Site Data → Clear Data. Check both "Cookies and Site Data" and "Cached Web Content," then click Clear.
After clearing, close the browser completely, don't just close the tab, close the whole window. Re-open it, navigate to outlook.office.com, and sign in fresh. Signing out of OWA first is also worth doing: click your profile picture in OWA → Sign out → then close and reopen the browser before signing back in. This forces a clean token refresh.
If you're in an enterprise environment where your browser is managed by Group Policy, you may not have permission to clear certain categories. In that case, skip to Step 3 and have an admin check the policy settings instead.
What you should see: After signing back into OWA, navigate to an email with an attachment and click the download icon. The file should prompt you to save normally. If it still fails, move to Step 2.
Security extensions, ad blockers, and download managers can all intercept OWA's attachment download mechanism and block it silently. This is one of the sneakiest causes of the Outlook Web App file download failing problem because everything else in OWA works fine, only attachments break.
In Microsoft Edge, go to edge://extensions/ in the address bar. Toggle off every extension, one at a time, then try the OWA attachment download after each one. The usual suspects I've seen cause this are: uBlock Origin, Privacy Badger, Cisco Umbrella browser extensions, Zscaler Web Security, and corporate proxy extensions.
In Chrome, go to chrome://extensions/ and do the same.
Additionally, check your browser's built-in pop-up blocker. OWA sometimes opens attachment downloads in a new tab or pop-up window, and if that's blocked, the download appears to fail even though OWA actually triggered it correctly.
In Edge: Settings → Cookies and site permissions → Pop-ups and redirects. Add outlook.office.com and outlook.office365.com to the Allow list.
In Chrome: Settings → Privacy and security → Site settings → Pop-ups and redirects. Add the same two domains to Allow.
Sites to add to your browser Allow list:
https://outlook.office.com
https://outlook.office365.com
https://attachments.office.net
https://*.sharepoint.comThe attachments.office.net domain is important, OWA often serves actual attachment file data from that hostname, and many pop-up blockers and security extensions treat it as a third-party domain and block it by default.
What you should see: With extensions disabled and the domains allowed, attempt the attachment download again. A save dialog should appear or the file should land in your Downloads folder automatically.
When multiple users in your organization can't download attachments in Outlook Web App at the same time, this is your most important step. A Microsoft 365 service incident will not be fixed by anything you do on the client side, you need to identify it, understand its scope, and communicate it to your users while Microsoft works the fix.
Sign in at admin.microsoft.com with a Global Admin or Service Support Admin account. In the left navigation, go to Health → Service Health. Look at the Exchange Online and Microsoft 365 suite rows. Active incidents show a red circle icon; advisories show yellow.
Click any active Exchange Online incident to expand it. You'll see:
- The incident ID (format:
EX######) - Affected features, look for "Outlook on the web" or "Attachment downloads"
- User impact description
- Current status and next update time
- Mitigation steps Microsoft recommends
You can also pull service health data programmatically using PowerShell and the Microsoft Graph API, useful if you need to build an alert or pull history:
# Connect to Microsoft Graph (requires ServiceHealth.Read.All scope)
Connect-MgGraph -Scopes "ServiceHealth.Read.All"
# Get current Exchange Online service issues
Get-MgServiceAnnouncementIssue -Filter "service eq 'Exchange Online'" |
Select-Object Id, StartDateTime, Status, Title |
Format-Table -AutoSizeIf an active incident covers OWA attachment downloads, document the incident ID and share it with affected users. There's nothing further to do on your end, Microsoft's engineers are working it. Post updates in your internal IT channel so users aren't submitting duplicate tickets.
If there's no active incident listed, you're dealing with something tenant-specific or client-specific, and you move on to the next steps.
What you should see: Either an active incident that explains the problem, or a clean health dashboard that confirms you need to keep digging.
Exchange Online has a specific set of policies that control exactly what OWA users can and can't do, including whether they can download attachments at all. I've walked into organizations where a well-meaning admin locked down OWA file access months ago and nobody documented it, causing confusion when new users couldn't figure out why they couldn't save email attachments.
There are two layers to check: the OWA Mailbox Policy assigned to the affected user, and the Organization-level OWA policy.
Connect to Exchange Online PowerShell first:
# Install and connect Exchange Online Management module
Install-Module -Name ExchangeOnlineManagement -Force
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.comNow check what OWA Mailbox Policy is assigned to the affected user and what that policy allows:
# Find the OWA policy assigned to the user
Get-CASMailbox -Identity "user@yourdomain.com" | Select OwaMailboxPolicy
# Check that policy's attachment settings
Get-OwaMailboxPolicy -Identity "OWAMailboxPolicy-Default" |
Select DirectFileAccessOnPublicComputersEnabled,
DirectFileAccessOnPrivateComputersEnabled,
ForceWacViewingFirstOnPublicComputers,
ForceWacViewingFirstOnPrivateComputers,
WacViewingOnPublicComputersEnabled,
WacViewingOnPrivateComputersEnabled |
Format-ListThe key settings here: DirectFileAccessOnPrivateComputersEnabled and DirectFileAccessOnPublicComputersEnabled control whether users can download files directly. If either is set to False, users on those device types cannot download attachments, they can only view them in the browser via Office Online viewer. To re-enable direct downloads:
# Re-enable direct file access for private computers
Set-OwaMailboxPolicy -Identity "OWAMailboxPolicy-Default" `
-DirectFileAccessOnPrivateComputersEnabled $true `
-DirectFileAccessOnPublicComputersEnabled $trueChanges take effect within 60 minutes, or you can have affected users sign out and back into OWA to pick up the policy update faster.
What you should see: After the policy update, affected users should be able to download attachments directly from OWA without being forced into the browser-based viewer.
This is the fix that catches organizations off guard the most. If your tenant uses Azure AD Conditional Access (now called Microsoft Entra Conditional Access), and most organizations with Microsoft 365 Business Premium or E3/E5 do, a policy might be blocking attachment downloads on devices that aren't marked as compliant or joined to Azure AD. The user sees the OWA interface just fine, can read emails, but can't download files. From their perspective, it looks like OWA is broken. From your perspective as an admin, it's working exactly as configured.
Sign in to the Microsoft Entra admin center at entra.microsoft.com. Go to Protection → Conditional Access → Policies. Look for any policy with these characteristics:
- Target apps include Office 365 Exchange Online
- Grant controls include Require device to be marked as compliant or Require Hybrid Azure AD joined device
- Session controls include Use app enforced restrictions or a Defender for Cloud Apps session policy
If a session policy is in play via Defender for Cloud Apps (formerly MCAS), sign into the Microsoft Defender portal at security.microsoft.com, go to Cloud Apps → Policies → Session policies, and look for any policy targeting Exchange Online or OWA with a Block download action. These session policies are the number one cause I see for OWA attachment downloads being blocked on unmanaged or non-compliant devices:
# Check if App-Enforced Restrictions are applied via PowerShell
Get-CASMailbox -Identity "user@yourdomain.com" |
Select OWAEnabled, OwaMailboxPolicy, ActiveSyncEnabledFor the affected user to download attachments, their device either needs to become compliant (enrolled in Intune, passing all compliance checks) or an admin needs to carve out a named location or device filter exception in the Conditional Access policy. Don't disable the policy outright, scope a proper exclusion instead to maintain your security posture.
What you should see: Once the device is compliant or the policy exception is in place, the user should be able to download OWA attachments normally. You can verify compliance status in the Intune admin center at intune.microsoft.com under Devices → All devices.
Advanced Troubleshooting
If you've worked through all five steps and the Outlook Web App attachment download error is still happening, it's time to go deeper. Here are the diagnostic paths I use when standard fixes don't land.
Check Event Viewer and ULS Logs (On-Premises Exchange)
If you're running Exchange Server on-premises rather than Exchange Online, OWA attachment issues often generate events in the Windows Event Viewer on the CAS (Client Access Server) role. Open Event Viewer and look under Applications and Services Logs → Microsoft → Exchange → HttpProxy. Filter for Event IDs 1003, 3005, and 3006, these cover OWA proxy failures and authentication errors. Also check the Exchange setup logs at C:\ExchangeSetupLogs\ and the HttpProxy logs at:
C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\OWALook for lines with HTTP 500 errors, 403 Forbidden responses, or any line referencing attachment or download in the request path.
Fiddler / Network-Level Diagnosis
When you need to see exactly what's happening at the HTTP layer, Fiddler Classic is your friend. Install it, enable HTTPS decryption, and replicate the download attempt in OWA. Look for the request to attachments.office.net or the OWA /attachment.ashx endpoint. A blocked download will show a 403 or 0 (connection reset) response. A Defender for Cloud Apps block specifically returns an HTTP 403 with a response body containing a Defender for Cloud Apps block page HTML. That's your confirmation of a session policy block.
Group Policy: Browser-Managed Download Settings
In domain-joined environments, browser behavior is often controlled by Group Policy. Open Group Policy Management Console (GPMC) and check the policies applied to affected machines. The relevant GPO paths for Edge are:
Computer Configuration → Administrative Templates →
Microsoft Edge → Downloads → Allow download restrictions
User Configuration → Administrative Templates →
Microsoft Edge → Content settings → Allow pop-ups on specific sitesFor Chrome (via Chrome ADMX templates):
Computer Configuration → Administrative Templates →
Google → Google Chrome → Default download directory
User Configuration → Administrative Templates →
Google Chrome → Content Settings → Pop-ups allowed for URLsRun gpresult /h gpresult.html on the affected machine and open the resulting HTML file to see exactly which policies are applied and from which GPO they originate. This is far faster than manually hunting through GPMC.
Verify DNS and Network Proxy
OWA attachment downloads rely on several Microsoft CDN and storage endpoints. If your corporate proxy or DNS filtering (Cisco Umbrella, Zscaler, etc.) is blocking requests to *.office.net or *.officeapps.live.com, downloads will silently fail. Check your proxy bypass list includes:
*.office.net
*.officeapps.live.com
*.cdn.office.net
attachments.office.net
*.sharepoint.comPrevention & Best Practices
Once you've fixed the immediate OWA attachment download not working problem, it's worth spending 30 minutes making sure it doesn't catch you off guard again. Most of the pain I see around OWA attachment issues comes from reactive firefighting that could have been avoided with a few proactive configurations.
Set up Microsoft 365 Service Health alerts. You should never be hearing about a service incident from your users before you see it in the admin portal. Go to admin.microsoft.com → Health → Service Health → Customize and configure email notifications for Exchange Online incidents. You can also set up a Microsoft Flow/Power Automate workflow that posts alerts to a Teams channel the moment a new incident is opened for Exchange Online.
Document your OWA Mailbox Policies. Export your current OWA policy settings to a reference document quarterly. Changes made by admins, especially in large IT teams, rarely get documented, and that's how you end up with a mystery restriction three months later. This PowerShell one-liner exports everything:
Get-OwaMailboxPolicy | Export-Csv -Path "OWAPolicies_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformationTest OWA attachment downloads as part of your change management process. Any time you modify Conditional Access policies, deploy a new Intune compliance policy, update browser Group Policy settings, or push a proxy/firewall rule change, include an OWA attachment download test in your change validation checklist. It takes 60 seconds and catches the most common post-change breakage pattern immediately.
Keep a known-good test mailbox. Maintain a dedicated test account with a licensed mailbox that you can use to quickly validate OWA functionality after any infrastructure change. Drop a test file into that mailbox's inbox and use it as your canary for OWA health checks.
- Subscribe to Microsoft 365 Service Health email alerts for Exchange Online, takes 2 minutes and saves hours of misdirected troubleshooting
- Add
outlook.office.comandattachments.office.netto your proxy and DNS bypass lists proactively, before they cause issues - Run a quarterly OWA policy export and diff it against the previous quarter, unexpected changes jump right out
- Pin the Microsoft 365 admin portal's Service Health page to your browser bookmarks bar, make it the first thing you check whenever users report any Microsoft 365 issue
Frequently Asked Questions
Why can I open attachments in the Outlook desktop app but not in Outlook Web App?
The Outlook desktop client and OWA use entirely different code paths to retrieve attachments. The desktop app communicates directly with Exchange via MAPI or EWS protocols, while OWA goes through a web-based proxy that applies its own policy set. It's completely possible, and actually common, for an OWA Mailbox Policy setting like DirectFileAccessOnPrivateComputersEnabled to block browser-based downloads while the desktop client remains unaffected. Conditional Access session policies via Defender for Cloud Apps also apply only to web app sessions, leaving the native client untouched. So if desktop Outlook works fine but OWA can't download attachments, start your investigation with OWA-specific policies rather than Exchange mailbox settings.
OWA says "your organization's policies are preventing this download", what does that mean exactly?
That message is triggered by one of three things: an OWA Mailbox Policy with DirectFileAccessOnPrivateComputersEnabled set to False, a Defender for Cloud Apps (Microsoft Defender for Cloud Apps) session policy with a "Block download" action applied to Exchange Online, or an Azure AD Conditional Access policy that enforces app restrictions via the "Use app enforced restrictions" session control. To find out which one is active, check your OWA Mailbox Policy settings via Exchange Online PowerShell, then check Defender for Cloud Apps session policies, then review Conditional Access. The policy that's responsible will usually be the most recently modified one.
OWA attachment download is broken for only one specific user, everyone else is fine. What should I check?
Single-user attachment problems almost always come down to one of four things: the user has a different OWA Mailbox Policy assigned (check with Get-CASMailbox -Identity user@domain.com | Select OwaMailboxPolicy), their device is non-compliant in Intune and a Conditional Access policy is blocking them specifically, their browser profile is corrupted (incognito window test will confirm this quickly), or their account license has been changed and they're now missing a required service plan. Check their license assignment in admin.microsoft.com and make sure Exchange Online Plan 1 or Plan 2 is active and not in a suspended state.
How do I tell if the Outlook Web App attachment problem is a Microsoft service outage versus something on our end?
The fastest way is to check the Microsoft 365 Service Health Dashboard at admin.microsoft.com → Health → Service Health and look for active Exchange Online incidents. If there's nothing listed there but your users are affected, check whether the problem is limited to your tenant by asking a contact at a different organization to test OWA attachment downloads on their tenant. If it works for them and not you, it's tenant-specific and on your end. If they're also broken, it may be a broader incident not yet reflected in the dashboard, Microsoft sometimes takes 15–30 minutes to post new incidents.
After fixing the OWA attachment download issue, how long until users can download files again?
It depends on what you changed. OWA Mailbox Policy changes propagate to user sessions within about 60 minutes in Exchange Online, but you can accelerate this by having users sign out of OWA completely (click profile picture → Sign out), clear their browser cookies, and sign back in. Conditional Access policy changes in Azure AD/Entra take effect on the next authentication, so signing out and back in typically picks up the change immediately. If the fix was browser-side (clearing cache, re-enabling pop-ups), it's instant, the next download attempt will work. Service health incidents resolve on Microsoft's timeline, which they post in the incident updates.
Can I force OWA to always open attachments in the browser instead of downloading them, or vice versa?
Yes, this is controlled by the ForceWacViewingFirstOnPrivateComputersEnabled and ForceWacViewingFirstOnPublicComputersEnabled settings in your OWA Mailbox Policy. When set to True, clicking an Office attachment (Word, Excel, PowerPoint) opens it in the Office Online viewer in the browser before the user gets an option to download. Set to False, the download option is presented immediately. You can configure this per policy via Exchange Online PowerShell with Set-OwaMailboxPolicy. Keep in mind that for non-Office file types like ZIP, PDF, or images, the DirectFileAccessOnPrivateComputersEnabled setting governs the behavior instead.