Disable OWA for Devices by Policy
Exchange Online has a PowerShell command Set-OwaMailboxPolicy. In that policy, you should be able to disable OWA for Devices.
The only way to currently disable OWA for Devices is on a per mailbox basis. The only way to currently disable OWA for Devices is on a per mailbox basis via GUI or the PowerShell command, Set-CasMailbox -OwaForDevicesEnabled:0.
OWA for Devices should be considered a security risk by any org currently using Intune and and Azure AD Conditional Access because it doesn't obey MDM Compliance & Conditional Access policies.
OWA for Devices also doesn't use modern authentication by default and thus steps around MFA for any organization that doesn't use enforced Azure MFA (many companies would prefer to use Conditional Azure MFA due to using compliance and DJ as a second factor).
This is a serious security risk that I'm hoping will be addressed quickly. Please feel free to reach out if you'd like to discuss.