You can identify OWA (web browser) vs ActiveSync (Microsoft Exchange client) using a client check:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-2-0/apm_config_server_checks.html?sr=51220103205575
and you can check AD group membership with AD Query or LDAP Query:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/4.html?sr=51220171
Then it's just a matter of designing your VPE so the Allow and Deny are appropriate for the matches you want.