Step-By-Step: Blocking Outside Apps from Accessing Exchange Web Services

In the era of BYOD, the ask has probably been put forth to block specific apps from accessing Office 365 / Exchange Online. There are many security reasons why the ask to block applications from using Exchange Web Services (EWS) would occur. My intent in writing this post was not to call out any specific app; rather, the app shown in the following post happened to be the one that I was asked to block by a client because it did not meet their corporate security policy.

The Set-OrganizationConfig command is used to block applications from accessing EWS, and it takes two EWS-related parameters: the access policy, and the allow list or block list that the policy enforces.

Let's first review your organization and see if you have a Block List setting and if there are applications in there.

Step 1: Connect to Exchange Online with PowerShell

See the video for instructions on connecting PowerShell to Exchange Online:

Enter the following commands in PowerShell:

# Prompt for the credentials of an Exchange Online administrator
$UserCredential = Get-Credential

# Open a remote PowerShell session to Exchange Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

# Import the Exchange Online cmdlets into the local session
Import-PSSession $Session

Step 2: Verify Existing Settings

Enter the following commands in PowerShell:

Get-OrganizationConfig | ft Name,EwsApplicationAccessPolicy,EwsBlockList,EwsAllowList

The results listed above report that EwsApplicationAccessPolicy is not set and that both the EwsBlockList and the EwsAllowList are empty.

Step 3: Understand the Process (EwsApplicationAccessPolicy and EwsBlockList or EwsAllowList)

Most companies only wish to target specific apps to block. There are two methods of blocking applications. They are as follows:

  1. Block everything except what is on the allow list; EnforceAllowList

  2. Allow everything except what is listed on the block list; EnforceBlockList

-EwsApplicationAccessPolicy <EnforceAllowList | EnforceBlockList>

The EwsApplicationAccessPolicy parameter defines which applications other than Entourage, Mac Outlook, and Outlook can access EWS. If set to EnforceAllowList, only applications specified in the EwsAllowList parameter are allowed access to EWS. If set to EnforceBlockList, every application is allowed access to EWS except the ones specified in the EwsBlockList parameter.

-EwsBlockList

The EwsBlockList parameter specifies the applications that can’t access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceBlockList.

-EwsAllowList

The EwsAllowList parameter specifies the applications (user agent strings) that can access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceAllowList.

Step 4: Enable the Block List and add an Application

This method will show how to allow all applications (that use EWS) and block only the ones on the block list. You’ll see the command to block a specific application, followed by the confirmation command.

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"CloudMagic*"

After some replication and policy propagation time, the user of the blocked app will see this.
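The Step 4 command above replaces the whole block list with the single value you pass. The following is an added example, not code from the original post, that appends a user-agent pattern to the existing list instead, then re-reads the configuration to confirm the change took. It assumes an Exchange Online PowerShell session is already connected as in Step 1; the function name Add-EwsBlockedApp is my own, and "CloudMagic*" is the pattern used in the post.

```powershell
# Added example (not from the original post): append a user-agent pattern to
# the EWS block list without clobbering existing entries, then verify it.
# Assumes an Exchange Online PowerShell session is already connected (Step 1).

function Add-EwsBlockedApp {
    param(
        [Parameter(Mandatory)] [string] $UserAgentPattern
    )

    $cfg = Get-OrganizationConfig

    # Moving from EnforceAllowList to EnforceBlockList widens access to every
    # app not on the block list, so call that out before changing anything.
    if ($cfg.EwsApplicationAccessPolicy -eq 'EnforceAllowList') {
        Write-Warning "Policy is currently EnforceAllowList; switching to EnforceBlockList lets every unlisted app reach EWS."
    }

    if ($cfg.EwsBlockList -contains $UserAgentPattern) {
        Write-Host "'$UserAgentPattern' is already on the block list; nothing to change."
    } else {
        # @{Add=...} appends to the multivalued property. A bare
        # -EwsBlockList "value" (as in Step 4) replaces the entire list.
        Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList `
                               -EwsBlockList @{Add = $UserAgentPattern}
    }

    # Re-read the configuration rather than trusting that the call succeeded.
    $after = Get-OrganizationConfig
    $verified = ($after.EwsApplicationAccessPolicy -eq 'EnforceBlockList') -and
                ($after.EwsBlockList -contains $UserAgentPattern)

    [pscustomobject]@{
        Policy    = $after.EwsApplicationAccessPolicy
        BlockList = ($after.EwsBlockList -join ', ')
        Verified  = $verified
    }
}

# Usage: block the app from the post and show the resulting state.
Add-EwsBlockedApp -UserAgentPattern 'CloudMagic*' | Format-List
```

Run the same Get-OrganizationConfig check from Step 2 afterwards; a Verified value of False means the change has not applied yet or the policy is not what you expected.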