Application Access Policy Support in EWS

Published Feb 02 2021 08:56 AM 16.2K Views

Administrators who want to limit the app access to a specific set of mailboxes can create an application access policy. Application access policy support for Microsoft Graph was released in 2019. Today, we are announcing that we are adding support for application access policies to Exchange Web Services (EWS) in response to customer feedback, and as a mechanism to ease customer transition from using EWS to using Graph. With EWS support for application access policies, you can now provide users with a more secure experience.

Background

Some apps make calls into EWS using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without requiring a signed-in user. These apps use OAuth 2.0 client credentials to authenticate, and they are configured with application permissions that enable such apps to access all mailboxes in an Exchange Online organization. Providing more granular EWS permission scopes is a common request from our EWS partners.

Using an application access policy, EWS administrators can now limit an app’s access to a specific set of mailboxes by specifying an inclusion or exclusion list. Administrators who want to limit third party app access to a specific set of mailboxes can use New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. For more information about application access policies, see Scoping application permissions to specific Exchange Online mailboxes.

Other Investments in EWS

EWS support for application access policies was added to address customer security concerns. As we announced in 2018, we won’t be adding new features to EWS. We strongly recommend migrating from EWS to Graph for access to Exchange Online data, as well as the latest features and functionality. For more information on how to transition, see:

While EWS and Graph have overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, let us know via UserVoice.

Basic Authentication

This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online. If you are using EWS (or any other email access protocol like POP, IMAP, EAS) in combination with Basic Auth, you need to make sure you are using OAuth and not Basic Auth. Furthermore, we strongly recommend that you modernize your apps and move to Graph.

The Exchange Team

8 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-2110361%22%20slang%3D%22en-US%22%3EApplication%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2110361%22%20slang%3D%22en-US%22%3E%3CP%3EAdministrators%20who%20want%20to%20limit%20the%20app%20access%20to%20a%20specific%20set%20of%20mailboxes%20can%20create%20an%20application%20access%20policy.%20Application%20access%20policy%20support%20for%20Microsoft%20Graph%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fscoping-microsoft-graph-application-permissions-to-specific%2Fba-p%2F671881%22%20target%3D%22_self%22%3Ewas%20released%3C%2FA%3E%20in%202019.%20Today%2C%20we%20are%20announcing%20that%20we%20are%20adding%20support%20for%20application%20access%20policies%20to%20Exchange%20Web%20Services%20(EWS)%20in%20response%20to%20customer%20feedback%2C%20and%20as%20a%20mechanism%20to%20ease%20customer%20transition%20from%20using%20EWS%20to%20using%20Graph.%20With%20EWS%20support%20for%20application%20access%20policies%2C%20you%20can%20now%20provide%20users%20with%20a%20more%20secure%20experience.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1269933818%22%20id%3D%22toc-hId-1269959923%22%20id%3D%22toc-hId-1269959923%22%3EBackground%3C%2FH1%3E%0A%3CP%3ESome%20apps%20make%20calls%20into%20EWS%20using%20their%20own%20identity%20and%20not%20on%20behalf%20of%20a%20user.%20These%20are%20usually%20background%20services%20or%20daemon%20apps%20that%20run%20on%20a%20server%20without%20requiring%20a%20signed-in%20user.%20These%20apps%20use%20OAuth%202.0%20client%20credentials%20to%20authenticate%2C%20and%20they%20are%20configured%20with%20application%20permissions%20that%20enable%20such%20apps%20to%20access%20all%20mailboxes%20in%20an%20Exchange%20Online%20organization.%20Providing%20more%20granular%20EWS%20permission%20scopes%20is%20a%20common%20request%20from%20our%20EWS%20partners.%3C%2FP%3E%0A%3CP%3EUsing%20an%20application%20access%20policy%2C%20EWS%20administrators%20can%20now%20limit%20an%20app%E2%80%99s%20access%20to%20a%20specific%20set%20of%20mailboxes%20by%20specifying%20an%20inclusion%20or%20exclusion%20list.%20Administrators%20who%20want%20to%20limit%20third%20party%20app%20access%20to%20a%20specific%20set%20of%20mailboxes%20can%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2Fmodule%2Fexchange%2Fnew-applicationaccesspolicy%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENew-ApplicationAccessPolicy%3C%2FA%3E%20PowerShell%20cmdlet%20to%20configure%20access%20control.%20For%20more%20information%20about%20application%20access%20policies%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fgraph%2Fauth-limit-mailbox-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScoping%20application%20permissions%20to%20specific%20Exchange%20Online%20mailboxes%3C%2FA%3E.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--537520645%22%20id%3D%22toc-hId--537494540%22%20id%3D%22toc-hId--537494540%22%3EOther%20Investments%20in%20EWS%3C%2FH1%3E%0A%3CP%3EEWS%20support%20for%20application%20access%20policies%20was%20added%20to%20address%20customer%20security%20concerns.%20As%20we%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fupcoming-changes-to-exchange-web-services-ews-api-for-office-365%2Fba-p%2F608055%22%20target%3D%22_blank%22%3Eannounced%3C%2FA%3E%20in%202018%2C%20we%20won%E2%80%99t%20be%20adding%20new%20features%20to%20EWS.%20We%20strongly%20recommend%20migrating%20from%20EWS%20to%20Graph%20for%20access%20to%20Exchange%20Online%20data%2C%20as%20well%20as%20the%20latest%20features%20and%20functionality.%20For%20more%20information%20on%20how%20to%20transition%2C%20see%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fgraph%2Fdocs%2Fconcepts%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOverview%20of%20Microsoft%20Graph%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fgraph%2Fdocs%2Fconcepts%2Foutlook-mail-concept-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOverview%20of%20Outlook%20mail%20API%20on%20Microsoft%20Graph%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWhile%20EWS%20and%20Graph%20have%20overlapping%20functionality%2C%20there%20are%20some%20differences.%20If%20you%20rely%20on%20an%20EWS%20API%20that%20does%20not%20have%20a%20Graph%20counterpart%2C%20let%20us%20know%20via%20%3CA%20href%3D%22https%3A%2F%2Fofficespdev.uservoice.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUserVoice%3C%2FA%3E.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1949992188%22%20id%3D%22toc-hId-1950018293%22%20id%3D%22toc-hId-1950018293%22%3EBasic%20Authentication%3C%2FH1%3E%0A%3CP%3EThis%20is%20also%20a%20good%20time%20to%20remind%20everyone%20that%20we%20are%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-july-update%2Fba-p%2F1530163%22%20target%3D%22_blank%22%3Eretiring%20Basic%20Authentication%20in%20Exchange%20Online%3C%2FA%3E.%20If%20you%20are%20using%20EWS%20(or%20any%20other%20email%20access%20protocol%20like%20POP%2C%20IMAP%2C%20EAS)%20in%20combination%20with%20Basic%20Auth%2C%20you%20need%20to%20make%20sure%20you%20are%20using%20OAuth%20and%20not%20Basic%20Auth.%20Furthermore%2C%20we%20strongly%20recommend%20that%20you%20modernize%20your%20apps%20and%20move%20to%20Graph.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3EThe%20Exchange%20Team%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2110361%22%20slang%3D%22en-US%22%3E%3CP%3EAdministrators%20who%20want%20to%20limit%20the%20app%20access%20to%20a%20specific%20set%20of%20mailboxes%20can%20create%20an%20application%20access%20policy.%20Application%20access%20policy%20support%20for%20Microsoft%20Graph%20was%20released%20in%202019.%20Today%2C%20we%20are%20announcing%20that%20we%20are%20adding%20support%20for%20application%20access%20policies%20to%20Exchange%20Web%20Services%20(EWS)%20in%20response%20to%20customer%20feedback...%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2110361%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edevelopment%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113512%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113512%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20always%20tought%20we%20could%20scope%20EWS%20apps%20by%20creating%20custom%20management%20scopes.%20How%20does%20this%20interacts%20with%20application%20access%20policies%20for%20EWS%20apps%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20application%20access%20policies%20used%20in%20ExO%20only%20if%20the%20EWS%20app%20authenticates%20using%20Oauth%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113147%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113147%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20everywhere.%20And%20anyway%2C%20Exchange%20is%20a%20at%20the%20heart%20of%20the%20graph....%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2113078%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2113078%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20news%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B...%20But%20my%20only%20concern%20now%20is%20are%20you%20lost%3F%20Shouldnt%20you%20be%20hitting%20up%20the%20Microsoft%20Graph%20blog%20these%20days%20%3B)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnly%20joking%2C%20always%20great%20to%20see%20your%20updates%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2112841%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2112841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F55238%22%20target%3D%22_blank%22%3E%40Jamie%20BRANDWOOD%3C%2FA%3E%26nbsp%3B-%20we'll%20have%20an%20update%20on%20Basic%20Auth%20very%20soon.%20And%20yes%2C%20100%20is%20currently%20the%20limit.%20We%20are%20investigating%20increasing%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2111513%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111513%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193997%22%20target%3D%22_blank%22%3E%40Tonino%20Bruno%3C%2FA%3E%26nbsp%3B...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERef%20your%20question%20around%20number%20of%20scoping%20policy's%20...%20based%20on%20CmdLet%20notes%20it%20is%20currentl%20100%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3EA%20limit%20of%20100%20policies%20per%20Microsoft%20365%20tenant%20is%20enforced%20as%20of%20today.%20An%20error%20message%20stating%20%22A%20tenant%20cannot%20have%20more%20than%20100%20policies.%22%20will%20be%20displayed%20if%20this%20number%20is%20exceeded.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fnew-applicationaccesspolicy%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fnew-applicationaccesspolicy%3Fview%3Dexchange-ps%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhether%20that%20will%20change%20with%20newer%20scoping%20capabilities%20i%20dont%20know%20%3A)%3C%2Fimg%3E%20im%20hoping%20so%20...%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2111502%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111502%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20article%2C%20good%20to%20see%20some%20work%20still%20happening%20to%20support%20those%20EWS%20applications%20out%20there%20...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20the%20one%20question%20that%20many%20people%20will%20ask%20off%20the%20back%20of%20this%20announcement%20and%20the%20comment%20of%20%22%3CSPAN%3EThis%20is%20also%20a%20good%20time%20to%20remind%20everyone%20that%20we%20are%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-july-update%2Fba-p%2F1530163%22%20target%3D%22_blank%22%3Eretiring%20Basic%20Authentication%20in%20Exchange%20Online%3C%2FA%3E%22%20is%20when%20will%20Basic%20Auth%20be%20retired%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecond%20half%20of%202021%20is%20what%2C%20July%201st%20...%20do%20we%20expect%20people%20to%20plan%20for%20that%20date.%20or%20is%20there%20without%20sharing%20a%20date%20a%20minimum%20additonal%20'notice'%20period%20people%20can%20expect%20for%20retirement.%20will%20we%20get%20at%20least%206%20month%20notice%20as%20example.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlthough%20while%20saying%20that%20i%20totally%20get%20that%20it%20was%20announced%20in%20~2017%20and%20customers%20%2F%20vendors%20should%20have%20or%20be%20moving%20away%20from%20it%20already%2C%20i'm%20still%20speaking%20to%20vendors%20now%20who%20only%20found%20out%20because%20we%20asked%20the%20question%20of%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnywho%2C%20love%20your%20work%20!%20stay%20safe%20%26amp%3B%20take%20care%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2111483%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111483%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20is%20a%20very%20welcomed%20change%2C%20thank%20you%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%408341BD79091AF36AA2A09063B554B5CD%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%20I%20was%20wondering%20how%20many%20scoping%20policies%20can%20we%20create%20in%20total%2C%20is%20there%20some%20hard%20limit%3F%26nbsp%3BWe%20have%20already%20about%2050%2B%20policies%20and%20we%20are%20adding%202-3%20every%20week.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2158598%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Access%20Policy%20Support%20in%20EWS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2158598%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eis%20this%20application%20access%20policy%20supports%20full_access_as_app%3F%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ESayhi2mee%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Feb 02 2021 09:37 AM
Updated by: