
Administrators who want to limit an app’s access to a specific set of mailboxes can create an application access policy. Application access policy support for Microsoft Graph was released in 2019. Today, we are announcing that we are adding support for application access policies to Exchange Web Services (EWS) in response to customer feedback, and as a mechanism to ease customer transition from using EWS to using Graph. With EWS support for application access policies, you can now provide users with a more secure experience.

Background

Some apps make calls into EWS using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without requiring a signed-in user. These apps use OAuth 2.0 client credentials to authenticate, and they are configured with application permissions that enable such apps to access all mailboxes in an Exchange Online organization. Providing more granular EWS permission scopes is a common request from our EWS partners.

Using an application access policy, EWS administrators can now limit an app’s access to a specific set of mailboxes by specifying an inclusion or exclusion list. Administrators who want to limit third-party app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. For more information about application access policies, see Scoping application permissions to specific Exchange Online mailboxes.
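As an added illustration (not part of the original post), the following PowerShell sketch scopes a daemon app to an inclusion list and then verifies the result for one mailbox inside the scope and one outside it. The app ID, group address, and mailbox addresses are placeholders, and the script assumes the ExchangeOnlineManagement module and an existing mail-enabled security group.

```powershell
# Added example. Every identifier below is a placeholder, not a value from the post.
$AppId      = '00000000-0000-0000-0000-000000000000'  # application (client) ID of the daemon app
$ScopeGroup = 'ews-app-scope@contoso.example'         # mail-enabled security group (assumed to exist)
$InScope    = 'invoices@contoso.example'              # assumed member of $ScopeGroup
$OutOfScope = 'ceo@contoso.example'                   # assumed non-member

Connect-ExchangeOnline   # from the ExchangeOnlineManagement module

# The New-ApplicationAccessPolicy documentation states a limit of 100 policies
# per tenant, so check the current count before adding another one.
$existing = @(Get-ApplicationAccessPolicy)
if ($existing.Count -ge 100) {
    throw "Tenant already has $($existing.Count) application access policies."
}

# Inclusion list: the app may reach ONLY mailboxes that are members of $ScopeGroup.
# For an exclusion list, use -AccessRight DenyAccess with a group of mailboxes
# the app must never reach.
if (-not ($existing | Where-Object { $_.AppId -eq $AppId })) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict daemon app to the mailboxes in ews-app-scope'
}

# Verify the effective decision instead of trusting the configuration.
$cases = @(
    @{ Mailbox = $InScope;    Expected = 'Granted' },
    @{ Mailbox = $OutOfScope; Expected = 'Denied'  }
)
foreach ($case in $cases) {
    $result = Test-ApplicationAccessPolicy -Identity $case.Mailbox -AppId $AppId
    if ($result.AccessCheckResult -ne $case.Expected) {
        Write-Warning ("{0}: expected {1}, got {2}" -f `
            $case.Mailbox, $case.Expected, $result.AccessCheckResult)
    }
}

# Periodic review: list which apps are scoped and how. An app that holds
# application permissions but has no policy here can still reach every mailbox.
Get-ApplicationAccessPolicy |
    Sort-Object AppId |
    Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
```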

Other Investments in EWS

EWS support for application access policies was added to address customer security concerns. As we announced in 2018, we won’t be adding new features to EWS. We strongly recommend migrating from EWS to Graph for access to Exchange Online data, as well as the latest features and functionality. For more information on how to transition, see Overview of Microsoft Graph and Overview of Outlook mail API on Microsoft Graph.

While EWS and Graph have overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, let us know via UserVoice.

Basic Authentication

This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online. If you are using EWS (or any other email access protocol such as POP, IMAP, or EAS) with Basic Auth, you need to switch to OAuth. Furthermore, we strongly recommend that you modernize your apps and move to Graph.

The Exchange Team

8 Comments
Senior Member

That is a very welcomed change, thank you :smile: I was wondering how many scoping policies can we create in total, is there some hard limit? We have already about 50+ policies and we are adding 2-3 every week.

Occasional Contributor

Nice article, good to see some work still happening to support those EWS applications out there ...

I guess the one question that many people will ask off the back of this announcement and the comment of "This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online" is when will Basic Auth be retired?

Second half of 2021 is what, July 1st ... do we expect people to plan for that date, or is there, without sharing a date, a minimum additional 'notice' period people can expect for retirement? Will we get at least 6 months' notice, as an example?

Although while saying that I totally get that it was announced in ~2017 and customers / vendors should have or be moving away from it already, I'm still speaking to vendors now who only found out because we asked the question of them.

Anywho, love your work! Stay safe & take care!

Occasional Contributor

Hi @Tonino Bruno ...

Ref your question around number of scoping policies ... based on CmdLet notes it is currently 100

"A limit of 100 policies per Microsoft 365 tenant is enforced as of today. An error message stating "A tenant cannot have more than 100 policies." will be displayed if this number is exceeded."

https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchang...

Whether that will change with newer scoping capabilities I don't know :) I'm hoping so ...

@Jamie BRANDWOOD - we'll have an update on Basic Auth very soon. And yes, 100 is currently the limit. We are investigating increasing it. 

Occasional Contributor

Great news @Greg Taylor - EXCHANGE ... But my only concern now is are you lost? Shouldn't you be hitting up the Microsoft Graph blog these days ;)

Only joking, always great to see your updates!

I'm everywhere. And anyway, Exchange is at the heart of the graph....

Senior Member

Hi there!

I always thought we could scope EWS apps by creating custom management scopes. How does this interact with application access policies for EWS apps?

Are application access policies used in ExO only if the EWS app authenticates using OAuth?

Occasional Visitor

Hi @The_Exchange_Team!

Does this application access policy support full_access_as_app???

Regards,

Sayhi2mee