Application Access Policy Support in EWS
Published Feb 02 2021 08:56 AM

Administrators who want to limit an app's access to a specific set of mailboxes can create an application access policy. Application access policy support for Microsoft Graph was released in 2019. Today, we are announcing that we are adding support for application access policies to Exchange Web Services (EWS) in response to customer feedback, and as a mechanism to ease customer transition from using EWS to using Graph. With EWS support for application access policies, you can now provide users with a more secure experience.

Background

Some apps make calls into EWS using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without requiring a signed-in user. These apps use OAuth 2.0 client credentials to authenticate, and they are configured with application permissions that enable such apps to access all mailboxes in an Exchange Online organization. Providing more granular EWS permission scopes is a common request from our EWS partners.

Using an application access policy, EWS administrators can now limit an app’s access to a specific set of mailboxes by specifying an inclusion or exclusion list. Administrators who want to limit third-party app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. For more information about application access policies, see Scoping application permissions to specific Exchange Online mailboxes.
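As an added example (not from the original post), the following Exchange Online PowerShell session creates an inclusion-list policy for an app-only application and then checks a mailbox on each side of the boundary. It assumes the ExchangeOnlineManagement module is installed; the app ID, group and mailbox addresses are placeholders.

```powershell
# Added example (not part of the original post): scope an app-only EWS/Graph
# application to one mail-enabled security group, then verify the result.
# Assumptions: ExchangeOnlineManagement module is installed and the values
# below are placeholders for your own app registration, group and mailboxes.
Connect-ExchangeOnline

$appId      = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration (client) ID
$scopeGroup = 'ews-scoped-mailboxes@contoso.example'   # placeholder: mail-enabled security group
$inScope    = 'alice@contoso.example'                  # placeholder: member of $scopeGroup
$outOfScope = 'bob@contoso.example'                    # placeholder: not a member of $scopeGroup

# RestrictAccess builds an inclusion list (only members are reachable);
# DenyAccess builds an exclusion list (members are blocked, everyone else allowed).
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -Description 'Limit app-only EWS access to the scoped mailboxes group'

# Verify both sides of the boundary. Test-ApplicationAccessPolicy reports
# AccessCheckResult as Granted or Denied for the given mailbox and app.
foreach ($mailbox in @($inScope, $outOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
    '{0,-30} {1}' -f $mailbox, $result.AccessCheckResult
}

# A per-tenant cap on policies is enforced, so track how many already exist.
(Get-ApplicationAccessPolicy | Measure-Object).Count
```

Policy changes take some time to propagate, so if the out-of-scope mailbox still reports Granted immediately after creation, re-run the test loop a little later.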

Other Investments in EWS

EWS support for application access policies was added to address customer security concerns. As we announced in 2018, we won’t be adding new features to EWS. We strongly recommend migrating from EWS to Graph for access to Exchange Online data, as well as the latest features and functionality. For more information on how to transition, see:

While EWS and Graph have overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, let us know via UserVoice.

Basic Authentication

This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online. If you are using EWS (or any other email access protocol like POP, IMAP, EAS) in combination with Basic Auth, you need to make sure you are using OAuth and not Basic Auth. Furthermore, we strongly recommend that you modernize your apps and move to Graph.

The Exchange Team

12 Comments
Brass Contributor

That is a very welcome change, thank you :smile: I was wondering how many scoping policies we can create in total; is there some hard limit? We already have about 50+ policies and we are adding 2-3 every week.

Brass Contributor

Nice article, good to see some work still happening to support those EWS applications out there ...

I guess the one question that many people will ask off the back of this announcement and the comment of "This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online" is when will Basic Auth be retired?

Second half of 2021 is what, July 1st ... do we expect people to plan for that date? Or is there, without sharing a date, a minimum additional 'notice' period people can expect for retirement? Will we get at least 6 months' notice, as an example?

Although while saying that I totally get that it was announced in ~2017 and customers / vendors should have or be moving away from it already, I'm still speaking to vendors now who only found out because we asked the question of them.

Anywho, love your work! Stay safe & take care!

Brass Contributor

Hi @Tonino Bruno ...

Ref your question around the number of scoping policies ... based on the cmdlet notes it is currently 100:

"A limit of 100 policies per Microsoft 365 tenant is enforced as of today. An error message stating "A tenant cannot have more than 100 policies." will be displayed if this number is exceeded."

https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchang...

Whether that will change with newer scoping capabilities I don't know :) I'm hoping so ...

@DevOpsMaverick - we'll have an update on Basic Auth very soon. And yes, 100 is currently the limit. We are investigating increasing it. 

Brass Contributor

Great news @Greg Taylor - EXCHANGE ... But my only concern now is, are you lost? Shouldn't you be hitting up the Microsoft Graph blog these days ;)

Only joking, always great to see your updates!

I'm everywhere. And anyway, Exchange is at the heart of the graph....

Brass Contributor

Hi there!

I always thought we could scope EWS apps by creating custom management scopes. How does this interact with application access policies for EWS apps?

Are application access policies used in ExO only if the EWS app authenticates using OAuth?

Copper Contributor

Hi @The_Exchange_Team!

Does this application access policy support full_access_as_app?

Regards,

Sayhi2mee

Iron Contributor

Hello, is the limit of access policies per tenant 100? The powershell cmdlet article suggests it is.

https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchang...

Microsoft

@momurray You're right - this affects only OAuth for app-only authentication.

@sayhi2mee that is correct.

@Earl Zirkle the article you linked is more up to date than this blog post, you can now create ~300 policies per tenant. But we're also working on a more scalable model.

Iron Contributor

Thanks @Nick_Elder! Glad to hear the Exchange team is making it more scalable.

One more question. Will the -PolicyScopeGroupID accept a user or group? The documentation suggests it does.

Microsoft

@Earl Zirkle It accepts Mail-Enabled Security Groups and users. I've just double checked that I can use a single user.

From the docs:

The PolicyScopeGroupID parameter specifies the recipient to define in the policy. You can use any value that uniquely identifies the recipient. You can also specify a mail enabled security group to restrict/deny access to more than one user mailbox

Last update: Feb 02 2021 09:37 AM