You can toggle it off on a per-user basis via Set-CasMailbox. You can also block specific apps by using the corresponding parameters (EwsAllowList/EwsBlockList), either on a per-user or org-wide basis.
End users will not be able to export anything other than their own mailbox though, which they can already do via Outlook. To export other users' data, they will need EWS Impersonation permissions, and if they have those, you have bigger problems to worry about :D
Disable Migrationwiz app access of Exchange EWS
Hello forum,
In our Exchange organization we have Exchange Web Services (EWS) enabled for all users. Some users tried the migrationwiz app to export the mailbox illegally and succeeded. We want to restrict the migrationwiz app from accessing the Exchange server using EWS. We tried the set-casmailbox -identity username -Ewsenabled:$false command and found it is breaking the mailbox and disabling Out of Office notifications and MailTips. Can anyone give me the right way to block the migrationwiz app using EWS?
Thanks,
Kannan
7 answers
Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
2021-01-19T08:18:19.067+00:00 -
Kannan Balakrishnan 1 Reputation point
2021-01-19T14:18:28.53+00:00 Hi Michev,
I understand that we can block a specific app at the user level or org-wide. But can you help me with how to block migrationwiz or any other app at the user level? That is the basic requirement. Your second comment is true, there is no point in blocking EWS where we have given the mailbox access to Outlook and their mailbox items are usable by the particular user.
Thanks for your prompt reply and it helped.
Thanks,
Kannan -
Eric Yin-MSFT 4,396 Reputation points
2021-01-20T02:04:56.93+00:00 As michev suggests, you can try the following command for a specific user to block a specific app:
Set-CASMailbox ******@contoso.com -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"Mac+OS+X/*"
Or if you want, block all EWS applications for a user:
Set-CASMailbox ******@contoso.com -EwsEnabled $false
Only the specified application is allowed to access the mailbox:
Set-CASMailbox ******@contoso.com -EwsApplicationAccessPolicy:EnforceAllowList -EwsAllowList:"Mac+OS+X/*"
Reference like: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange
Kannan Balakrishnan 1 Reputation point
2021-01-20T02:37:41.573+00:00 Hi Eric-Yin,
Thanks for the EMS commands that you sent. I have a question here: if I allow only "owa/", are all other apps blocked? The reason I ask is that if I enable only "owa/", enabling that would block other apps, which means migrationwiz will also be blocked. I don't know what I have to put as the application name for migrationwiz.
Set-Casmailbox tony@Company portal .com -EWSApplicationAccessPolicy:EnforceBlockList -EWSBlockList:"Migrationwiz/*"?
Thanks,
Kannan -
Kannan Balakrishnan 1 Reputation point
2021-01-20T09:52:36.357+00:00 Hi Eric,
I want to add the migrationwiz app to the block list and don't know what the value is for the migrationwiz app. I mean, what value do I need to add for the app Migrationwiz to the EWSBlockList? How is the value defined and where is the value taken from? Please let me know if my question is still not clear.
Thanks,
Kannan
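Added example, not part of the original thread: EwsBlockList and EwsAllowList entries are matched against the User-Agent string the client sends, so the value can be read from the IIS logs of the server handling /EWS/Exchange.asmx. The sketch below parses W3C log lines and lists the distinct EWS user agents per user; the log lines, user names and the agent `ExampleMigrationTool/1.0` are constructed placeholders, and `Get-EwsUserAgent` is a hypothetical helper name.

```powershell
# Constructed sample of an IIS W3C log (not real traffic). IIS writes spaces
# inside the User-Agent as '+', which is why list entries look like "Mac+OS+X/*".
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2021-01-20 02:10:11 POST /EWS/Exchange.asmx CONTOSO\alice Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.13530) 200
2021-01-20 02:10:15 POST /EWS/Exchange.asmx CONTOSO\bob ExampleMigrationTool/1.0 200
2021-01-20 02:10:19 POST /EWS/Exchange.asmx CONTOSO\bob ExampleMigrationTool/1.0 200
2021-01-20 02:11:02 GET /owa/ CONTOSO\alice Mozilla/5.0+(Windows+NT+10.0) 200
2021-01-20 02:12:40 POST /EWS/Exchange.asmx CONTOSO\carol Mac+OS+X/10.15.7+(19H2) 200
'@ -split '\r?\n'

function Get-EwsUserAgent {
    param([string[]]$LogLine)
    $fields = @()
    $rows = foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            # The header names the columns; the logged field set differs per server.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Keep only requests to the EWS virtual directory.
        if ($row['cs-uri-stem'] -like '/EWS/*') {
            [pscustomobject]@{ User = $row['cs-username']; UserAgent = $row['cs(User-Agent)'] }
        }
    }
    $rows | Group-Object UserAgent, User | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'UserAgent'; e = { $_.Group[0].UserAgent } },
            @{ n = 'User';      e = { $_.Group[0].User } }
}

Get-EwsUserAgent -LogLine $sample | Format-Table -AutoSize

# Once the agent string is known, block it by prefix (Exchange Management Shell):
# Set-CASMailbox -Identity bob@contoso.com -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList "ExampleMigrationTool/*"
# Org-wide equivalent:
# Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList "ExampleMigrationTool/*"
```

On a real server, pass the function the lines of the IIS log files instead of `$sample` (default IIS location `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1`, which may differ in your deployment). Because the User-Agent is supplied by the client, an EnforceAllowList policy naming only the clients you expect is a stronger control than a block list.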