Control access to EWS in Exchange
Find out how to control access to EWS for users, applications, or the entire organization.
Whether you are using the EWS Managed API, or EWS directly, in your application, you can control access to Exchange Web Services (EWS). If you have administrator access to your Exchange server, you can manage access to EWS by using the Exchange Management Shell to control access globally, for each user, and for each application.
Exchange Management Shell cmdlets for configuring access control
You can use the following Exchange Management Shell cmdlets to view the current access configuration and set EWS access controls:
- Get-CASMailbox - Shows you what parameters are set for a particular mailbox.
- Set-CASMailbox - Sets parameters for a particular mailbox.
- Get-OrganizationConfig - Shows you the parameters for the entire organization.
- Set-OrganizationConfig - Sets the parameters for the entire organization.
Examples: Controlling access to EWS
Let's take a look at a few scenarios that show you how you can control access to your application.
Table 1. Commands for controlling access to EWS
| If you want to | Use this command |
|---|---|
| Block all client applications from using EWS. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowListThis allows applications listed in the AllowList to connect. In this example, no applications are included in the AllowList, so no applications can use EWS. |
| Allow a list of client applications to use EWS. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowList -EwsAllowList:"OWA/*"This allows specific applications to use EWS. In this example, any application that has a user agent string that starts with "OWA/" is allowed access. |
| Allow all client applications to use EWS except those that are specifically blocked. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"OWA/*"This example only blocks applications from using EWS that have a user agent string that starts with "OWA/". |
| Allow all client applications to use EWS. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList Because no BlockList is specified, all applications can use EWS. |
| Block the entire organization from using EWS. | Set-OrganizationConfig -EwsEnabled:$false |
| Allow the entire organization to use EWS. | Set-OrganizationConfig -EwsEnabled:$true |
| Block an individual mailbox from using EWS. | Set-CASMailbox -Identity adam@contoso.com -EwsEnabled:$false |
| Allow an individual mailbox to use EWS. | Set-CASMailbox -Identity adam@contoso.com -EwsEnabled:$true |