Blocking Apps from Using EWS

If you’re reading this post, you were probably asked by your security team to block a certain app or apps from accessing Office 365 (Exchange Online). There are all kinds of security reasons that you would need to block applications from using Exchange Web Services (EWS). I am in no way picking on any one application; the one shown in the post below just happens to be the one that I was asked to block by a client. Their security team reviewed the app and it didn’t meet their corporate security policy.

In order to block EWS applications, we need to use the Set-OrganizationConfig command, and then specify two EWS parameters.


Let’s first review your organization and see if you have a Block List setting and if there are applications in there.


Connect to Exchange Online with PowerShell


$UserCredential = Get-Credential


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection


Import-PSSession $Session


Verify Existing Settings


Get-OrganizationConfig |ft Name,EwsApplicationAccessPolicy,EwsBlockList,EwsAllowList


From the results above we can see that the EwsApplicationAccessPolicy is not set and there is nothing in the EwsBlockList or the EwsAllowList.


Understand the Process (EwsApplicationAccessPolicy and EwsBlockList or EwsAllowList)


There are two basic methods for blocking applications. Most companies that I work with want to allow everything and target specific apps to block.


You can block everything except what’s on the allow list: EnforceAllowList


You can allow everything except what’s on the block list: EnforceBlockList


-EwsApplicationAccessPolicy <EnforceAllowList | EnforceBlockList>

The EwsApplicationAccessPolicy parameter defines which applications other than Entourage, Mac Outlook, and Outlook can access EWS. If set to EnforceAllowList, only applications specified in the EwsAllowList parameter are allowed access to EWS. If set to EnforceBlockList, every application is allowed access to EWS except the ones specified in the EwsBlockList parameter.



The EwsBlockList parameter specifies the applications that can’t access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceBlockList.



The EwsAllowList parameter specifies the applications (user agent strings) that can access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceAllowList.



Enable the Block List and add an Application


This method will show how to allow all applications (that use EWS) and only block ones on the block list. You’ll see the command to block a specific application and then the confirmation command after.


Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"CloudMagic*"


Given some replication and policy time, the user will see this.
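
The Set-OrganizationConfig command above replaces whatever is already in EwsBlockList, and it would also flip a tenant that currently uses EnforceAllowList. The following is an added example, not code from the original post: a helper that keeps the existing entries and refuses to change an allow-list tenant. The function name Add-EwsBlockListEntry is hypothetical, and the code assumes the Exchange Online session from the steps above is already imported.

```powershell
# Added example: hypothetical helper, not part of the original post.
# Assumes Get-OrganizationConfig / Set-OrganizationConfig are available
# from an already imported Exchange Online session.
function Add-EwsBlockListEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # User agent pattern(s) to block, e.g. "CloudMagic*" from the post
        [Parameter(Mandatory)][string[]]$Pattern
    )

    $cfg = Get-OrganizationConfig

    # Switching an allow-list tenant to EnforceBlockList would open EWS to
    # every application that is not listed, so stop and let the admin decide.
    if ("$($cfg.EwsApplicationAccessPolicy)" -eq 'EnforceAllowList') {
        throw 'Tenant uses EnforceAllowList; not switching it to EnforceBlockList.'
    }

    # Start from the current entries so they are not overwritten.
    $merged = @($cfg.EwsBlockList | Where-Object { $_ })
    foreach ($p in $Pattern) {
        # -notcontains compares case-insensitively, so duplicates are skipped
        if ($merged -notcontains $p) { $merged += $p }
    }

    if ($PSCmdlet.ShouldProcess($cfg.Name, "Set EwsBlockList to: $($merged -join ', ')")) {
        Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList $merged
    }

    # Read the settings back to confirm what is now in effect.
    Get-OrganizationConfig |
        Format-Table Name, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
}

# Preview the change first, then apply it.
Add-EwsBlockListEntry -Pattern 'CloudMagic*' -WhatIf
Add-EwsBlockListEntry -Pattern 'CloudMagic*'
```
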


Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP
