How to: Control access to EWS in Exchange

Find out how to control access to EWS for users, applications, or the entire organization.

Last modified: January 13, 2014

Applies to: Exchange Online | Exchange Server 2013 | Office 365

In this article
Exchange Management Shell cmdlets for configuring access control
Examples: Controlling access to EWS
Additional resources

Whether you are using the EWS Managed API, or EWS directly, in your application, you can control access to Exchange Web Services (EWS). If you have administrator access to your Exchange server, you can manage access to EWS by using the Exchange Management Shell to control access globally, for each user, and for each application.

You can use the following Exchange Management Shell cmdlets to view the current access configuration and set EWS access controls:

Let’s take a look at a few scenarios that show you how you can control access to your application.

Table 1.  Commands for controlling access to EWS

If you want to…

Command to use

Block all client applications from using EWS.

Set-OrganizationConfig –EwsApplicationAccessPolicy:EnforceAllowList

This allows applications listed in the AllowList to connect. In this example, no applications are included in the AllowList, so no applications can use EWS.

Allow a list of client applications to use EWS.

Set-OrganizationConfig –EwsApplicationAccessPolicy:EnforceAllowList –EwsAllowList:"OWA/*"

This allows specific applications to use EWS. In this example, any application that has a user agent string that starts with "OWA/" is allowed access.

Allow all client applications to use EWS except those that are specifically blocked.

Set-OrganizationConfig –EwsApplicationAccessPolicy:EnforceBlockList –EwsBlockList:"OWA/*"

This example only blocks applications from using EWS that have a user agent string that starts with "OWA/".

Allow all client applications to use EWS.

Set-OrganizationConfig –EwsApplicationAccessPolicy:EnforceBlockList

Because no BlockList is specified, all applications can use EWS.

Block the entire organization from using EWS.

Set-OrganizationConfig -EwsEnabled:$false

Allow the entire organization to use EWS.

Set-OrganizationConfig -EwsEnabled:$true

Block an individual mailbox from using EWS.

Set-CASMailbox –Identity adam@contoso.com -EwsEnabled:$false

Allow an individual mailbox to use EWS.

Set-CASMailbox –Identity adam@contoso.com -EwsEnabled:$true
Show:
© 2014 Microsoft