How to Limit Third-Party Application Access to Exchange & Office 365 Services via EwsApplicationAccessPolicy, EnforceAllowList, and EnforceBlockList

A quick set of PowerShell examples to create and manage blacklisting / whitelisting of third-party application access to Office 365 / Exchange Web Services

Office 365 inherits a set of access controls from Exchange Web Services, grouped under EwsApplicationAccessPolicy, which let you whitelist or blacklist specific user agents from accessing Exchange Web Services. This gives more granular control than denying access to all third-party apps in Azure Active Directory, and can be used to achieve a variety of other access control goals.

This access control list allows or denies an application making a request to Exchange Web Services based on its User-Agent header. NOTE: the User-Agent header is set by the client, so this should not be used as a primary security mechanism (a determined hacker can spoof any user agent they like, including the well-known user agents you will likely need to whitelist, such as the Outlook client).

Key concepts: BlockList vs AllowList

For your organization, you will need to decide whether your problem can be solved with a BlockList (easiest), or an AllowList (more complex, but more secure).

Block Lists (The Blacklisting method)

A BlockList denies access to a specific UserAgent (or third-party service) attempting to connect to your tenant. For example, if you want to block your users from authorizing LinkedIn to scrape your inbox to gather contacts, you can block the User-Agent LinkedInEWS.

Allow Lists (The Whitelisting method)

The more thorough / complex way of securing your tenant is to create a whitelist and only allow specific agents (Outlook, Outlook Web Access, Skype, Lync, Teams, etc.) access to your tenant. Any application (even one you meant to authorize!) which has not been explicitly added to the whitelist will be denied.

Set-OrganizationConfig PowerShell Cmdlet

The following commands use the Set-OrganizationConfig cmdlet from the Exchange Online PowerShell module. It is documented via the following link: Set-OrganizationConfig (exchange)

Step One: Connecting to PowerShell

If you haven’t done so before, here’s a quick snippet for connecting to Exchange Online PowerShell:

Connect-ExchangeOnline -ShowBanner:$false -Device

Step Two: View your current configuration

Next, view your current EWS Allow List with the following command:

Get-OrganizationConfig | select -ExpandProperty EWSAllowList

Or get your current Block List:

Get-OrganizationConfig | select -ExpandProperty EWSBlockList

Step Three: Enable your BlockList or AllowList

In this step, enable either an AllowList or a BlockList. The policy takes a single value, so you cannot enforce both at once.

Option one: BlockList

Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList

Option two: AllowList

Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList

Step Four: Add an item to your BlockList / AllowList

Next, you should add an item to your BlockList or AllowList. Commands below:

Add Item to BlockList

This example adds a BlockList item to deny access to any User-Agent which begins with the string LinkedInEWS (the asterisk is used as a wildcard match):

Set-OrganizationConfig -EwsBlockList @{add='LinkedInEWS*'}

Add Item to AllowList

This example whitelists an item by adding it to a new or existing AllowList:

Set-OrganizationConfig -EwsAllowList @{add='MeetingRoom365/*'}
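The four steps above, combined into one script, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can run Set-OrganizationConfig. The $AllowedAgents list is a constructed sample, and Test-EwsUserAgent is a local helper written here (not an Exchange cmdlet) that predicts the outcome for a given User-Agent by treating list entries as simple asterisk wildcards, approximated with PowerShell’s -like operator; this is an assumption about how Exchange matches entries, useful for sanity-checking a list before you rely on it.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumptions: ExchangeOnlineManagement module installed; the account may change
# organization config; Exchange matches list entries as '*' wildcards (approximated
# locally with -like). $AllowedAgents is a constructed sample list.

# Constructed list of User-Agent patterns we intend to allow ('*' is a wildcard).
$AllowedAgents = @(
    'Mozilla/*',
    'ExchangeServicesClient/*',
    'OWA/*',
    'Microsoft Office/*',
    'Outlook-iOS/*',
    'Outlook-Android/*'
)

function Test-EwsUserAgent {
    # Local helper (assumption, not an Exchange cmdlet): predicts whether a
    # User-Agent would be allowed under the given policy and lists.
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string[]]$AllowList = @(),
        [string[]]$BlockList = @(),
        [ValidateSet('EnforceAllowList', 'EnforceBlockList')][string]$Policy = 'EnforceAllowList'
    )
    if ($Policy -eq 'EnforceBlockList') {
        # BlockList: denied only if some entry matches, otherwise allowed.
        foreach ($pattern in $BlockList) { if ($UserAgent -like $pattern) { return $false } }
        return $true
    }
    # AllowList: allowed only if some entry matches, otherwise denied.
    foreach ($pattern in $AllowList) { if ($UserAgent -like $pattern) { return $true } }
    return $false
}

# --- Step One: connect (device-code sign-in, as in the article) ---
Connect-ExchangeOnline -ShowBanner:$false -Device

# --- Step Two: snapshot the current configuration before changing anything ---
$before = Get-OrganizationConfig |
    Select-Object EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
$snapshot = ".\ews-policy-before-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
$before | ConvertTo-Json -Depth 3 | Out-File $snapshot
Write-Host "Saved current policy to $snapshot"

# --- Steps Three and Four: populate the AllowList, then switch enforcement on ---
# Adding entries before enforcing avoids a window in which an empty AllowList
# is enforced and every client, Outlook included, is denied.
Set-OrganizationConfig -EwsAllowList @{Add = $AllowedAgents}
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList

# --- Verify: re-read the config and predict the result for a few sample agents ---
$after = Get-OrganizationConfig
$samples = @(
    'Outlook-iOS/2.0',                 # constructed, should be allowed
    'Mozilla/5.0 (Windows NT 10.0)',   # constructed, should be allowed
    'LinkedInEWS/1.0'                  # constructed, should be denied
)
foreach ($ua in $samples) {
    $ok = Test-EwsUserAgent -UserAgent $ua `
        -AllowList $after.EwsAllowList `
        -BlockList $after.EwsBlockList `
        -Policy ([string]$after.EwsApplicationAccessPolicy)
    '{0,-32} -> {1}' -f $ua, $(if ($ok) { 'allowed' } else { 'denied' })
}

# To drop an entry later, use the Remove key of the same hashtable syntax:
# Set-OrganizationConfig -EwsAllowList @{Remove = 'OWA/*'}
```

The script deliberately runs the article’s Step Four before Step Three: entries are added first and enforcement is switched on last, so there is never a moment when an empty AllowList is being enforced. The JSON snapshot gives you something to restore from if a required client turns out to be missing from the list; remember the article’s note that propagation can take up to an hour, so the local Test-EwsUserAgent prediction may run ahead of what the service actually enforces.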

That’s it!

These settings may take a few minutes (up to an hour) to propagate.


Bonus: Some Common AllowList Items

As a small bonus, here is a short list of commonly whitelisted items you may need to consider adding to your AllowList if your organization is attempting to adopt an EWSAllowList system:

###############################################
# Web Browsers (all common browser UserAgent 
# strings begin with Mozilla, not just Firefox)
###############################################
Mozilla/*

###############################################
# Desktop Apps
###############################################
ExchangeServicesClient/*
OWA/*
Microsoft Office/*
Microsoft+Office/*

###############################################
# Microsoft Apps
###############################################
LYNC/*
AndroidLync
Outlook-iOS/*
Outlook-Android/*
AndroidLync/*
iPhoneLync/*

###############################################
# Polycom Phones
###############################################
PolycomGroup/*
1.0 Polycom

Read More

https://blogs.technet.microsoft.com/canitpro/2016/04/06/step-by-step-blocking-outside-apps-from-accessing-exchange-web-services/

https://practical365.com/exchange-server/managing-exchange-web-services-in-office-365/