Application Access Policy Support Added to Exchange Web Services in Exchange Online

Microsoft 365 Platform team

The Application Access Policy feature enables an administrator to restrict an AppOnly app's access to a specific set of mailboxes. We previously introduced Application Access Policy support for Microsoft Graph, and we are now adding Application Access Policy support to Exchange Web Services (EWS) in Exchange Online, in response to customer feedback and as a mechanism to ease the transition from EWS to Microsoft Graph.

Background 

Some apps call EWS using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without the presence of a signed-in user. These apps use the OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions (or AppOnly permissions). EWS supports AppOnly access via the “full_access_as_app” scope. This scope enables a client application with EWS access to impersonate all the mailboxes within a customer’s organization. Without this new feature, administrators do not have a way to scope the EWS AppOnly application’s impersonation access to a specific set of mailboxes. Providing more fine-grained EWS permission scopes is a common request that we’ve heard from our EWS partners.

Application Access Policy 

With support for Application Access Policies in EWS, administrators can now limit an AppOnly app’s access to a specific set of mailboxes by specifying an inclusion or exclusion list. Administrators who want to limit a third-party app's access to a specific set of mailboxes can use the Application Access Policy PowerShell cmdlets to configure access control. The following pages describe the functionality of the Application Access Policy feature in detail.
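A sketch of configuring and then verifying an inclusion-list policy with the Exchange Online PowerShell cmdlets (an added example, not code from the original post). The app ID, group address and mailbox addresses are placeholders, and the scope group is assumed to already exist as a mail-enabled security group.

```powershell
# Added example: every identifier below is a placeholder, not a value from the article.
$AppId      = '00000000-0000-0000-0000-000000000000'   # client ID of the AppOnly app
$ScopeGroup = 'ews-app-scope@contoso.example'          # existing mail-enabled security group
$Expected   = @{                                       # mailbox -> outcome the policy should give
    'in-scope.user@contoso.example'     = 'Granted'
    'out-of-scope.user@contoso.example' = 'Denied'
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Inclusion list: the app may reach only mailboxes that are members of $ScopeGroup.
# (-AccessRight DenyAccess would make the group an exclusion list instead.)
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit full_access_as_app to the scoped mailboxes'
}

# Verify the effective result for one mailbox inside and one outside the scope.
# A policy that silently fails to apply leaves the app with tenant-wide access,
# so treat any mismatch as a hard failure.
$mismatches = foreach ($mailbox in $Expected.Keys) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    if ("$($check.AccessCheckResult)" -ne $Expected[$mailbox]) {
        [pscustomobject]@{
            Mailbox  = $mailbox
            Expected = $Expected[$mailbox]
            Actual   = "$($check.AccessCheckResult)"
        }
    }
}

if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    throw 'Application access policy does not match the intended mailbox scope.'
}
Write-Output 'Policy verified: app access is limited to the scoped mailboxes.'
```

Re-running the verification half after any change to the scope group's membership confirms that the app's reach still matches the intended list.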

No (Other) New Investments in EWS 

We announced in 2018 that there wouldn’t be any new feature updates to EWS. We added this support to address customer security concerns.  

As there are no new feature investments in EWS, we strongly suggest migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality. For more information and details on how to make the transition, please refer to the following articles:  

While EWS and Microsoft Graph have mostly overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Microsoft Graph counterpart, please let us know via UserVoice which features your app scenarios need.

Basic Authentication 

This is also a good time to remind everyone that we are retiring Basic Authentication in Exchange Online; if you are using EWS or any other email access protocol like POP, IMAP or EAS in combination with Basic Auth, you need to make sure you are using OAuth and not Basic Authentication. Furthermore, we strongly recommend that you modernize your apps and move to Microsoft Graph. 

Getting Started 

With the new Application Access Policy, you’ll be able to provide users a more secure experience using EWS. Learn more here. 

The Exchange Team 
