Managing Exchange Web Services in Office 365

In this excerpt from Office 365 for Exchange Professionals we look at the controls that are available to you for managing Exchange Web Services.

Exchange Web Services (EWS) is an API that enables client applications to communicate with Exchange Online. Applications can use EWS to retrieve information from Exchange Online services, or to interact with data in Exchange Online mailboxes. For example, an EWS application can retrieve information about calendar items for room mailboxes to determine which items might have an organizer who no longer works for the company.

EWS is also used by Microsoft Outlook for calendar free/busy information, Out of Office settings, calendar sharing, and other features such as MailTips. In general it is a useful protocol, but, as with any protocol used to access Exchange Online, administrators have controls available for a variety of scenarios. EWS controls can be managed at the mailbox level or the organization level.

PS C:\> Get-CASMailbox Alan.Reid | fl ews*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy :
EwsAllowList               :
EwsBlockList               :
PS C:\> Get-OrganizationConfig | fl ews*
EwsAllowEntourage          :
EwsAllowList               :
EwsAllowMacOutlook         :
EwsAllowOutlook            :
EwsApplicationAccessPolicy :
EwsBlockList               :
EwsEnabled                 :

Using the EWS allow or block list

In June of 2013 LinkedIn was found to have implemented a feature that invited users to enter their corporate email credentials on the LinkedIn website. LinkedIn would then connect to the person’s corporate email account and scrape it for email addresses to suggest them as potential contacts that should be invited to connect on LinkedIn. The connection from LinkedIn made use of Exchange Web Services and highlighted the need to monitor and control EWS access to Exchange on-premises and Exchange Online.

Disabling the entire EWS protocol because of one unapproved example of application access would deny your organization the many good things that EWS allows. Fortunately, we can be selective in what we block or allow for EWS by configuring an EWS application access policy. The EWS application access policy can be configured on a per-mailbox basis, or configured for the entire organization.

Continuing with the example of LinkedIn, blocking EWS access by the LinkedIn user agent for the entire organization takes two steps, both using the Set-OrganizationConfig cmdlet. First, set the EWSApplicationAccessPolicy to enforce the block list.

PS C:\> Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList

Next, add the LinkedIn user agent to the EWS block list.

PS C:\> Set-OrganizationConfig -EwsBlockList @{add='LinkedInEWS'}

The EWS block list is a multi-value attribute, so it should be managed using the add/remove methods to avoid overwriting existing values when you make modifications. For example, to also add the OWA for Devices user agent to the block list you would run this command.

PS C:\> Set-OrganizationConfig -EwsBlockList @{add='MOWAHost*'}
PS C:\> Get-OrganizationConfig | fl ewsblocklist
EwsBlockList : {MOWAHost*, LinkedInEWS}

Similarly, to remove an entry you would run this command.

PS C:\> Set-OrganizationConfig -EwsBlockList @{remove='MOWAHost*'}
PS C:\> Get-OrganizationConfig | fl ewsblocklist
EwsBlockList : {LinkedInEWS}

Unlike ActiveSync device access rules, the strings used for EWS block and allow lists can use wildcards for partial matches. However, there is no quarantine action available, only allow or block.

The example above blocks LinkedIn EWS access for the entire organization. If you only wanted to block it for a single mailbox user, the same process applies, but with the Set-CASMailbox cmdlet instead of Set-OrganizationConfig. Enforcing a block list will permit any EWS application that is not in the block list to connect. A more restrictive approach is to enforce an allow list instead, which requires that any EWS application be listed in the allow list before it can connect.

PS C:\> Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList

Enforcing a block or allow list for EWS has no impact on the Entourage, Outlook for Mac, or Microsoft Outlook applications. These applications are controlled with different EWS settings which are discussed next.
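As an added example (not code from the book excerpt), the script below audits the organization-level EWS policy, adds a block-list entry only if it is not already present, and then lists every mailbox that carries its own EWS policy, allow list, block list, or has EWS disabled, since those per-mailbox settings are the exceptions worth reviewing. It assumes an existing Exchange Online remote PowerShell session; the user agent string passed to Add-EwsBlockEntry is a placeholder.

```powershell
# Report the org-wide EWS access policy and its allow/block lists.
function Get-EwsOrgPolicyReport {
    $org = Get-OrganizationConfig
    [PSCustomObject]@{
        Policy    = $org.EwsApplicationAccessPolicy
        BlockList = ($org.EwsBlockList -join ', ')
        AllowList = ($org.EwsAllowList -join ', ')
    }
}

# Add a user agent to the org block list without touching existing entries.
# Skips the Set call when the entry is already there, so the script is safe to re-run.
function Add-EwsBlockEntry {
    param([Parameter(Mandatory)][string]$UserAgent)
    $current = (Get-OrganizationConfig).EwsBlockList
    if ($current -contains $UserAgent) {
        Write-Output "Already in block list: $UserAgent"
        return
    }
    # @{add=...} appends to the multi-value attribute rather than replacing it.
    Set-OrganizationConfig -EwsBlockList @{add=$UserAgent}
    Write-Output "Added to block list: $UserAgent"
}

# List mailboxes whose EWS settings differ from the org defaults (blank values).
function Get-EwsMailboxOverrides {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.EwsApplicationAccessPolicy -or
            $_.EwsAllowList -or
            $_.EwsBlockList -or
            $_.EwsEnabled -eq $false
        } |
        Select-Object Identity, EwsEnabled, EwsApplicationAccessPolicy,
            @{n='EwsAllowList'; e={ $_.EwsAllowList -join ', ' }},
            @{n='EwsBlockList'; e={ $_.EwsBlockList -join ', ' }}
}

# Usage: audit first, then enforce, then review per-mailbox exceptions.
Get-EwsOrgPolicyReport | Format-List
Add-EwsBlockEntry -UserAgent 'LinkedInEWS'   # placeholder user agent from the article
Get-EwsMailboxOverrides | Format-Table -AutoSize
```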

Blocking/allowing Mac clients

There are two separate Mac clients that use Exchange Web Services for connecting to Exchange Online: Entourage and Mac Outlook. Entourage is the older of the two, with the Web Services Edition released in 2008 to allow connectivity to Exchange Server 2007 using EWS. Prior to that, Entourage used WebDAV, which was deprecated in Exchange Server 2007 and removed entirely starting with Exchange Server 2010. Mac Outlook is the version of Outlook that ships with Office for Mac 2011, but the name also refers to the newer version of Mac Outlook that is currently in Public Preview and due for release with Office 2016 for Mac.

The use of Apple Mac computers is common in many corporate and education sectors, but some organizations will have reasons to block the use of Mac email clients. For example, an enterprise that permits BYOD may choose to block Entourage and Mac Outlook and require those users to instead use Outlook Web App or Outlook delivered through an application virtualization infrastructure.

The Mac clients are allowed by default and can be blocked using Set-CASMailbox or Set-OrganizationConfig. For example, to block both Mac clients for a mailbox user you would run the following command.

PS C:\> Set-CASMailbox Alan.Reid -EwsAllowEntourage $false -EwsAllowMacOutlook $false

Other uses for EWS

Exchange Web Services is used by many organizations for custom application development, such as creating integrations between Exchange Online and their in-house line of business applications. It is also the API used for integration between Exchange Online and other Microsoft services such as Skype for Business and SharePoint Online. EWS applications can send and receive email messages, manage calendar items, and a whole lot more.

EWS is also used by many third party migration tools as the protocol for accessing Exchange Online mailboxes. In addition, an ecosystem of “cloud backup” products is starting to grow, using EWS as the access protocol for backing up mailbox items from Exchange Online to cloud storage, meeting the needs of many organizations who would like to make use of Office 365 but are concerned about backup and recovery.

Learn more about managing client access to Exchange Online in Office 365 for Exchange Professionals.


This article Managing Exchange Web Services in Office 365 is © 2015 ExchangeServerPro.com