{"id":5926,"date":"2021-02-05T14:39:56","date_gmt":"2021-02-05T22:39:56","guid":{"rendered":"https:\/\/officedevblogs.wpengine.com\/?p=5926"},"modified":"2021-11-17T12:40:35","modified_gmt":"2021-11-17T20:40:35","slug":"application-access-policy-support-added-to-exchange-web-services","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/application-access-policy-support-added-to-exchange-web-services\/","title":{"rendered":"Application Access Policy Support Added to Exchange Web Services in Exchange Online"},"content":{"rendered":"

The Application Access Policy feature enables an administrator to enforce access control to an AppOnly app to a specific set of mailboxes. We previously introduced Application Access Policy support for Microsoft Graph, and we are now adding Application Access Policy support to Exchange Web Services (EWS) in Exchange Online, in response to customer feedback and as a mechanism to ease transition from EWS to Microsoft Graph.<\/span>\u00a0<\/span><\/p>\n

Background<\/span>\u00a0<\/span><\/h4>\n

Some apps call EWS using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without the presence of a signed-in user. These apps make use of OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions (or\u00a0AppOnly\u00a0permissions). EWS supports\u00a0AppOnly\u00a0access via \u201cfull_access_as_app\u201d scope. This scope enables a client application with EWS access to impersonate\u00a0all\u00a0the\u00a0mailboxes within a customer\u2019s organization.\u00a0Without this new feature, administrators do not have a way to scope the EWS\u00a0AppOnly\u00a0application\u2019s impersonation access to a specific set of mailboxes.\u00a0Providing the ability to have more fine-grained EWS\u00a0permission\u00a0scopes\u00a0is a common request that we\u2019ve heard from our EWS partners.<\/span>\u00a0<\/span><\/p>\n

Application Access Policy<\/span>\u00a0<\/span><\/h4>\n

With\u00a0support for\u00a0Application Access\u00a0Policies\u00a0in EWS,\u00a0administrators\u00a0can\u00a0now limit an\u00a0AppOnly\u00a0app\u2019s access\u00a0to a specific set of mailboxes by specifying an inclusion or exclusion list.<\/span>\u00a0Administrators who want to limit the 3<\/span>rd<\/span>\u00a0party app access to a specific set of mailboxes can use the Application Access Policy PowerShell cmdlets to configure access control.\u00a0The following pages describe the functionality of Application\u00a0Access\u00a0Policy feature in detail.\u00a0<\/span>\u00a0<\/span><\/p>\n