Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Find out how to control access to EWS for users, applications, or the entire organization.
Whether you are using the EWS Managed API, or EWS directly, in your application, you can control access to Exchange Web Services (EWS). If you have administrator access to your Exchange server, you can manage access to EWS by using the Exchange Management Shell to control access globally, for each user, and for each application. For more information, see Connect to Exchange servers using remote PowerShell.
Exchange Management Shell cmdlets for configuring access control
You can use the following Exchange Management Shell cmdlets to view the current access configuration and set EWS access controls:
- Get-CASMailbox - Shows you what parameters are set for a particular mailbox.
- Set-CASMailbox - Sets parameters for a particular mailbox.
- Get-OrganizationConfig - Shows you the parameters for the entire organization.
- Set-OrganizationConfig - Sets the parameters for the entire organization.
Note
The way the EWSEnabled parameter operates will change in October 2026 due to the EWS Deprecation. For more information, see Exchange Online EWS, Your Time is Almost Up.
Examples: Controlling access to EWS
Let's take a look at a few scenarios that show you how you can control access to your application.
Table 1. Commands for controlling access to EWS
| If you want to | Use this command |
|---|---|
| Block all client applications from using EWS. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowListThis allows applications listed in the AllowList to connect. In this example, no applications are included in the AllowList, so no applications can use EWS. |
| Allow a list of client applications to use EWS (Based on User Agent). | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowList -EwsAllowList:"OWA/*"This allows specific applications to use EWS. In this example, any application that has a user agent string that starts with "OWA/" is allowed access. |
| Allow a list of client applications to use EWS (Based on Application ID). | Set-OrganizationConfig -EwsAllowedAppIDs "11111111-2222-3333-4444-555555555555,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"When EWSEnabled is set to True, only the Application IDs in this list can use EWS. |
| Allow all client applications to use EWS except those that are specifically blocked (Based on User Agent). | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"OWA/*"This example only blocks applications from using EWS that have a user agent string that starts with "OWA/". |
| Allow all client applications to use EWS. | Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList Because no BlockList is specified, all applications can use EWS unless blocked by Application ID. |
| Block the entire organization from using EWS. | Set-OrganizationConfig -EwsEnabled:$false Important: Disabling EWS in the organization also disables per-user EWS overrides. |
| Allow the entire organization to use EWS. | Set-OrganizationConfig -EwsEnabled:$true Important: The default value Null is treated as EwsEnabled set to True. |
| Block an individual mailbox from using EWS. | Set-CASMailbox -Identity adam@contoso.com -EwsEnabled:$false |
| Allow an individual mailbox to use EWS. | Set-CASMailbox -Identity adam@contoso.com -EwsEnabled:$true |