Application Access Policy in EWS with Modern Authentication

When using Modern Authentication for the AskCody Exchange integration, it is relevant to consider the scoping options in Exchange Web Services (EWS).

AskCody is built as a Microsoft EWS application, meaning that the authentication options are both Basic Authentication and Modern Authentication (OAuth 2.0). Announcements from Microsoft regarding the shift towards Modern Authentication and plans for the retirement of Basic Authentication have further set a focus on the scoping options available with Modern Authentication. Previously, only Basic Authentication offered a way to scope access to certain mailboxes. Now Microsoft has added support for Application Access Policies for EWS, meaning that it is now possible to set access policies for the AskCody Modern Authentication application.

How do I configure Application Access Policies?

Configuring an Application Access Policy requires a connection to Exchange Online via PowerShell.

The AskCody Modern Auth application appears under Enterprise applications in the Azure portal as AskCody EWS. Its Application ID is shown in the application list.

The Application ID (AppID) of the AskCody application (Modern Authentication) is needed to set the ApplicationAccessPolicy. Before doing this, it is important to determine which resources the scope must cover, i.e. which mailboxes the AskCody EWS application needs to access.

Below is the standard PowerShell command for creating a new ApplicationAccessPolicy for a given application. Replace <group-email-address> with the group that contains the mailboxes the application may access.

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId <group-email-address> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
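
A policy should be verified after it is created. The script below is an added example, not AskCody's or Microsoft's own code: it creates the policy if the application has none and then uses Test-ApplicationAccessPolicy to confirm that a mailbox inside the scope group is granted and one outside it is denied. The AppId, group and mailbox addresses are placeholders and assumptions to be replaced with your own values.

```powershell
# Added example. All values below are placeholders / constructed sample addresses.
$AppId         = '00000000-0000-0000-0000-000000000000' # placeholder: Application ID of "AskCody EWS"
$ScopeGroup    = 'askcody-scope@example.com'            # assumed group holding the mailboxes AskCody needs
$InScopeMbx    = 'meetingroom1@example.com'             # assumed member of $ScopeGroup
$OutOfScopeMbx = 'finance@example.com'                  # assumed mailbox that is NOT a member

# Requires the ExchangeOnlineManagement module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Create the policy only if this application does not have one yet,
# so re-running the script does not pile up duplicate policies.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict AskCody EWS to members of the AskCody scope group.'
}

# Expected outcome per mailbox once the policy is in place.
$checks = @(
    @{ Mailbox = $InScopeMbx;    Expected = 'Granted' },
    @{ Mailbox = $OutOfScopeMbx; Expected = 'Denied'  }
)

$failed = $false
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    $actual = "$($result.AccessCheckResult)"   # normalise to string for comparison
    if ($actual -eq $check.Expected) {
        Write-Host "OK   $($check.Mailbox): $actual"
    } else {
        Write-Warning "FAIL $($check.Mailbox): expected $($check.Expected), got $actual"
        $failed = $true
    }
}

if ($failed) {
    Write-Warning 'Scope is not enforced as intended. Review group membership and the policy list:'
    Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
        Format-List Identity, ScopeName, AccessRight, Description
}

Disconnect-ExchangeOnline -Confirm:$false
```

A "Granted" result for the out-of-scope mailbox means the application can still reach mailboxes it should not, so check the group membership and the listed policies before relying on the restriction.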

Where can I learn more?

To learn more about how to set up an ApplicationAccessPolicy, watch the webinar we did on this topic (click on Join webinar to watch) or read the full documentation and guide from Microsoft.

Learn how to switch from Basic Auth to Modern Auth in the AskCody Portal in this article.

Microsoft released a blog post about the decision to provide this functionality and their take on EWS in general.