Prerequisites:
- First, install PowerShell if you haven’t already. https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-7.1
Understanding Office 365’s Access Policies:
- Office 365 inherits a set of access controls from Exchange Web Services grouped under the EwsApplicationAccessPolicy, which allows you to whitelist or blacklist specific user agents from accessing Exchange Web Services.
- This helps to achieve a more granular set of controls than the ability to deny access to all third-party apps in Azure Active Directory.
- This access control list will allow or deny an application making a request to Exchange Web Services based on its User-Agent header.
- You can set access policies for “Block List” and “Allow List”:
  - Block Lists (EwsBlockList)
    - A Block List denies access to a specific User Agent (or third-party service) attempting to connect to your tenant.
  - Allow Lists (EwsAllowList)
    - The more complex way of securing your tenant is to create a whitelist, and only allow specific agents (Outlook, Skype, Teams, Calendar, etc.) access to your tenant. Any application which has not been explicitly allowed access on the whitelist will be denied.
Steps:
- Connecting to PowerShell.
If you haven’t done so before, here’s a quick snippet for connecting to PowerShell:
PS> $UserCredential = Get-Credential
PS> $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
PS> Import-PSSession $O365Session -AllowClobber -DisableNameChecking
- Verify existing access policy method
PS> Get-OrganizationConfig | select EwsApplicationAccessPolicy
- Update your policy to allow Calendar.com. This is based on the output from the previous step:
  - If the access policy is set to EnforceAllowList:
    - View your current EWS Allow List:
PS> Get-OrganizationConfig | select -ExpandProperty EWSAllowList
    - If Calendar.com’s user agent is not whitelisted, then run:
PS> Set-OrganizationConfig -EwsAllowList @{add='calendar.com'}
  - OR, if the access policy is set to EnforceBlockList:
    - View your current EWS Block List:
PS> Get-OrganizationConfig | select -ExpandProperty EWSBlockList
    - If Calendar.com’s user agent is block listed, then run:
PS> Set-OrganizationConfig -EwsBlockList @{remove='calendar.com'}
That’s it!
These settings may take a few minutes (up to an hour) to propagate.
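The steps above combined into one check, as an added example that is not part of the original article: it reads the policy mode, decides whether 'calendar.com' needs to be added to the allow list or removed from the block list, and only then changes anything. The function names `Get-EwsAgentChange` and `Set-EwsAgentAccess` and the sample objects are hypothetical; it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example (not from the original article).
# Assumes an Exchange Online PowerShell session is already imported, so that
# Get-OrganizationConfig and Set-OrganizationConfig are available.

# Hypothetical helper: decide which change, if any, one user agent needs.
# Entries are compared as exact strings (case-insensitive); wildcard entries
# already present in a list are not expanded.
function Get-EwsAgentChange {
    param(
        [Parameter(Mandatory)] $OrgConfig,   # object returned by Get-OrganizationConfig
        [string] $Agent = 'calendar.com'     # user-agent string used in this article
    )
    switch ([string]$OrgConfig.EwsApplicationAccessPolicy) {
        'EnforceAllowList' {
            if (@($OrgConfig.EwsAllowList) -contains $Agent) { 'None' } else { 'AddToAllowList' }
        }
        'EnforceBlockList' {
            if (@($OrgConfig.EwsBlockList) -contains $Agent) { 'RemoveFromBlockList' } else { 'None' }
        }
        default { 'None' }   # neither list is enforced, nothing to change
    }
}

# Hypothetical wrapper: read the live configuration, apply the change, show the result.
function Set-EwsAgentAccess {
    param([string] $Agent = 'calendar.com')
    $change = Get-EwsAgentChange -OrgConfig (Get-OrganizationConfig) -Agent $Agent
    switch ($change) {
        'AddToAllowList'      { Set-OrganizationConfig -EwsAllowList @{add = $Agent} }
        'RemoveFromBlockList' { Set-OrganizationConfig -EwsBlockList @{remove = $Agent} }
    }
    Write-Host "Change applied for '$Agent': $change"
    Get-OrganizationConfig | Select-Object EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
}

# Offline dry run on constructed sample objects (not real tenant output).
$samples = @(
    [pscustomobject]@{ EwsApplicationAccessPolicy = 'EnforceAllowList'; EwsAllowList = @('Outlook*'); EwsBlockList = @() }
    [pscustomobject]@{ EwsApplicationAccessPolicy = 'EnforceBlockList'; EwsAllowList = @(); EwsBlockList = @('calendar.com') }
    [pscustomobject]@{ EwsApplicationAccessPolicy = $null; EwsAllowList = @(); EwsBlockList = @() }
)
foreach ($s in $samples) { Get-EwsAgentChange -OrgConfig $s }

# Against a connected tenant, run: Set-EwsAgentAccess
```

Because the helper only changes a list when the policy mode makes that list relevant, re-running it after the change has propagated is a no-op.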