Next, you should add an item to your BlockList or AllowList. Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList Step Four: Add an item to your BlockList / AllowList Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList Option two: AllowList In this step, we will enable one of the following, either an AllowList, or a BlockList. Get-OrganizationConfig | select -ExpandProperty EWSBlockList Step Three: Enable your BlockList or AllowList Get-OrganizationConfig | select -ExpandProperty EWSAllowList Next, you’ll be interested in viewing your current EWS Allow List with the following command: Import-PSSession $Session Step Two: View your current configuration $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection If you haven’t done so before, here’s a quick snippet for connecting to PowerShell: $UserCredential = Get-Credential This is documented via the following link: Set-OrganizationConfig (exchange) Step One: Connecting to PowerShell The following commands will operate under the Set-OrganizationConfigmodule. Any application (even if you meant to authorize it!) which has not been explicitly allowed access on the whitelist will be denied. The more thorough / complex way of securing your tenant is to create a whitelist, and only allow specific agents (Outlook, Outlook Web Access, Skype, Lync, Teams, Etc.) access to your tenant. For example, if you want to block your users from authorizing LinkedIn to scrape your inbox to gather contacts, you can block the User-Agent LinkedInEWS. Block Lists (The Blacklisting method)Ī BlockList denies access to a specific UserAgent (or third-party service) attempting to connect to your tenant. Key concepts: BlockList vs AllowListįor your organization, you will need to decide whether your problem can be solved with a BlockList (easiest), or an AllowList (more complex, but more secure). a determined hacker can spoof any user agent they like, including known user agents you will likely need to whitelist, including the Outlook client). NOTE: this is set by the client, so it should not be used as a primary security mechanism (i.e. This access control list will allow or deny an application making a request to Exchange Web Services based on it’s User-Agent header. This can be a more granular set of controls than the ability to deny access to all third-party apps in Azure Active Directory, or used to achieve a variety of other access control goals. Office 365 inherits a set of access controls from Exchange Web Services grouped under EwsApplicationAccessPolicy, which allow you to whitelist or blacklist specific user agents from accessing Exchange Web Services. A Quick set of PowerShell examples to create and manage blacklisting / whitelisting of Third-Party Application Access to Office 365 / Exchange Web Services
0 kommentar(er)
