From cefba7c362715c3ba8bbb2a0a373ee81ac810f91 Mon Sep 17 00:00:00 2001 From: Greg Taylor <35198174+grtaylor806@users.noreply.github.com> Date: Thu, 4 Jun 2026 15:44:40 -0700 Subject: [PATCH 1/4] Document EwsAllowedAppIDs parameter in Set-OrganizationConfig Added EwsAllowedAppIDs parameter documentation for EWS access control. --- .../Set-OrganizationConfig.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md index 4e72d05cfd..cbfaec2dc4 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md @@ -93,6 +93,7 @@ Set-OrganizationConfig -ShortenEventScopeDefault [-EwsAllowList ] [-EwsAllowMacOutlook ] [-EwsAllowOutlook ] + [-EwsAllowedAppIDs ] [-EwsApplicationAccessPolicy ] [-EwsBlockList ] [-EwsEnabled ] @@ -418,6 +419,7 @@ Set-OrganizationConfig [-DelayedDelicensingEnabled ] [-EndUserMailNotif [-EwsAllowList ] [-EwsAllowMacOutlook ] [-EwsAllowOutlook ] + [-EwsAllowedAppIDs ] [-EwsApplicationAccessPolicy ] [-EwsBlockList ] [-EwsEnabled ] 
@@ -2555,6 +2557,47 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -EwsAllowedAppIDs + +> Applicable: Exchange Online + +This parameter is available only in the cloud-based service. + +The EwsAllowedAppIDs parameter specifies the Azure AD applications that are allowed to access Exchange WebServices (EWS) when the EwsEnabled parameter is set to $true at the organization level. Applications not in thislist are blocked from accessing EWS. You identify each application by its Azure AD application ID (a GUID). + +- When EwsEnabled is $true, only applications specified by this parameter can access EWS. +- When EwsEnabled is $false, all EWS access is blocked regardless of this parameter. +- When EwsEnabled is $null (not configured), this parameter has no effect. + +To specify multiple values, use a comma-separated list of GUIDs: `"AppId1,AppId2,...AppIdN"`. + +To remove all allowed app IDs and stop restricting access by app ID, set this parameter to `$null` or an emptystring. + +**Note**: This parameter only applies to direct EWS (SOAP) connections. It does not affect requests that arrivethrough the Microsoft Graph API or the REST endpoint. + +**Example**: Set-OrganizationConfig -EwsEnabled $true -EwsAllowedAppIDs"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,11111111-2222-3333-4444-555555555555" + +This example restricts EWS access to only the two specified Entra applications. All other applications are blocked from accessing EWS. + +**Example**: Set-OrganizationConfig -EwsAllowedAppIDs $null + +This example removes the allowed app ID restriction, so EWS access is no longer gated by application ID. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Default value: None +Supports wildcards: False +DontShow: False +Position: Named +Mandatory: False +Value from pipeline: False +Value from pipeline by property name: False +Value from remaining arguments: False +``` + ### -EwsApplicationAccessPolicy > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online From 3c172599de7e59febd83c32f5d012f936912a260 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Thu, 4 Jun 2026 16:25:07 -0700 Subject: [PATCH 2/4] Update Set-OrganizationConfig.md --- .../Set-OrganizationConfig.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md index cbfaec2dc4..9b6540dc19 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md @@ -597,6 +597,15 @@ Set-OrganizationConfig -VisibleMeetingUpdateProperties "Location,Subject,Body,Al In Exchange Online, this example results in meeting updates being auto-processed (meeting update messages aren't visible in attendee Inbox folders) except any changes to meeting location, subject and body as well as any property changes within 15 minutes of the meeting start time. +### Example 7 +```powershell +Set-OrganizationConfig -EwsEnabled $true -EwsAllowedAppIDs"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,11111111-2222-3333-4444-555555555555" +``` + +This example restricts EWS access to only the two specified Entra applications. All other applications are blocked from accessing EWS. + +**Note**: To remove the application ID restriction on EWS access, use the value `$null`. + ## PARAMETERS ### -ShortenEventScopeDefault 
@@ -2563,7 +2572,7 @@ Accept wildcard characters: False This parameter is available only in the cloud-based service. -The EwsAllowedAppIDs parameter specifies the Azure AD applications that are allowed to access Exchange WebServices (EWS) when the EwsEnabled parameter is set to $true at the organization level. Applications not in thislist are blocked from accessing EWS. You identify each application by its Azure AD application ID (a GUID). +The EwsAllowedAppIDs parameter specifies the Azure AD applications that are allowed to access Exchange Web Services (EWS) when the EwsEnabled parameter on this cmdlet is also set to the value $true. Unspecified applications are blocked from accessing EWS. You identify each application by its Azure AD application ID (GUID). - When EwsEnabled is $true, only applications specified by this parameter can access EWS. - When EwsEnabled is $false, all EWS access is blocked regardless of this parameter. 
@@ -2571,31 +2580,20 @@ The EwsAllowedAppIDs parameter specifies the Azure AD applications that are allo To specify multiple values, use a comma-separated list of GUIDs: `"AppId1,AppId2,...AppIdN"`. -To remove all allowed app IDs and stop restricting access by app ID, set this parameter to `$null` or an emptystring. +To remove all allowed app IDs and stop restricting access by app ID, use the value `$null` for this parameter. **Note**: This parameter only applies to direct EWS (SOAP) connections. It does not affect requests that arrivethrough the Microsoft Graph API or the REST endpoint. -**Example**: Set-OrganizationConfig -EwsEnabled $true -EwsAllowedAppIDs"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,11111111-2222-3333-4444-555555555555" - -This example restricts EWS access to only the two specified Entra applications. All other applications are blocked from accessing EWS. - -**Example**: Set-OrganizationConfig -EwsAllowedAppIDs $null - -This example removes the allowed app ID restriction, so EWS access is no longer gated by application ID. - ```yaml Type: String Parameter Sets: (All) Aliases: -Default value: None -Supports wildcards: False -DontShow: False +Required: False Position: Named -Mandatory: False -Value from pipeline: False -Value from pipeline by property name: False -Value from remaining arguments: False +Default value: None +Accept pipeline input: False +Accept wildcard characters: False ``` ### -EwsApplicationAccessPolicy From bddcec5966d72be7406930b2e65a2b1af5e15938 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Thu, 4 Jun 2026 16:27:18 -0700 Subject: [PATCH 3/4] Update Set-OrganizationConfig.md --- .../exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md index 9b6540dc19..9475784f3e 100644 
--- a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md @@ -2586,7 +2586,7 @@ To remove all allowed app IDs and stop restricting access by app ID, use the val ```yaml Type: String -Parameter Sets: (All) +Parameter Sets: ShortenEventScopeParameter, DelayedDelicensingParameterSet Aliases: Required: False From cbb2ad46c8d1150981801fb8e450b110963ff926 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Mon, 8 Jun 2026 14:10:08 -0700 Subject: [PATCH 4/4] Update Set-OrganizationConfig.md --- .../exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md index 9475784f3e..81d37f2d7f 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OrganizationConfig.md 
@@ -2576,13 +2576,13 @@ The EwsAllowedAppIDs parameter specifies the Azure AD applications that are allo - When EwsEnabled is $true, only applications specified by this parameter can access EWS. - When EwsEnabled is $false, all EWS access is blocked regardless of this parameter. -- When EwsEnabled is $null (not configured), this parameter has no effect. +- When EwsEnabled is blank ($null; not configured), this parameter has no effect. To specify multiple values, use a comma-separated list of GUIDs: `"AppId1,AppId2,...AppIdN"`. To remove all allowed app IDs and stop restricting access by app ID, use the value `$null` for this parameter. -**Note**: This parameter only applies to direct EWS (SOAP) connections. It does not affect requests that arrivethrough the Microsoft Graph API or the REST endpoint. +**Note**: This parameter applies only to direct EWS (SOAP) connections. It doesn't affect requests from the Microsoft Graph API or the REST endpoint. ```yaml Type: String
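Review bot: In PATCH 1/4, the new `### -EwsAllowedAppIDs` section (hunk at -2555) never says how this allow list interacts with the existing EWS controls that appear beside it in both syntax blocks (`-EwsApplicationAccessPolicy`, `-EwsAllowList`, `-EwsBlockList`). An admin who already uses those cannot tell from this text which control wins when both are set. Add one sentence stating the precedence, or state that the settings are evaluated independently.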
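Review bot: In PATCH 2/4, Example 7 (hunk at -597) has no space between the parameter name and its value: `-EwsAllowedAppIDs"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,...`. The same text was carried over from the inline example in 1/4, and neither 3/4 nor 4/4 touches it. Insert the space so the line reads `-EwsAllowedAppIDs "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,11111111-2222-3333-4444-555555555555"`, since this is the command readers will copy.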
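Review bot: In PATCH 2/4, the rewritten description line (hunk at -2563) still says "Azure AD applications" and "Azure AD application ID", while Example 7 added in the same patch says "the two specified Entra applications". Use one product name throughout the parameter description and the example so readers do not take them for two different kinds of identifier.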
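Review bot: In PATCH 2/4, the removal sentence (hunk at -2571) drops "or an empty string" and now names only `$null`, without saying what an empty string does. If an empty string is still accepted, say whether it clears the list; if it is rejected, say so. Someone scripting a rollback of the restriction needs to know which value is safe to pass.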
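Review bot: In PATCH 3/4, the `Parameter Sets:` line changes from `(All)` to `ShortenEventScopeParameter, DelayedDelicensingParameterSet` with a commit message of only "Update Set-OrganizationConfig.md". Confirm these two names correspond to the two syntax blocks that 1/4 edited (the ones beginning `Set-OrganizationConfig -ShortenEventScopeDefault` and `Set-OrganizationConfig [-DelayedDelicensingEnabled`), and give the reason for the narrowing in the commit message, because nothing in the hunk lets a reviewer check the set names.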
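Review bot: In PATCH 4/4, the three bullets still leave the case "EwsEnabled is $true and EwsAllowedAppIDs is not set" ambiguous. The first bullet, "only applications specified by this parameter can access EWS", reads as if an empty list blocks everything, while the sentence two paragraphs down says `$null` stops "restricting access by app ID". Reword the first bullet to something like "When EwsEnabled is $true and this parameter has a value, only the listed applications can access EWS", and add a bullet for the unset case. The third bullet also deserves a short explicit warning: setting the allow list while EwsEnabled is blank enforces nothing, so the list only takes effect when EwsEnabled is set to $true in the same configuration, as Example 7 does.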