SfBMac: Cannot connect to EWS after enabling EWS Access Policy

In a recent support case the Skype for Business Mac client wasn’t connecting to Exchange Web Services (EWS) after the EWS Access Policy was configured with the following cmdlets:

Set-CASMailbox -Identity brick@borderlands.lab -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowOutlook $true -EwsAllowMacOutlook $true
Set-CASMailbox -Identity brick@borderlands.lab -EwsAllowList @{add=’UCWA/*’, ‘OC/*’, ‘OWA/*’}

Get-CASMailbox -Identity brick@borderlands.lab | fl Name,EwsApplicationAccessPolicy,EwsAllowOutlook,EwsAllowMacOutlook,EwsAllowList

EWS was working except on Skype for Business Mac, after reviewing the logs the issue was that SfB Mac user agent is SfBForMac.
To fix this we simply add SfBForMac to the EwsAllowList with:

Set-CASMailbox -Identity brick@borderlands.lab -EwsAllowList @{add=’SfBForMac/*’}

Please note that the previous example was only for a test user, we can also configure it on the Organization Level:

Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowOutlook $true -EwsAllowMacOutlook $true -EwsAllowList @{add=’SfBForMac/*’,’UCWA/*’, ‘OC/*’, ‘OWA/*’}

Get-OrganizationConfig |fl Name,EwsApplicationAccessPolicy,EwsAllowOutlook,EwsAllowMacOutlook,EwsAllowList

The address ‘LyncEnterprise-ApplicationAccount@…’ isn’t a valid SMTP address

Integrating Lync Server 2013 and Exchange 2013 is usually a relative straight forward process. We just need to follow the steps described here:

Integrating Microsoft Lync Server 2013 and Microsoft Exchange Server 2013

One of these steps is to run the script Configure-EnterprisePartnerApplication.ps1 on a Exchange PowerShell. This script will create a User and the Lync Server partner application for Exchange.

“C:Program FilesMicrosoftExchange ServerV15ScriptsConfigure-EnterprisePartnerApplication.ps1 -AuthMetaDataUrl ‘https://<LyncPool>/metadata/json/1&#8217; -ApplicationType Lync”

In a recent deployment, we encountered the following error:


For some reason, the domain Domain 1 was added as Accept Domain in Exchange Server, so the script was trying to use that to create the account.

We have 2 options: either remove Domain 1 as accepted domain from Exchange Server, or manually create the account and run the script again.

$user = New-MailUser -Name LyncEnterprise-ApplicationAccount -ExternalEmailAddress LyncEnterprise-ApplicationAccount@<valid accepted domain>
Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $true;

Now we can run again the script. This time, however, the script will use the account (LyncEnterprise-ApplicationAccount) we have just created:


If the script executes without errors, we get The configuration has succeeded message. That being so, we may continue with the Lync Server 2013 and Exchange Server 2013 integration steps.