App Bug in Exchange 2013 CU6

Exchange 2013 RTM introduced the concept of Apps. Apps are basically plugins or add-ons for OWA and Outlookk that are used to enhance the user’s overall experience. These apps can be disabled completed or enabled selectively in an organization. However, the selective enable function does not work properly in Exchange 2013 CU6.

Prior to CU6 and with CU7 we can selectively enable what users have access to one of the various OWA Apps. In my below examples I am restricting access to LinkedIn using PowerShell where I can scope the app to be only accessible to my login account and no one else:

If we check the success or failure of the command we see that my user account is the only SpecifiedUser who the app is ‘ProvidedTo’:


However, in Exchange 2013 CU6, the results are not the same as previous versions and CU7:

Notice that the ProvidedTo shows as ‘Everyone’ and the UserList has the correct user. The ramifications of this are that everyone has access to this app to as the scope of the application has not been limited correctly. This error is reproducible (a couple of fellow MVPs have confirmed this in different Exchange 2013 CU6 environments).
Recommended Fix
If you are experiencing this issue, your best option is to upgrade your servers to Exchange 2013 CU7 which was just released last week.