...
This requires creating/using an azure application with appropriate permissions.
Traffic flow
Assuming Manual Exchange Server configuration on client, no auto discover.
Client sends EWS request to Bastion on special URL. e.g. ews-online.company.com
EWS Filter verifies SphereShield credentials sent by client
EWS Filter obtains authentication token and modifies the request to use the authentication token received from Azure
Bastion sends modified request to Exchange Online
...