Microsoft is retiring Exchange Web Services (EWS) for Exchange Online next year.
Published: Feb 21, 2025
Key Takeaways:
Microsoft is preparing to retire Exchange Web Services (EWS) for Exchange Online, with all EWS requests set to be blocked starting October 1, 2026. The company is also implementing a major update to the EWSEnabled tenant-wide switch, changing how organizations manage EWS access.
Exchange Web Services (EWS) is an API that allows applications to access and manage mailbox items such as emails, calendar events, and contacts on Microsoft Exchange servers. It leverages SOAP-based XML messages over HTTP to communicate with the server, which enables cross-platform integration.
As of today, administrators can set the EWSEnabled flag for both the entire organization and individual users. If the user-level flag is set to true, it overrides the organization-level setting, allowing EWS requests even if the organization-level flag is set to false. If either level is set to Null, the default is to allow EWS requests.
However, Microsoft warned that this approach of setting the EWSEnabled flag at both the organization and user levels can create inconsistencies and security issues. Administrators may find it difficult to enforce the same policies throughout the entire organization, leading to potential gaps in security and policy application.
To resolve this problem, EWS will require both the user-level and organization-level EWSEnabled flags to be set to true. This change gives IT admins enhanced control over EWS access and helps to ensure consistent policy enforcement across the organization. This new behavior will begin rolling out to commercial customers in April 2025.
“Going forward, if you want to restrict EWS to specific mailboxes (and we think this is a good idea broadly speaking), you need to ensure those are the only mailboxes with the mailbox specific property set to True, and ensure everyone else has it set to False, and then you can set the Org Wide setting to True,” the Exchange team explained.
Microsoft is making this change to give administrators more control and improve security in Exchange Web Services. However, organizations that rely on the old settings may be affected. To avoid disruptions, Microsoft advises reviewing and updating existing configurations ahead of the transition.
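As an added example (not code from Microsoft or from this article), the following Python sketch models the current and new EWSEnabled rules described above and audits a mailbox export for the allow-list approach the Exchange team recommends. The CSV layout, the mailbox names, the `approved` set and the handling of Null values are assumptions, labelled in the comments.

```python
import csv
import io

# Constructed sample: the shape of a mailbox export with Identity and EwsEnabled columns.
SAMPLE_CSV = """Identity,EwsEnabled
svc-archive@contoso.example,True
svc-legacy@contoso.example,True
alice@contoso.example,
bob@contoso.example,False
"""

def parse_flag(cell):
    """Map an exported cell to True, False or None (flag not set)."""
    text = cell.strip().lower()
    return None if text in ("", "null") else text == "true"

def allowed_today(org, user):
    # Article: a user-level True overrides the org flag; Null defaults to allow.
    # Assumption: an unset user flag falls back to the org flag.
    return user if user is not None else org is not False

def allowed_after_change(org, user):
    # Article: both levels must be True. Assumption: Null still counts as
    # allow, which is the cautious reading for an audit.
    return org is not False and user is not False

def audit(org_flag, csv_text, approved):
    """Return mailboxes that lose EWS at the current org flag, and mailboxes
    that must be set to False before the org flag can safely become True."""
    loses_access, must_set_false = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        identity, user = row["Identity"], parse_flag(row["EwsEnabled"])
        if allowed_today(org_flag, user) and not allowed_after_change(org_flag, user):
            loses_access.append(identity)
        if identity not in approved and allowed_after_change(True, user):
            must_set_false.append(identity)
    return {"loses_access": loses_access, "must_set_false": must_set_false}

if __name__ == "__main__":
    # Org flag False with per-mailbox True exceptions: the pattern that stops working.
    result = audit(False, SAMPLE_CSV, approved={"svc-archive@contoso.example"})
    for key, mailboxes in result.items():
        print(key, mailboxes)
```

Mailboxes listed under `must_set_false` are the ones that would gain EWS access the moment the organization-level flag is switched to True, so they need an explicit False first.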