Unsupported Exchange Online mailbox licenses will lose EWS access next year.
Key Takeaways:
Microsoft will block Exchange Web Services (EWS) access for Exchange Online mailboxes with unsupported licenses in March 2026. This move aims to boost security, enforce proper licensing, and push organizations toward modern APIs like Microsoft Graph.
Exchange Web Services (EWS) is a protocol that allows applications to interact with Exchange servers to access mailbox data such as emails, calendar events, contacts, and tasks. It provides a programmatic interface for developers and third-party tools to integrate with Exchange Online or on-premises Exchange, which enables features like syncing, scheduling, and automation beyond what standard email clients offer.
Microsoft mentioned that this upcoming change is a part of its broader effort to phase out EWS to strengthen security and ensure proper license compliance. The retirement of this older protocol should help to reduce vulnerabilities, enforce modern standards, and encourage organizations to adopt newer, more secure APIs like Microsoft Graph for accessing Exchange data.
Starting on March 1, 2026, any EWS request from users without an eligible license will be blocked and return a “403 Forbidden” error. “As stated in the Service Descriptions, these licenses do not provide access to mailboxes via EWS, but these restrictions were never enforced. With this change, EWS access for users with only these license types will be blocked,” the Exchange team explained.
To restore access for affected customers, organizations should assign a license that supports EWS. These include Exchange Online Plan 1 and Plan 2, Microsoft 365/Office 365 E3, and Microsoft 365/Office 365 E5.
Administrators can prepare for this upcoming change by auditing current EWS usage across the organization. This can be done using PowerShell scripts or the Microsoft 365 Admin Center to identify which mailboxes and applications rely on EWS. Once usage is clear, admins should review and update the EWSEnabled setting at both the tenant and mailbox levels to ensure compliance with the new licensing rules.
It’s also recommended to check for any third-party or custom applications that depend on EWS and plan their migration to modern APIs like Microsoft Graph to avoid service disruptions.
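The licence side of the audit described above can be sketched in PowerShell. This is an added example, not a Microsoft script: the function name, the sample inventory, and the mapping of the eligible licences to service plan names are assumptions.

```powershell
# Added example, not Microsoft's script. The plan names below are assumptions
# that map the article's eligible licences to service plan identifiers.
$EligiblePlans = @(
    'EXCHANGE_S_STANDARD',   # Exchange Online Plan 1
    'EXCHANGE_S_ENTERPRISE'  # Exchange Online Plan 2 (also part of E3 and E5)
)

# Hypothetical helper: classifies each mailbox by licence and EwsEnabled flag.
function Get-EwsLicenseRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,
        [string[]] $Eligible = $EligiblePlans
    )
    foreach ($m in $Mailbox) {
        $hasPlan = @($m.ServicePlans | Where-Object { $Eligible -contains $_ }).Count -gt 0
        # EwsEnabled is tri-state: $true, $false, or $null when never set.
        $status = if ($m.EwsEnabled -eq $false) {
            'EWS disabled on mailbox'
        } elseif ($hasPlan) {
            'Eligible licence'
        } else {
            'At risk: 403 Forbidden from 2026-03-01'
        }
        [pscustomobject]@{
            UserPrincipalName = $m.UserPrincipalName
            EwsEnabled        = $m.EwsEnabled
            Status            = $status
        }
    }
}

# Constructed sample inventory. In a live tenant, build the same shape from
# Get-CASMailbox (EwsEnabled) and Get-MgUserLicenseDetail (ServicePlans), and
# read the tenant-level value with (Get-OrganizationConfig).EwsEnabled.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
                       EwsEnabled = $null;  ServicePlans = @('EXCHANGE_S_ENTERPRISE', 'TEAMS1') }
    [pscustomobject]@{ UserPrincipalName = 'kiosk01@contoso.example'
                       EwsEnabled = $true;  ServicePlans = @('EXCHANGE_S_DESKLESS') }
    [pscustomobject]@{ UserPrincipalName = 'svc-sync@contoso.example'
                       EwsEnabled = $false; ServicePlans = @('EXCHANGE_S_DESKLESS') }
)

Get-EwsLicenseRisk -Mailbox $sample | Format-Table -AutoSize
```

Mailboxes reported as at risk are the ones to relicense or move to Microsoft Graph before the cutoff; the check does not account for service plans that are assigned but disabled within a licence.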