Exchange Online to Restrict EWS Access to Approved Apps Ahead of Retirement

As Exchange Web Services approaches its official phase‑out, Microsoft is rolling out new controls to help organizations manage this process. To ease the transition, the company has introduced a new control feature that lets organizations manage which apps can still access EWS before the shutdown begins.

Exchange Web Services (EWS) is an API that allows applications to interact with data in Exchange Online or on-premises Exchange servers. It enables developers and systems to access and manage emails, calendars, contacts, mailboxes, and other messaging features programmatically, which makes it useful for integrations like email clients, scheduling tools, and enterprise apps.

Why is Exchange Web Services being phased out?

Microsoft first announced the retirement of Exchange Web Services (EWS) in July 2018 and said that the API would no longer receive new feature updates. In 2023, the company confirmed that EWS would be fully disabled in Exchange Online starting in October 2026. The main reason for retiring EWS is that this legacy technology no longer meets modern requirements for security, scalability, and reliability and has largely been replaced by the more advanced and unified Microsoft Graph API.

“The retirement model uses the existing EWSEnabled organization-level setting together with the new EWSAllowedAppIDs allow list. Before October 2026, the behavior is intentionally permissive to give customers time to inventory dependencies, deploy an allow list, and validate which applications still require EWS. This pre-October phase gives administrators room to deploy and test an allow list without immediately breaking existing applications,” the Exchange team explained.

What changes when enforcement begins in October 2026?

Starting in October, Exchange Online will enforce stricter controls as part of the EWS retirement process. Going forward, enabling EWS without an allow list will no longer provide access. Instead, if no allow list is configured, all EWS access will be blocked, and only applications explicitly added to the allow list will continue to function.

This retirement strategy is designed to require explicit acknowledgement of EWS usage and restrict usage to known and approved apps. It also helps to accelerate migration to Microsoft Graph and modern APIs.

According to Microsoft, many tenants currently allow unrestricted EWS access, and this update will automatically disable EWS for such tenants. The company has warned that administrators who haven’t prepared for this change may face service disruptions.

Steps IT administrators should take now

Microsoft urges IT admins to begin preparing for EWS retirement before enforcement begins within their enterprise environments. Administrators must leverage usage reports or monitoring tools to identify all apps and services that still rely on EWS. They should also create a controlled allow list that includes only the applications that still require EWS access.

It’s also recommended to conduct thorough testing to ensure that approved applications continue to work under the new restrictions. Moreover, IT admins must continuously review and update the allow list as they discover new dependencies or retire old ones. They should also actively work with software vendors and internal teams to migrate from EWS to modern alternatives such as Microsoft Graph.