In 2018, Microsoft announced that they’ll no longer making feature updates to Exchange Web Services (EWS) in Exchange Online, and advised developers to move to Microsoft Graph.
In 2023, Microsoft announced that on October 1, 2026, they will start blocking EWS requests to Exchange Online.
Today, in Microsoft ongoing commitment to enhance the security and control mechanisms of Exchange Web Services (EWS), Microsoft announcing a significant change in the behavior of the EWSEnabled tenant-wide switch in Exchange Online. This modification provides a more robust framework for managing EWS access within organizations, ensuring both flexibility and security, and is necessary as they continue to work in there plan to disable EWS starting October 2026.
Current Behavior
The EWSEnabled flag can be set at both the tenant (organization) level and the user (mailbox) level. Currently, when the flag is set to true at the user level, it takes precedence over the organization-level setting. If the setting is Null, it means the setting is not enforced at that level. If Org and user-level are both Null, the default behavior is to allow. This hierarchical structure means that if the organization-level flag is set to false, but the user-level flag is set to true, EWS requests from that user are still allowed. In other words:
| Organization Level | User Level | EWS Requests |
| True or <null> | True or <null> | Allowed |
| True or <null> | False | Not Allowed |
| False | True | Allowed |
| False | False or <null> | Not Allowed |
This approach has led to inconsistencies and security concerns. It can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments.
New Behavior
To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. Here’s a simplified view of the new logic:
| Organization Level | User Level | EWS Requests |
| True or <null> | True or <null> | Allowed |
| True or <null> | False | Not Allowed |
| False | True or <null> | Not Allowed |
| False | False | Not Allowed |
In short, EWS will be permitted only if both the organization and user-level allow it. This change ensures that administrators have better control over EWS access and can enforce policies more consistently across their entire organization.
This change will rollout worldwide starting April 2025.
Tenant-level setting
The first thing to check is your tenant setting. To do this, simply run this command in Exchange Online PowerShell
Get-OrganizationConfig | fl EWSEnabled
EwsEnabled :
If the EWSEnabled flag is empty (the default), or set to True – this change won’t affect you, but we still advise you read the per-user settings information below to make sure it matches your expected settings.
If your EWSEnabled flag is set to False, you might see some impact when we enforce this new logic change on your tenant unless you take action now. We encourage you to review the section below to ensure your per-user settings reflect your desired state for who can and cannot use EWS, and then proactively change the tenant wide switch to True to ensure uninterrupted access for users and apps.
User-level setting
As discussed earlier, even if your tenant-wide EWSEnabled switch has been set to False, it’s currently still possible to use EWS, if the per-user setting is set to True (default setting for every mailbox).
To check if EWS is Enabled or Disabled for a specific mailbox, you can run:
Get-CASMailbox User1| fl EWSEnabled
EwsEnabled : True
Catastrophic Failure 