Blog Post

Exchange Team Blog

4 MIN READ

The way to control EWS usage in Exchange Online is changing

Microsoft

Feb 20, 2025

In our ongoing commitment to enhance the security and control mechanisms of Exchange Web Services (EWS), we are announcing a significant change in the behavior of the EWSEnabled tenant-wide switch in Exchange Online. This modification provides a more robust framework for managing EWS access within organizations, ensuring both flexibility and security, and is necessary as we continue to work on our plan to disable EWS starting October 2026.

Current Behavior

The EWSEnabled flag can be set at both the tenant (organization) level and the user (mailbox) level. Currently, when the flag is set to true at the user level, it takes precedence over the organization-level setting. If the setting is Null, it means the setting is not enforced at that level. If Org and user-level are both Null, the default behavior is to allow. This hierarchical structure means that if the organization-level flag is set to false, but the user-level flag is set to true, EWS requests from that user are still allowed. In other words:

Organization Level	User Level	EWS Requests
True or <null>	True or <null>	Allowed
True or <null>	False	Not Allowed
False	True	Allowed
False	False or <null>	Not Allowed

This approach has led to inconsistencies and security concerns. It can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments.

New Behavior

To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. Here's a simplified view of the new logic:

Organization Level	User Level	EWS Requests
True or <null>	True or <null>	Allowed
True or <null>	False	Not Allowed
False	True or <null>	Not Allowed
False	False	Not Allowed

In short, EWS will be permitted only if both the organization and user-level allow it. This change ensures that administrators have better control over EWS access and can enforce policies more consistently across their entire organization.

This change will rollout worldwide starting April 2025.

Tenant-level setting

The first thing to check is your tenant setting. To do this, simply run this command in Exchange Online PowerShell

Get-OrganizationConfig | fl EWSEnabled
EwsEnabled :

If the EWSEnabled flag is empty (the default), or set to True – this change won’t affect you, but we still advise you read the per-user settings information below to make sure it matches your expected settings.

If your EWSEnabled flag is set to False, you might see some impact when we enforce this new logic change on your tenant unless you take action now. We encourage you to review the section below to ensure your per-user settings reflect your desired state for who can and cannot use EWS, and then proactively change the tenant wide switch to True to ensure uninterrupted access for users and apps.

User-level setting

As discussed earlier, even if your tenant-wide EWSEnabled switch has been set to False, it’s currently still possible to use EWS, if the per-user setting is set to True (default setting for every mailbox).

To check if EWS is Enabled or Disabled for a specific mailbox, you can run:

Get-CASMailbox User1| fl EWSEnabled
EwsEnabled : True

Does This Change Affect You?

We recognize that this change may impact tenants who have relied on the previous behavior. Specifically, if your organization-level flag is set to False, but you have user-level flags set to true, EWS requests will start to be blocked when this change rolls out, which was not the case before. Therefore, we advise you to review and adjust your settings to ensure continuity of service.

Going forward, if you want to restrict EWS to specific mailboxes (and we think this is a good idea broadly speaking), you need to ensure those are the only mailboxes with the mailbox specific property set to True, and ensure everyone else has it set to False, and then you can set the Org Wide setting to True.

Conclusion

This change to the EWSEnabled tenant-wide setting represents our dedication to providing better administrative control and improving security within Exchange Web Services. We believe this change will lead to more consistent policy enforcement and a more secure environment for all users.

We encourage administrators to review their current settings and prepare for this update.

We have sent this information out to all tenants via the Message Center (MC1015893 or MC1015890, depending on the cloud you are in), but we’ve also sent out an additional post to tenants we see have the tenant wide switch set to False, but still have successful EWS usage too (meaning they likely have been using this switch in some way) - MC1015906.

If you have any questions, please post them below and we’ll do our best to help.

Thank you for your continued partnership and commitment to enhancing the security and functionality of our services.

The Exchange Team

Updated Feb 26, 2025

Version 2.0

Microsoft

Joined April 19, 2019

View Profile

Exchange Team Blog

You Had Me at EHLO.

j_ware
Copper Contributor
Mar 11, 2025
In preparation for this we changed our CAS Mailbox Plans to "EWSEnabled" False, and then set everyone's CAS Mailbox setting "EWSEnabled" to False as well except for a few service account mailboxes that use EWS with OAuth 2, but this broke Outlook Classic free/busy lookups, so EWS is still used by Outlook.

Nino_Bilic How will this be handled by Microsoft once EWS calls to Exchange Online are disabled on Oct 2026? Outlook Classic is supported till 2029.
- Nino_Bilic
  Microsoft
  Mar 12, 2025
  The bottom line is - all Microsoft apps (just like 3rd party apps) have to solve their reliance on EWS by then.
PankajNTT
Brass Contributor
Mar 07, 2025
Nino_Bilic ThRudolfMSFT
Hello, As per switch EWS orgwide setting is empty in my org but yes as per default settings I am sure EWS is enabled for all users but how do we determine if EWS is still needed for the mailboxes.
Is there any report we can check for the mailboxes\applications who are actually using EWS?
whose tenant EWS is set to empty do we need to perform anything, or we are good.?
- Nino_Bilic
  Microsoft
  Mar 07, 2025
  By default EWS is enabled for all mailboxes (TRUE) and the setting on the tenant is empty. In the future (when EWS is disabled service side) tenant switch will be set to FALSE.
  
  In the mean time, to answer a question on how to determine who is using EWS, we are working on a separate blog post that will cover this, coming "soon".
  
  As of right now, you will see many things (even Microsoft things) still use EWS; things like Outlook, Teams, etc. We (Microsoft) will take care of our software, but when we release this, you'll be able to start gathering information what else might use EWS also.
  - PankajNTT
    Brass Contributor
    Mar 10, 2025
    Nino_Bilic As per the below statement by MS, if EWS flag is empty then there is no impact, so we should not worry once MS rolled out the CHG starting Apr 25, right?
    ""If the EWSEnabled flag is empty (the default), or set to True – this change won’t affect you, but we still advise you read the per-user settings information below to make sure it matches your expected settings.""
    
    Yes, you are right EWS is enabled default for all the mailboxes but I dont see any way to determine if they actually need EWS.
    I am sure application is using EWS but this change will not impact to them, I believe.?
PaulJones1010
Copper Contributor
Mar 06, 2025
We've been trying to simulate how it will affect our EWS app. I disabled the EWSEnable flag at both the org & mailbox level and after 3 days our app still functions as normal without issue? For context our app is registered in entra and uses App-Only permissions (in particular full_access_as_app). It also uses OAuth client credential flow for the bearer access token etc..
Any ideas why this is still working for us? Is it possible this EWSEnable flag doesn't affect the type of app we have as it's using a different permission model etc..?
PankajNTT
Brass Contributor
Mar 03, 2025
Hello, As per switch EWS orgwide setting is empty in my org but yes as per default settings I am sure EWS is enabled for all users but how do we determine if EWS is still needed for the mailboxes.
Is there any report we can check for the mailboxes who are actually using EWS?
whose tenant EWS is set to empty do we need to perform anything, or we are good.?
onandoff
Brass Contributor
Feb 27, 2025
It's really puzzling where this 'bright' idea came from. How is individually touching tens of thousands of mailboxes to disable EWS (and maintaining this practice for all new mailboxes) is better than disabling at org level and having a few mailboxes allowed to use EWS by overriding at mailbox level.

What is the reasoning behind default should be enabled for all just to have it for a few?

Instead, why not continue to leave the individual setting override the org, and change the default setting for new mailboxes from True to Null ? In this way by default all mailboxes will have it disallowed and only a handful which really need EWS can be explicitly set?

This seems to go completely against best practices ...
SevenOfNine
Brass Contributor
Feb 26, 2025
You wrote "The old behavior has led to inconsistencies and security concerns. It can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments. To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true."
No, the new behavior is NOT more secure. If I have a handfull of users, who are an exception, I explicitly set them to "allow", while the Default is false.
Now, I have to set the Default to true, to allow a few exceptions. But new mailboxes get the default, i.e. they are allowed. I have lost control instead of gaining it. Moreover I now have to write a script that runs regularly to find these new mailboxes and set them to false. I am no programmer, so for me it is difficult to write an error proof script, especially with the the challenges of automated access to M365 and the ever changing APIs. The script will run mabye hourly. So there is a security gap, assuming the script runs successfully.
You call that an improvement for security and administration? No, it is **bleep** stupid.
pmckinstry
Copper Contributor
Feb 25, 2025
So now there is no way to "Not Allow" for the entire organization and "Allow" for just select users. If I want to disable this for 700 students and allow if for 70 faculty, I have to touch 700 student accounts to turn it off. The old way, I only needed to touch 70 faculty accounts to enable it. Have I got that right?
Edwin van Brenk
Copper Contributor
Feb 25, 2025
How is enabling a setting orgwide more secure than having it disabled?
Jan Aarts
Brass Contributor
Feb 25, 2025
Very much agreed; I don't like this change at all; I don't see any reason to get it enabled tenant-wide while you only need to have a few mailboxes access to EWS.
ThRudolfMSFT
Microsoft
Feb 21, 2025
I see the intention behind this approach, but it doesn't align with the established rules in the Exchange environment, where more granular permissions take precedence. Additionally, there isn't a straightforward method to identify mailboxes that will require access permissions in the future.