The way to control EWS usage in Exchange Online is changing
MC1015893
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-02-25 00:29:42
Summary source: Azure OpenAI (gpt-4.1)
Services: Exchange Online
Tags: Feature update, Admin impact
Master tags: Security

One-line summary

Starting April 1, 2025, EWS in Exchange Online will require both tenant and user EWSEnabled flags to be true for access, improving policy enforcement consistency.


Details

Summary
The behavior of the EWSEnabled switch in Exchange Online is changing. Starting April 1, 2025, EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. This change aims to improve policy enforcement consistency. Check the blog for more details: [The way to control EWS usage in Exchange Online is changing](https://aka.ms/EWSEnabledChange).

Body (from Message Center)

We are making a change to the behavior of the EWSEnabled tenant-wide switch in Exchange Online.

[When this will happen:]

This change will roll out worldwide, starting April 1, 2025.

[How this affects your organization:]

If you want to restrict the usage of EWS in your tenant, this change might affect you. The current behavior of the EWSEnabled flag is that it can be set at both the tenant (organization) level and the user (mailbox) level. Currently, when the flag is set to true at the user level, it takes precedence over the organization-level setting. If a setting is Null, it means the setting is not enforced at that level. If Org and user-level are both Null, the default behavior is to allow. This hierarchical structure means that if the organization-level flag is set to false, but the user-level flag is set to true, EWS requests from that user are still allowed. In summary:

| Organization Level | User Level | EWS Requests |
| --- | --- | --- |
| True or <null> | True or <null> | Allowed |
| True or <null> | False | Not Allowed |
| False | True | Allowed |
| False | False or <null> | Not Allowed |

This approach has led to situations where it can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments.

New Behavior

To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. Here's a simplified view of the new logic:

| Organization Level | User Level | EWS Requests |
| --- | --- | --- |
| True or <null> | True or <null> | Allowed |
| True or <null> | False | Not Allowed |
| False | True or <null> | Not Allowed |
| False | False | Not Allowed |

In short, EWS will be permitted only if both the organization and user-level allow it. This change ensures that administrators have better control over EWS access and can enforce policies more consistently across their entire organization.

[Next Steps:]

Please check the blog for additional information and ensure your per-user and tenant wide settings are correct before this change is made to your tenant.
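
One way to run the check described above is to evaluate both truth tables against the tenant's current settings and list the mailboxes whose EWS access changes. This is an added example, not part of the Message Center post; it assumes an already connected Exchange Online PowerShell session, and the helper function names are hypothetical.

```powershell
# Added example (not from the Message Center post).
# Assumes Connect-ExchangeOnline has already been run in this session.

function ConvertTo-TriState($Value) {
    # Normalise $null / '' / True / False (bool or string) to $null, $true or $false.
    if ($null -eq $Value -or "$Value" -eq '') { return $null }
    return [bool]::Parse("$Value")
}

function Test-EwsAllowedOld($Org, $User) {
    # Current behaviour: a non-null user-level value takes precedence;
    # otherwise the organization-level value decides (null means allow).
    if ($null -ne $User) { return $User }
    return ($Org -ne $false)
}

function Test-EwsAllowedNew($Org, $User) {
    # New behaviour: an explicit False at either level blocks EWS.
    return (($Org -ne $false) -and ($User -ne $false))
}

$org = ConvertTo-TriState (Get-OrganizationConfig).EwsEnabled

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $user = ConvertTo-TriState $_.EwsEnabled
    $before = Test-EwsAllowedOld $org $user
    $after  = Test-EwsAllowedNew $org $user
    [pscustomobject]@{
        Mailbox        = $_.Identity
        OrgEwsEnabled  = $org
        UserEwsEnabled = $user
        AllowedBefore  = $before
        AllowedAfter   = $after
        Changes        = ($before -ne $after)
    }
}

# Mailboxes that lose (or gain) EWS access once the new logic applies.
$report | Where-Object Changes | Format-Table -AutoSize

# Overall picture: how many mailboxes are allowed after the change.
$report | Group-Object AllowedAfter | Select-Object Name, Count
```

Per the two tables, the only combination whose outcome differs is organization-level False with user-level True, so an empty first table means the change does not alter access for any mailbox.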

