
Exchange Online to Block Exchange Web Services (EWS) requests

Some time ago, Microsoft announced the retirement of Exchange Web Services (EWS) for Exchange Online.
Starting October 1, 2026, all EWS requests to Exchange Online will be blocked. Organizations using EWS for applications, integrations, or custom tools should begin transitioning to supported alternatives such as Microsoft Graph.

Exchange Server: no changes apply.

Detect Usage (with Microsoft 365 admin center)

Verify Usage & Export List

Open the following site and see if any applications have been found which are still using EWS:

EWS Usage Report

Lookup App Name

When you find an application ID such as 912357f2-af0a-45a9-8526-000000000000 (as in my example), you still need to find out the application name. Look up the App ID in Entra ID using an additional filter:

EWS App in Entra

If you cannot find the App ID, the app may be owned by Microsoft. Once you have identified the app, contact the product vendor and/or search its FAQ for how to upgrade the app.

| Application Name | Microsoft App (first-party) | Application ID |
|---|---|---|
| Microsoft Office | Yes | d3590ed6-52b3-4102-aeff-aad2292ab01c |
| Office 365 Exchange Online | Yes | 00000002-0000-0ff1-ce00-000000000000 |
| Veeam Backup App | No (self-created by you or a vendor) | 912357f2-af0a-45a9-8526-000000000000 |

Disable Exchange Web Services (EWS)

After switching most applications to another protocol, you can start disabling EWS for applications:

```powershell
# Connect-ExchangeOnline -ShowBanner:$false
Get-OrganizationConfig | fl DisplayName, EWSEnabled # Empty = Enabled
Get-OrganizationConfig | fl DisplayName, *EWS*
#Get-OrganizationConfig | ft DisplayName, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
#Get-OrganizationConfig | Select -ExpandProperty EWSAllowList
#Get-CASMailbox -Identity <mailbox ID> | fl DisplayName,*EWS*
#Get-CASMailbox -Anr admin | ft DisplayName,*EWS*
```

You can either fully disable EWS or use a block list or allow list approach:

```powershell
# Method used: BlockList
# Fully disables EWS for the organization
Set-OrganizationConfig -EWSEnabled $False

# Choose which list is enforced
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList
#Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList

# Allow list entries (matched against the client's User-Agent)
#Set-OrganizationConfig -EwsAllowList @{Add="*Teams/*"} # User-Agent
#Set-OrganizationConfig -EwsAllowList @{Add='ExchangeServicesClient/*'} # User-Agent
#Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}
#Set-OrganizationConfig -EwsAllowList @{Remove="Outlook-iOS/*", "Outlook-Android/*"}
#Set-OrganizationConfig -EwsAllowList @{Remove="MicrosoftOWSPersonalBookings"}

# Block list entries
Set-OrganizationConfig -EwsBlockList @{Add="MicrosoftOWSPersonalBookings"}
#Set-OrganizationConfig -EwsBlockList @{Remove="MicrosoftOWSPersonalBookings"}
#Set-OrganizationConfig -EWSBlockList @{Remove="Outlook-iOS/*", "Outlook-Android/*"}
```
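To see how EWSEnabled, EwsApplicationAccessPolicy and the two lists combine, the following added example (not part of the original post and not Exchange's own logic) models the organization-level decision offline for a few constructed User-Agent strings. The function names `Test-UserAgentInList` and `Get-EwsDecision` are hypothetical, the case-insensitive wildcard matching is an assumption, and per-mailbox settings from Get-CASMailbox are ignored.

```powershell
# Added example: simplified model of the organization-level EWS settings.
# It does not call Exchange Online and ignores per-mailbox (Get-CASMailbox) settings.
function Test-UserAgentInList {
    param([string]$UserAgent, [string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        # Assumption: entries are wildcard patterns matched case-insensitively.
        if ($pattern -and ($UserAgent -like $pattern)) { return $true }
    }
    return $false
}

function Get-EwsDecision {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [Parameter(Mandatory)][hashtable]$OrgConfig
    )
    # An empty EWSEnabled counts as enabled; only an explicit $false disables EWS.
    if ($OrgConfig.EwsEnabled -eq $false) { return 'Blocked: EWSEnabled is False' }

    $policy = $OrgConfig.EwsApplicationAccessPolicy
    if ($policy -eq 'EnforceAllowList') {
        if (Test-UserAgentInList -UserAgent $UserAgent -Patterns $OrgConfig.EwsAllowList) { return 'Allowed: on allow list' }
        return 'Blocked: not on allow list'
    }
    if ($policy -eq 'EnforceBlockList') {
        if (Test-UserAgentInList -UserAgent $UserAgent -Patterns $OrgConfig.EwsBlockList) { return 'Blocked: on block list' }
        return 'Allowed: not on block list'
    }
    return 'Allowed: no application access policy'
}

# Constructed configurations; the second mirrors the active lines in the block above.
$configs = [ordered]@{
    'BlockList only'          = @{ EwsEnabled = $null;  EwsApplicationAccessPolicy = 'EnforceBlockList'; EwsBlockList = @('MicrosoftOWSPersonalBookings') }
    'EWSEnabled False + list' = @{ EwsEnabled = $false; EwsApplicationAccessPolicy = 'EnforceBlockList'; EwsBlockList = @('MicrosoftOWSPersonalBookings') }
    'AllowList'               = @{ EwsEnabled = $null;  EwsApplicationAccessPolicy = 'EnforceAllowList'; EwsAllowList = @('Outlook-iOS/*', 'ExchangeServicesClient/*') }
}
# Constructed User-Agent strings (version numbers are made up).
$userAgents = 'MicrosoftOWSPersonalBookings', 'ExchangeServicesClient/15.00.0913.015', 'Outlook-iOS/2.0', 'SomeBackupTool/1.0'

foreach ($name in $configs.Keys) {
    foreach ($ua in $userAgents) {
        [pscustomobject]@{ Config = $name; UserAgent = $ua; Decision = Get-EwsDecision -UserAgent $ua -OrgConfig $configs[$name] }
    }
}
```

Because the lists match the client-supplied User-Agent header, treat them as a migration aid for phasing out EWS clients rather than as an access control.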

Summary

We covered how to prepare for Exchange Online blocking EWS, a legacy protocol used to access mailbox data. From detecting active usage to identifying apps via Entra ID, the steps help you decide whether to block EWS entirely or control access with allowlists or blocklists in PowerShell.

Wishing you a smooth application review and a great day!

