EWS Retirement 2026: Essential Steps for IT Admins Today

The retirement of Exchange Web Services (EWS) in Exchange Online is a critical event for IT administrators, marking the end of an era for a protocol that has long facilitated integrations with Microsoft’s email platform. This transition, slated for full implementation by October 2026, signifies a move towards modern, more secure, and feature-rich alternatives, primarily the Microsoft Graph API. Understanding the implications and taking proactive steps are paramount to ensuring a smooth operational continuity for your organization’s IT infrastructure.

Understanding the EWS Retirement Timeline and Impact

Microsoft first announced the deprecation of EWS in 2018, indicating that it would no longer receive new features, signaling a clear direction towards its eventual retirement. The official retirement date for Exchange Online was set for October 1, 2026, with a complete shutdown planned for April 1, 2027. This phased approach allows organizations time to adapt, but the urgency is increasing as the deadline approaches.

The primary driver behind this retirement is the need for enhanced security, improved scalability, and platform modernization. EWS, built nearly two decades ago, no longer aligns with current security standards and the demands of cloud-based services. The “Midnight Blizzard” security incident in January 2024 further accelerated Microsoft’s efforts to phase out legacy access methods like EWS.

This retirement exclusively impacts Exchange Online environments; EWS will continue to function for on-premises Exchange Server 2016 and 2019 installations. However, organizations with hybrid configurations where mailboxes reside in Exchange Online will be significantly affected. The cessation of EWS functionality will disrupt applications, custom scripts, and third-party tools that rely on it for accessing mailbox data, including emails, calendars, and contacts.

Identifying EWS Dependencies: A Critical First Step

The most crucial action for IT administrators is to accurately identify all applications, scripts, and services within their environment that currently depend on EWS. This can be a complex task, as EWS has been widely adopted for various integration purposes over the years. Microsoft provides tools and guidance to assist in this discovery process.

The Microsoft 365 admin center offers EWS usage reports that can help pinpoint applications and services making EWS calls. For more granular insights, administrators can leverage published PowerShell scripts designed to analyze EWS usage patterns. These scripts can help uncover less obvious dependencies, such as custom automation workflows, legacy data migration tools, or even some third-party backup solutions.

A thorough inventory should include custom-built applications, off-the-shelf software, middleware, and any scripts used for administrative tasks or data synchronization. Pay close attention to solutions that interact with mail, calendar, contacts, or other mailbox items, as these are prime candidates for EWS reliance.

Migrating to Microsoft Graph: The Recommended Path Forward

Microsoft Graph is positioned as the successor to EWS, offering a unified API endpoint for accessing data across the entire Microsoft 365 suite. It provides modern authentication capabilities, granular permissions, and improved efficiency compared to the SOAP-based EWS protocol. Migrating to Microsoft Graph is not just a recommendation; it’s the strategic direction for future development and integration within the Microsoft ecosystem.

The transition involves re-architecting or re-pointing applications that previously used EWS to utilize Microsoft Graph APIs. While Microsoft Graph has achieved near-complete feature parity for most common EWS scenarios, some gaps remain, particularly concerning specific admin functions, public folders, and archive mailbox access. Microsoft is actively working to close these gaps and provides extensive documentation, API mappings, and code samples to facilitate the migration process.

For developers and IT teams, this migration may involve significant code refactoring or re-implementation. Utilizing tools like GitHub Copilot for EWS to Microsoft Graph migration can streamline the coding phase. It’s essential to test thoroughly after migration to ensure all functionalities are working as expected and to address any performance differences.

Implementing an EWS Allow List and EWSEnabled Property Management

As part of the phased disablement, Microsoft is introducing an “AppID Allow List” feature, which allows administrators to explicitly permit specific applications to continue using EWS beyond the initial blocking dates. This feature is crucial for organizations that may not be able to migrate all EWS dependencies before the October 2026 deadline.

Starting in early 2026, administrators will be able to define this AppID Allow List within their tenant. To maintain EWS access for approved applications, the `EWSEnabled` property in the tenant configuration must be set to `True`, and the corresponding AppIDs added to the allow list. This configuration needs to be completed by the end of August 2026 to be excluded from the automatic blocking that begins on October 1, 2026.

Without proactive configuration, Microsoft will change the `EWSEnabled` property to `False` by default for many tenants, effectively blocking all EWS requests. While administrators can re-enable EWS by setting `EWSEnabled` to `True` even after October 1, 2026, it is strongly advised to complete the allow-listing process beforehand to avoid service interruptions. The `EWSEnabled` property can be managed via the Microsoft 365 admin center or through Exchange Online PowerShell.

Addressing Hybrid Scenarios and On-Premises Exchange

Organizations operating in a hybrid environment, with a mix of on-premises Exchange Server and Exchange Online, require specific considerations. EWS is not being retired for on-premises Exchange Server installations; it will continue to function normally. However, applications accessing data in Exchange Online from an on-premises setup must transition to Microsoft Graph.

A key challenge in hybrid environments relates to features like Free/Busy lookups, MailTips, and profile photo synchronization, which often rely on EWS through a Shared Service Principal. This principal was retired in October 2025, necessitating the adoption of a dedicated hybrid application in Entra ID and a transition to Graph-based authentication for these functionalities.

For on-premises mailboxes that need to interact with Exchange Online, it’s important to note that only Exchange Server Subscription Edition (Exchange SE) will support Graph for these calls. This means hybrid customers may need to upgrade their on-premises Exchange infrastructure to Exchange SE to maintain seamless integration with Exchange Online moving forward.

Security and Authentication: The Shift to Modern Protocols

The retirement of EWS is intrinsically linked to Microsoft’s broader security strategy, which emphasizes modern authentication protocols over legacy methods. EWS, being an older SOAP-based protocol, presents a larger attack surface compared to the RESTful Microsoft Graph API, which supports OAuth 2.0. The “Midnight Blizzard” incident highlighted the risks associated with legacy access methods, further underscoring the need for this transition.

For applications that previously used basic authentication with EWS, migrating to OAuth 2.0 with Microsoft Graph is essential. OAuth provides a more secure and flexible authentication model, allowing for granular permissions and reducing the risk of credential compromise. Registering applications in Microsoft Entra ID and obtaining appropriate permissions are key steps in enabling OAuth authentication for Graph API access.

This shift also impacts how applications interact with Exchange Online. While EWS offered broad access, Microsoft Graph allows for more precise control over data access through specific scopes and permissions. Administrators must ensure that applications are configured with the necessary permissions in Entra ID to function correctly after the EWS retirement.

Managing EWS Throttling and Performance

Even before the retirement, IT administrators have had to contend with EWS throttling policies, which are in place to ensure server stability and prevent resource exhaustion. These policies limit the number of requests an application can make within a given timeframe, which can impact the performance of migration tools, backup solutions, and custom integrations.

While direct modification of EWS throttling policies in Exchange Online is no longer possible for administrators, understanding these limits is still crucial. Microsoft may temporarily increase EWS throttling limits upon request through the Microsoft 365 Admin Center or by contacting Microsoft Support, particularly during critical migration periods.

To mitigate the impact of throttling, best practices include spacing out migration batches, avoiding heavy concurrent tasks, and limiting the frequency of requests to mailboxes. Designing applications to handle throttling gracefully, with appropriate retry mechanisms and back-off strategies, is also vital for maintaining operational continuity.

Preparing for the Final Shutdown: Actionable Steps for IT Admins

With the final shutdown of EWS in Exchange Online scheduled for April 1, 2027, organizations must have a comprehensive plan in place. This plan should encompass the following key actions:

* **Inventory and Assess:** Thoroughly identify all EWS dependencies using Microsoft’s reporting tools and scripts.
* **Prioritize Migration:** Categorize applications based on criticality and migration complexity. Focus on essential services first.
* **Migrate to Microsoft Graph:** Begin the process of re-architecting or reconfiguring applications to use Microsoft Graph APIs.
* **Configure Allow List:** If immediate migration is not feasible for all applications, configure the AppID Allow List and set `EWSEnabled=True` by the end of August 2026.
* **Update Hybrid Configurations:** Address any on-premises to Exchange Online integration requirements, potentially involving upgrades to Exchange SE.
* **Test Thoroughly:** Rigorously test all migrated applications and integrations to ensure full functionality and performance.
* **Document Changes:** Maintain clear documentation of all migrated applications, new configurations, and the rationale behind them.
* **Communicate Internally:** Keep stakeholders informed about the EWS retirement timeline, the migration progress, and any potential impacts.

The EWS retirement is a significant undertaking, but with careful planning and execution, IT administrators can navigate this transition successfully, ensuring their organization remains secure, compliant, and operationally efficient in the modern Microsoft 365 environment.