Field note
Exchange Online EWS Retirement: October 2026
EWS retirement is not mainly an API project. For most organisations, it is a supplier and dependency problem hiding inside mail tools, line-of-business apps, scripts, and older clients.
Exchange Web Services is entering its final retirement phase in Exchange Online. Microsoft says phased disablement starts in October 2026 and EWS will be fully disabled in April 2027.
That does not mean every tenant stops on the same day in October. It does mean waiting for a failed application is now a poor migration strategy.
The practical job is to find the remaining EWS traffic, work out which business process creates it, and get a dated answer from the application owner or supplier.
Quick answer
Before October 2026:
- Export the Exchange Online EWS usage report for the last 90 days.
- Map each application ID to an owner, supplier and business process.
- Remove obsolete dependencies and test supported replacements.
- Use
EWSAllowedAppIDsonly as a controlled transition measure. - Keep evidence showing what was tested and who accepted any remaining exception.
An allow list is not a permanent alternative to migration. Microsoft describes Microsoft Graph as the long-term platform for most Exchange Online integration scenarios.
What actually changes
Microsoft has introduced a tenant-level EWSAllowedAppIDs list. It works with the organisation-level EWSEnabled setting and allows only named application IDs to use EWS.
The important behaviour changes when retirement enforcement begins:
| Tenant state | Before October 2026 | During retirement enforcement |
|---|---|---|
EWSEnabled is unset | EWS traffic is allowed | Microsoft will phase the tenant into EWS disabled |
EWSEnabled=True, allow list empty | EWS traffic is allowed | All EWS traffic is blocked |
EWSEnabled=True, allow list populated | Only listed apps are allowed | Only listed apps are allowed |
EWSEnabled=False | EWS traffic is blocked | EWS traffic is blocked |
The easily missed case is EWSEnabled=True with an empty list. Once enforcement applies, that becomes block-all, not allow-all.
Microsoft also warns that writing EWSAllowedAppIDs replaces the full current value. Administrators need to read the existing list, calculate the complete new list, then write it back. Treat that as a controlled change with before-and-after evidence.
Find the dependencies first
The EWS usage report is in the Microsoft 365 admin centre under Reports, Usage, Exchange, EWS usage. It can show 7, 30 or 90 days and is aggregated weekly.
Export the 90-day view. It includes:
- application ID
- SOAP action
- call volume
- last activity date in UTC
Do not stop at the application ID. A useful inventory explains what breaks if that app stops.
| Field | Example of the answer you need |
|---|---|
| Application | Supplier product or internal script name |
| Business process | Calendar sync, mailbox archive, case management, reporting |
| Owner | Named internal person, not just "IT" |
| Supplier position | Supported update, migration plan, or no plan |
| Replacement | Graph, updated client, redesigned workflow, or retirement |
| Test evidence | Date, test account, expected result, actual result |
| Exception end date | A real date before full EWS shutdown |
If the report shows an unfamiliar ID, check Enterprise Applications in Microsoft Entra ID. Also review the relevant Microsoft 365 Message Center posts because Microsoft is sending tenant-specific usage information.
Questions to send suppliers
Avoid asking only, "Do you support modern authentication?" That can produce a technically true but useless answer.
Ask instead:
- Does the current version of your product call Exchange Online through EWS?
- Which application ID should appear in our tenant report?
- Which supported version removes the EWS dependency?
- What replacement API or integration method does it use?
- What functions change during migration?
- What is your tested release date before October 2026?
- If an exception is required, when will it no longer be required?
Keep the response with the change record. A sales assurance without a version number and date is not migration evidence.
A safe test sequence
Start with discovery, not a tenant-wide switch.
- Take a fresh usage export and record current organisation settings.
- Identify a low-risk application with a known owner.
- Confirm its application ID from more than its display name.
- Test the replacement in a non-critical mailbox or controlled user group.
- Verify the full workflow, including calendar recurrence, delegated mailboxes, archives or service accounts where relevant.
- Recheck EWS usage after the test window.
- Add only approved temporary dependencies to the allow list.
- Schedule a second review before phased disablement begins.
Some EWS scenarios still have Microsoft Graph parity work in progress. That makes early testing more important, not less. A genuine feature gap needs an owned exception and migration plan; it should not become a reason to leave all EWS access unrestricted.
Evidence to keep
A compact retirement pack should include:
- dated 90-day EWS usage export
- current
EWSEnabledandEWSAllowedAppIDsstate - application-to-owner inventory
- supplier responses with product versions and dates
- test results for replacements
- approved exceptions and expiry dates
- final validation showing obsolete EWS traffic has stopped
This is enough to explain the risk to leadership and enough for an engineer to resume the work without repeating discovery.
Related route
If the EWS inventory exposes stale enterprise apps, broad permissions or ownerless integrations, fold the work into a wider Microsoft 365 security clean-up.
References
Related notes
11 Jul 2026 · 5 min
Related: smtp auth, exchange online, basic authentication.
19 Feb 2026 · 4 min
Related: exchange online, defender for office 365, mailbox audit.
11 Jul 2026 · 4 min
Related: conditional access, resource exclusions, microsoft entra id.
Need help mapping this to your own tenant, controls, or assessment timeline?