Table of Contents
Is Microsoft permanently retiring EWS for Exchange Online tenants in 2027?
The transition from Exchange Web Services (EWS) to Microsoft Graph is a critical infrastructure shift for any organization relying on Exchange Online. Microsoft has formalized the end-of-life timeline, creating a strict six-month window where tenant administrators must actively manage connectivity before a permanent shutdown.
The EWS Retirement Roadmap
Microsoft continues to modernize data access by replacing the 20-year-old Exchange Web Services (EWS) with Microsoft Graph. While planned since 2018, the rigid timeline is now set. This deprecation affects only Exchange Online and Microsoft 365 environments. Organizations running Exchange Server SE (on-premises) remain unaffected and retain full EWS functionality.
The retirement phase occurs between October 1, 2026, and April 1, 2027. During this interim period, Microsoft shifts control from a default “open” state to a “restricted” state, requiring manual intervention to keep legacy applications running.
Technical Enforcement and the EWSEnabled Property
Control relies on the EWSEnabled property within your tenant configuration. This property accepts three values: True, False, or Null (the current default).
Starting October 1, 2026, Microsoft changes the behavior for tenants where this property remains Null. The system will automatically switch these tenants to False, blocking all EWS traffic. To prevent service disruption, administrators typically have two configuration options during the six-month grace period:
- Restricted Access (Recommended): Set EWSEnabled to True. This enforces an AppID “Allow List,” permitting only specific, approved applications to communicate via EWS.
- Unrestricted Access: Manually set EWSEnabled back to Null via PowerShell. This overrides the Microsoft block and allows all applications to function without restriction until the final cutoff.
Required Administrative Actions
Administrators must audit their environment before October 2026 to prevent application failure.
Audit Traffic Immediately
Access the Microsoft 365 Admin Center to review EWS usage reports. Identify which applications currently rely on this protocol.
Populate the Allow List
Microsoft introduces an AppID Allow List feature in early 2026. Administrators should populate this list with critical legacy applications by August 2026 using Baseline Security Mode or Exchange Online PowerShell.
Configure Tenant Settings
Once the Allow List is active, update the EWSEnabled property to True. This ensures your approved apps function while securing the tenant against unauthorized EWS attempts. If you require broad access, you must proactively set the property to Null using Exchange Online PowerShell.
The Final Cutoff
On April 1, 2027, the grace period ends. Microsoft will permanently disable EWS for all Exchange Online tenants. At this stage, the EWSEnabled property becomes irrelevant, and administrators lose all ability to enable the protocol.
Any application not migrated to Microsoft Graph by this date will lose connectivity to Exchange Online data. Organizations must prioritize development resources now to refactor applications toward the Microsoft Graph API to ensure long-term stability.