Table of Contents
- What’s Behind the Exchange Online Tenant Setting Issue? How Can You Regain Control?
- Technical Background and Root Cause
- Symptoms Reported
- Actionable Steps for Administrators
- Check Tenant-Level EWS Setting
- Update EWSEnabled Setting
- Verify Per-User Settings
- Monitor Microsoft Incident Reports
- Escalate Support Cases with Documentation
- Key Takeaways
What’s Behind the Exchange Online Tenant Setting Issue? How Can You Regain Control?
Since mid-May 2025, Exchange Online administrators have reported being unable to change mailbox settings or permissions across multiple Microsoft 365 tenants. Attempts to adjust permissions, set up mail redirects, or delegate mailbox access fail in both the Admin Center and Outlook, often with error messages indicating insufficient authorization-even for tenant admins.
The issue is widespread, affecting both shared and personal mailboxes, and has been confirmed by multiple IT professionals. Related problems have also been observed in SharePoint, such as hub site assignments not functioning as expected.
Technical Background and Root Cause
Microsoft introduced a significant change to the way Exchange Web Services (EWS) is managed in Exchange Online, rolling out globally from April 2025. Previously, enabling EWS at the user (mailbox) level could override the organization-wide (tenant) setting. Now, both the tenant and user-level EWSEnabled flags must be set to True for EWS functionality to work.
If the tenant-wide EWSEnabled flag is set to False, all EWS-dependent operations-including mailbox permission changes-are blocked, regardless of user-level settings. Microsoft incident EX1072592, dated May 13, 2025, confirms a code regression caused by a recent service update, which is preventing some users from utilizing Exchange Online features like auto-forwarding.
Symptoms Reported
- Inability to change mailbox permissions or set up redirects in the Admin Center or Outlook.
- Error messages indicating lack of authorization or referencing server-side issues, even for global admins.
- Microsoft Support requests for network traces and step-by-step recordings, but slow or ineffective resolution.
- Similar issues observed in SharePoint hub site assignments, suggesting broader Microsoft 365 service impacts.
Actionable Steps for Administrators
Check Tenant-Level EWS Setting
Run the following PowerShell command:
Get-OrganizationConfig | fl EWSEnabled
If EWSEnabled is False, mailbox operations relying on EWS will fail.
Update EWSEnabled Setting
To restore mailbox management capabilities, explicitly set the tenant-wide EWS flag to True:
Set-OrganizationConfig -EWSEnabled $true
This must be done even if user-level settings are already True.
Verify Per-User Settings
Check individual mailbox EWS settings:
Get-CASMailbox User1 | fl EWSEnabled
Ensure both tenant and user-level settings are aligned for required accounts.
Monitor Microsoft Incident Reports
Track ongoing incident EX1072592 and related updates from Microsoft for broader resolution.
Escalate Support Cases with Documentation
Provide clear logs, error messages, and configuration screenshots to Microsoft Support for faster escalation.
Key Takeaways
- The inability to change Exchange Online tenant settings since mid-May 2025 is directly linked to Microsoft’s new enforcement of the EWSEnabled flag at both the tenant and user level.
- Immediate remediation requires updating the tenant-wide EWS setting to True, followed by verification of per-user settings.
- Staying informed of ongoing Microsoft service incidents and proactively managing EWS settings will help maintain administrative control and minimize business disruption.