
Introducing EWSAllowedAppIDs: Preparing for the Final Phase of EWS Retirement

Get Ready for the EWS Retirement in Exchange Online

As we move closer to the retirement of Exchange Web Services (EWS) in Exchange Online, it’s crucial to get prepared. Microsoft has collaborated with various teams, independent software vendors (ISVs), and customers over the years to shift operations to Microsoft Graph and other modern APIs. While many of these transitions are already complete, there’s still work to do.

Introducing EWSAllowedAppIDs

In anticipation of phased EWS disablement set for October 2026, we’re rolling out a new feature called EWSAllowedAppIDs. This allows administrators to prepare in a systematic way. By managing an allow list of app IDs, you can pinpoint remaining dependencies and limit EWS access to just the applications that are necessary, minimising the risk of disruption.

Currently, all tenants can view this parameter when running Get-OrganizationConfig, but the ability to set the list will follow as the rollout progresses.

What is EWSAllowedAppIDs?

EWSAllowedAppIDs is essentially a tenant-level allow list that enables Exchange Online admins to specify which applications are still allowed to access EWS. When this is configured, only apps with IDs on this list will have EWS access while EWSEnabled is set to True at the tenant level.

This new feature aims to facilitate the move away from unrestricted EWS access towards a more controlled usage environment during the retirement phase.

Note: The existing EWSAllowList feature operates on the User Agent rather than the App ID. Both features can be used together, but they check different attributes of the calling application.

Another advantage of this feature is that it allows administrators to:

  • Locate which applications still depend on EWS.
  • Limit EWS access to only those applications that are approved.
  • Get ready for the final retirement of EWS in Exchange Online.

Understanding the Upcoming Changes

We’ve already communicated that EWS will begin its phased disablement in October 2026. To fully grasp the importance of EWSAllowedAppIDs, let’s review how Exchange Online will behave before and after this date.

Before October 2026

| EWSEnabled Value | Allow List State | Behaviour |
| --- | --- | --- |
| Null (default) | Ignored | All EWS traffic allowed |
| True | Empty | All EWS traffic allowed |
| True | Populated | Only listed applications allowed |
| False | Any | All EWS traffic blocked |

This phase allows admins to create and test an allow list without worrying about immediate disruption to existing applications.

Changes Post-October 2026

Starting October 2026, Exchange Online will transition tenants into a retirement enforcement phase. From this point, enabling EWS without an app allow list will no longer mean “everything goes.” Instead, it’ll serve as a block-all configuration unless an allow list is explicitly specified.

| EWSEnabled Value | Allow List State | Behaviour |
| --- | --- | --- |
| Null | Ignored | All EWS allowed (although tenants will eventually have EWS set to False as per Microsoft’s phased rollout) |
| True | Empty | All EWS traffic blocked |
| True | Populated | Only listed applications allowed |
| False | Any | All EWS traffic blocked |

This shift in behaviour is crucial: after enforcement commences, setting EWSEnabled=True without an allow list will mean all traffic is blocked.
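The two tables can be applied to an EWS usage inventory to see which applications lose access when enforcement starts. The following is an added example, not Microsoft's code: the function names, the `ObservedAppIds` input and the placeholder GUIDs are hypothetical, and the script makes no Exchange Online calls.

```powershell
# Added example: pure logic over the two behaviour tables above.
function Test-EwsAppAllowed {
    param(
        [Nullable[bool]]$EwsEnabled,   # $null, $true or $false, as in the tables
        [string[]]$AllowList,          # parsed EWSAllowedAppIDs entries
        [string]$AppId,
        [switch]$PostEnforcement       # set = October 2026 onwards
    )
    if ($null -eq $EwsEnabled) { return $true }    # Null: allow list ignored, all EWS allowed
    if (-not $EwsEnabled)      { return $false }   # False: all EWS traffic blocked
    if ($AllowList.Count -eq 0) {                  # True + empty list:
        return (-not $PostEnforcement)             #   allow-all before, block-all after
    }
    return ($AllowList -contains $AppId.Trim())    # True + populated (-contains ignores case)
}

function Get-EwsReadinessReport {
    param(
        [Nullable[bool]]$EwsEnabled,
        [string]$AllowedAppIds,        # comma-separated string, as passed to Set-OrganizationConfig
        [string[]]$ObservedAppIds      # hypothetical input: App IDs from your EWS usage inventory
    )
    # Parse the stored string; an unset or empty value yields an empty list
    $allow = @("$AllowedAppIds" -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($app in $ObservedAppIds) {
        $before = Test-EwsAppAllowed -EwsEnabled $EwsEnabled -AllowList $allow -AppId $app
        $after  = Test-EwsAppAllowed -EwsEnabled $EwsEnabled -AllowList $allow -AppId $app -PostEnforcement
        [pscustomobject]@{
            AppId         = $app
            BeforeOct2026 = $before
            FromOct2026   = $after
            LosesAccess   = ($before -and -not $after)   # works today, blocked at enforcement
        }
    }
}

# Constructed sample data: placeholder GUIDs, not real applications
$observed = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"

# Scenario 1: EWSEnabled=True with an empty allow list
Get-EwsReadinessReport -EwsEnabled $true -AllowedAppIds "" -ObservedAppIds $observed | Format-Table

# Scenario 2: EWSEnabled=True with only the first app on the allow list
Get-EwsReadinessReport -EwsEnabled $true -AllowedAppIds $observed[0] -ObservedAppIds $observed | Format-Table
```

Rows with `LosesAccess` set are the applications to add to the allow list or migrate before October 2026.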

Why This Retirement Is Important

The aim isn’t simply to keep EWS running forever. It’s to confirm that EWS access is genuinely needed and limit that access to known applications. As we prepare for this transition, here’s what you should consider:

  • Clearly identify which applications require EWS.
  • Restrict access to only those applications.
  • Expedite migration to Microsoft Graph and other modern APIs.

Currently, many tenants may still have EWSEnabled set to Null, allowing unrestricted EWS access. As we approach the phased retirement, these tenants will automatically have EWS disabled.

Steps to Ensure a Smooth Transition

Here’s how to prepare effectively:

  1. Inventory EWS Usage: Identify all applications and services utilising EWS. Use the EWS usage reports from your tenant and review updates from the Message Center to stay informed.
  2. Build Your Allow List: Create an EWSAllowedAppIDs allow list with apps still requiring EWS. If you’ve identified the apps you want to keep, you can easily create a list using a command like:
    Set-OrganizationConfig -EwsAllowedAppIDs "your-app-id-1,your-app-id-2"
  3. Validate Applications: Ensure that all apps on your allow list function correctly and check for any dependencies you might have overlooked. If you need to add or remove an App ID from your list, make sure to read the full list first, tweak it, and then rewrite the entire updated list.

Example Commands for Managing Your Allow List

To add or remove an App ID, here are some examples:

Adding a New App ID

# Read the current allow list
$current = (Get-OrganizationConfig -RetrieveEwsOperationAccessPolicy | Select-Object -ExpandProperty EwsAllowedAppIDs)
# Define the new App ID
$newAppId = "your-new-app-id"
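# Split the stored list, append the new ID, then drop empty entries (the list may be unset) and duplicates
$updated = @(@($current -split ",") + $newAppId | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique)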
Set-OrganizationConfig -EwsAllowedAppIDs ($updated -join ",")

Removing an App ID

# Read the current allow list
$current = (Get-OrganizationConfig -RetrieveEwsOperationAccessPolicy | Select-Object -ExpandProperty EwsAllowedAppIDs)
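# Specify the App ID to remove
$removeAppId = "your-app-id-to-remove"
# Remove the specified App ID, trimming whitespace and skipping empty entries
$updated = $current -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne $removeAppId }
# If this leaves the list empty, the "True / Empty" rows of the tables above apply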
Set-OrganizationConfig -EwsAllowedAppIDs ($updated -join ",")

Final Thoughts

EWS has served the Exchange ecosystem well for nearly 20 years. However, with the growing needs for security, compliance, and efficiency, transitioning to a more modern API platform like Microsoft Graph is essential. By preparing now with the EWSAllowedAppIDs feature, organizations can ensure a smooth and predictable transition.

Take action today to avoid disruption when the phased retirement starts in October 2026. For ongoing updates and resources, visit the page on the deprecation of EWS in Exchange Online.

Frequently Asked Questions

What is the EWSAllowedAppIDs feature?
This feature allows administrators to create a list of App IDs for applications that can still access EWS during its retirement phase.

When will EWS be officially retired?
The phased disablement of EWS will commence in October 2026.

How can I prepare for EWS retirement?
Begin by inventorying which applications use EWS, creating an allow list for necessary applications, and validating those apps.
