The Many Faces of EWS: Past & Present Use Cases

EWS in Microsoft 365: Why You Must Act Now

As Microsoft 365 continues to evolve, one of the most impactful changes underway is the retirement of Exchange Web Services (EWS) in Exchange Online. While EWS has served as a core integration protocol for over a decade, Microsoft has made it clear: EWS is on the way out, so it is time to say bye bye.

Starting October 1, 2026, EWS access for non-Microsoft apps will be permanently blocked. But the implications come much sooner. Already in August 2025, Microsoft is enforcing temporary EWS outages to drive adoption of its newer, more secure architecture. If your organization is still depending on EWS—whether for calendar syncing, hybrid coexistence, or legacy automation—you risk business disruption, data access failure, or worse: exposure to unpatched security vulnerabilities.

To prepare, it’s essential to understand:

  • Where EWS may still be used
  • Why Microsoft is retiring it
  • What steps you must take to mitigate impact

Let’s explore the historical and current use cases for EWS, and why acting now is critical to ensuring service continuity and strong security posture.

The Many Faces of EWS: Past & Present Use Cases

1. Legacy App Integrations

Third-party applications like Zoom, Cisco, or internal calendar tools historically relied on EWS to access mailbox data, delegate permissions, or manage calendar availability. This includes conference room systems, service bots, and internal line-of-business apps.

Zoom guide on EWS-based integration:
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0077079

Office365ITPros article on Zoom, Cisco & other apps:
https://office365itpros.com/2025/04/29/exchange-web-services-apps/

2. Hybrid Coexistence Features

Features like Free/Busy lookup, MailTips, and photo sharing between Exchange Online and on-prem Exchange all rely on EWS-based hybrid authentication. These use a shared Microsoft-managed service principal.

Microsoft TechCommunity – Hybrid Exchange security changes:
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-security-changes-for-hybrid-deployments/ba-p/4396833

3. Migration and Backup Tools

EWS has powered mailbox migration, backup, and journaling tools for years. Tools like Quest, Transvault, and AvePoint often use EWS to extract messages, folders, and rules.

4. Automation and Admin Scripts

Administrators used EWS in PowerShell scripts to manage rules, folders, calendars, and more—often bypassing more modern APIs due to familiarity or simplicity.


Microsoft’s EWS Retirement Timeline

Oct 2026: EWS for 3rd-party apps permanently blocked in Exchange Online
Oct 2025: Shared hybrid EWS service principal deactivated
Aug–Oct 2025: Microsoft enforcing rolling EWS traffic blocks


🛡️ Security Risk: CVE-2025-53786

Microsoft disclosed a high-risk vulnerability where attackers with admin access to on-prem Exchange could escalate privileges in Exchange Online via the shared hybrid EWS integration. This was formalized as:

CVE details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786

Microsoft blog post explaining the risk:
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-security-changes-for-hybrid-deployments/ba-p/4396833

The solution? Replace the shared EWS principal with a dedicated hybrid app created in Entra ID.

https://learn.microsoft.com/en-us/exchange/hybrid-deployment/deploy-dedicated-hybrid-app


What You Should Do

1. Identify EWS Usage

2. Replace EWS with Microsoft Graph

3. If Hybrid, Deploy Dedicated App Now
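
For step 1, and for the admin scripts described under "Automation and Admin Scripts", one way to inventory EWS references across a folder of scripts and config files. This is an added example, not code from the original post or from Microsoft; the indicator strings (the EWS endpoint path, the EWS Managed API namespace, and the full_access_as_app and EWS.AccessAsUser.All permission names), the file suffix list and the sample script are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Well-known EWS identifiers (general EWS knowledge, not taken from the page).
INDICATORS = {
    "endpoint": re.compile(r"/EWS/Exchange\.asmx", re.I),
    "managed_api": re.compile(r"Microsoft\.Exchange\.WebServices", re.I),
    "app_permission": re.compile(r"\bfull_access_as_app\b", re.I),
    "delegated_permission": re.compile(r"\bEWS\.AccessAsUser\.All\b", re.I),
}
SUFFIXES = {".ps1", ".psm1", ".cs", ".py", ".json", ".xml", ".config"}  # assumed list

def decode_script(raw):
    """Decode file bytes; Windows editors often save .ps1 files as UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def scan_text(text):
    """Return (line_no, indicator, active) per hit; active is False on '#' comment lines."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        active = not line.lstrip().startswith("#")
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((no, name, active))
    return hits

def scan_tree(root):
    """Map each script/config file under root to its EWS hits; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            hits = scan_text(decode_script(path.read_bytes()))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a legacy mailbox script as it might sit on an admin share.
SAMPLE = """\
# old: Add-Type -Path 'C:\\Tools\\Microsoft.Exchange.WebServices.dll'
Add-Type -Path 'C:\\Tools\\Microsoft.Exchange.WebServices.dll'
$svc = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
$svc.Url = 'https://outlook.office365.com/EWS/Exchange.asmx'
"""

if __name__ == "__main__":
    for no, indicator, active in scan_text(SAMPLE):
        print(f"<sample>:{no}: {indicator} ({'active' if active else 'commented'})")
```

Call scan_tree on a script share or repository checkout to get the per-file report. The BOM check matters because a plain UTF-8 search silently misses UTF-16 encoded scripts.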


Final Checklist ready to go

| Task | Deadline | Source |
|---|---|---|
| Identify EWS usage | ASAP | https://office365itpros.com/2025/04/29/exchange-web-services-apps/ |
| Replace third-party EWS apps | Before Oct 2026 | https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-exchange-web-services-in-exchange-online/ba-p/3924440 |
| Create dedicated hybrid app (if needed) | Before Oct 31, 2025 | https://learn.microsoft.com/en-us/exchange/hybrid-deployment/deploy-dedicated-hybrid-app |
| Test hybrid coexistence & Graph readiness | Before Sept 2025 | https://techcommunity.microsoft.com/t5/exchange-team-blog/dedicated-hybrid-app-temporary-enforcements-new-hcw-and/ba-p/4440682 |

BYE BYE EWS

EWS has served the Microsoft ecosystem well, but its time is over. The new era centers around Microsoft Graph, app-specific permissions, and secure cloud-native architecture. Whether you run a hybrid setup or have legacy integrations in place, now is the time to audit, migrate, and harden your environment—before Microsoft enforces it for you.

