Microsoft's Exchange Web Services (EWS) is set to be blocked for users without license rights, marking a significant shift in how applications access mailboxes and data stores in Exchange Online and Exchange Server. Starting March 2026, Microsoft will enforce strict access control, cutting off users with only Microsoft 365 or Office 365 F1 or F3 licenses, or Exchange Online Kiosk licenses, from using EWS. This move is part of Microsoft's ongoing commitment to enhance security and control mechanisms, especially after the Midnight Blizzard incident, which highlighted the vulnerabilities of EWS. The company is now urging users to transition to more comprehensive licenses, such as Exchange Online Plan 1 or 2, or Microsoft 365 or Office 365 E3 or E5 licenses, to avoid disruptions in their operations. The transition is expected to be challenging, but Microsoft has provided ample notice to ensure a smooth process. By October 2026, EWS will be globally disabled for all organizations, emphasizing the urgency of the change. This shift also underscores the importance of staying updated with Microsoft's evolving security measures and the limitations of the Graph API, which is the preferred alternative to EWS. The company is yet to respond to queries about the Graph API's feature parity, leaving users to consider the implications of this transition carefully.
