Skip to content

EWS access control changes in Exchange Online

4 min read · For Email Sidebar users on:

Overview

Starting in April 2025, Microsoft is changing how the EWSEnabled setting works in Exchange Online. These changes align with Microsoft’s plan to retire EWS in Exchange Online by October 2026.

To ensure Revenue Grid solutions continue functioning without interruption, Exchange Online administrators must verify that the EWSEnabled flag is set to true for users who connect via EWS at both the organization (tenant) and user (mailbox) levels.

If EWS is not explicitly enabled at both levels, EWS requests will be blocked, and Revenue Grid solutions will stop functioning for affected users.

For more details, refer to The way to control EWS usage in Exchange Online is changing.


What is changing in EWS access control

EWS access in Exchange Online is controlled by the EWSEnabled setting, which can be configured at both the organization (tenant) level and user (mailbox) level:

  • true – EWS access is allowed.
  • false – EWS access is denied.
  • null – The setting is not enforced at that level.

Previous behavior

Previously, user-level settings took priority over the organization-wide setting:

Organization level User level EWS access
true or <null> true or <null> Allowed
true or <null> false Not allowed
false true Allowed (user-level setting overrides org setting)
false false or <null> Not allowed

This configuration allowed individual user settings to override organization-wide policies, leading to inconsistencies.


New behavior

Starting in April 2025, Microsoft is changing this behavior so that EWS is only allowed when both the organization and user-level settings permit it:

Organization level User level EWS access
true or <null> true or <null> Allowed
true or <null> false Not allowed
false true or <null> Not allowed
false false Not allowed

To summarize, EWS access will only be permitted if enabled at both the organization and user levels.


How to prepare for EWS access changes

To ensure uninterrupted access to Revenue Grid solutions, administrators must verify whether:

  1. Revenue Grid is using EWS (including EWS App-Only).
  2. EWS is enabled at the Exchange Online organization (tenant) level.

If Revenue Grid does not use EWS to access your users’ mailboxes, no action is needed—these changes will not affect your organization.

If Revenue Grid does use EWS, you must ensure that EWS is enabled in Exchange Online at both the organization and user levels for affected users.


Step 1: Determine if Revenue Grid uses EWS

To check if Revenue Grid is using EWS API, review the Mailbox access type at both the profile and user levels in the Revenue Grid Admin Panel.

Verify EWS usage at the profile level

  1. Log in to the Revenue Grid Admin Panel and go to Profiles.
  2. Locate the needed profile and check the Mailbox access type column.

Tip

If the Mailbox access type column is not visible:

  1. Click the Gear icon ().
  2. Select the checkbox next to Mailbox access type to display it.

If the Mailbox access type includes EWS API, EWS must be enabled in Exchange Online at both the organization and user levels for users assigned to this profile.

If the Mailbox access type is set to Any, the actual access type varies per user. In this case, proceed to checking user-level connectivity settings.


Review EWS usage for individual users

  1. Log in to the Revenue Grid Admin Panel and do one of the following:
    • Go to the Users page to view all users.
    • Navigate to Profiles → Users to view users associated with a specific profile.
  2. Check the Mailbox access type for each user.

If a user’s Mailbox access type includes EWS API, then EWS must be enabled for this user in Exchange Online at both the organization and user levels.


Step 2: Confirm if EWS is enabled at the Exchange Online organization level

To verify whether EWS is enabled for your organization in Exchange Online, use Exchange Online PowerShell:

  1. Connect to Exchange Online PowerShell:

    Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
    
  2. Check if EWS is enabled at the tenant level:

    Get-OrganizationConfig | Select EwsEnabled
    

If the output is true, EWS is enabled, and no further actions are required.

If the output is false, EWS is disabled. To enable it, follow How to enable EWS at the Exchange Online organization (tenant) level.


Verify if EWS is enabled at the Exchange online user level (optional)

If your organization has already been using Revenue Grid, EWS is likely enabled for existing users in Exchange Online, so there is no need to check their settings.

However, if you want to double-check the setting or ensure that new users have EWSEnabled set to true, follow the instructions below.

Check EWS status for a single Exchange Online user

  1. Connect to Exchange Online PowerShell:

    Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
    
  2. Check if EWS is enabled for a specific user:

    Get-CASMailbox -Identity user@yourdomain.com | Select EwsEnabled
    

If the output is true, no action is needed.

If the output is false, enable EWS for this user. See Activate EWS for a specific user.


Determine EWS status for a group of Exchange Online users

  1. Connect to Exchange Online PowerShell:

    Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
    
  2. Check which users in the group have EWS disabled. Modify the filter Where-Object to match your organization’s attributes:

    Get-CASMailbox -ResultSize Unlimited | 
        Where-Object {$_.Department -eq "Sales" -and $_.EwsEnabled -ne $true} | 
        Select DisplayName, UserPrincipalName
    

If no users are listed, EWS is already enabled for all users in the group.

If users are listed, enable EWS for them. See Allow EWS for users in a specific group.


Summary

  • Beginning in April 2025, Exchange Online will require EWS to be enabled at both the organization and user levels for access to be allowed.
  • If EWS is disabled at either level, EWS requests will be blocked, preventing Revenue Grid solutions from functioning for affected users.
  • To avoid service disruptions, Exchange Online administrators must review and update EWS settings to ensure access remains enabled where needed.

See also