Microsoft Has Changed EWS Access: How it Impacts Mailbox Migration
Microsoft has announced a significant change in how Exchange Web Services (EWS) access is controlled within Exchange Online. The update is set to roll out worldwide this month. It’s a change aimed at providing administrators with more security and control over managing EWS.
While Microsoft is working toward disabling EWS starting in late 2026, the current change fixes the logic in the settings hierarchy, which gave user-level settings preference over the organization-level setting. Here’s a simple summary of the before and after:
Old behavior: Previously, if the organization-level EWS setting was disabled (set to False), but a user’s mailbox-level EWS setting was enabled (set to True), that user could still access EWS. This allowed user-level settings to override organization-wide configurations, leading to potential inconsistencies in policy enforcement.
New behavior: With the change, EWS access is only permitted if both the organization-level and user-level EWS settings are enabled (set to True). This means the organization-level setting can no longer be overridden at the user level. Settings controlled at the organization level ensure consistent and secure management of EWS access across the environment.
Implications for MigrationWiz users: If you use MigrationWiz for migrating Exchange Online, be sure to review and adjust your EWS settings to prevent disruptions. Here’s a handy guide:
- Check the organization-level EWS setting by running the following command in Exchange Online PowerShell:
  - Get-OrganizationConfig | fl EWSEnabled
  - If the EWSEnabled flag is empty (the default) or set to True, EWS is enabled at the organization level.
  - If set to False, EWS is disabled organization-wide, which will block EWS access regardless of user-level settings.
- To review user-level EWS settings for a specific mailbox, or ensure that users requiring EWS access have it enabled, run:
  - Get-CASMailbox [UserIdentity] | fl EWSEnabled
  - Replace [UserIdentity] with the user’s identifier.
- If your organization relies on EWS for migration or other services, adjust the settings to enable access at the organization level and at the user level as necessary. The changes by Microsoft provide better administrative control, so you can disable access at the organization level or for specific users.
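The following is an added example, not BitTitan's or Microsoft's code: it applies the new "both levels must be enabled" rule to organization-level and mailbox-level values and flags mailboxes that previously depended on the user-level override. The function names and sample mailboxes are constructed, and treating an empty mailbox-level value as enabled is an assumption carried over from the organization-level default described above.

```powershell
# Added example: evaluate EWS access under the "both settings must be True" rule.
# Assumption: an empty (null) flag counts as enabled at the mailbox level too,
# matching the organization-level default described in the article.
function Test-EwsFlagEnabled {
    param([AllowNull()][Nullable[bool]]$Value)
    return ($null -eq $Value) -or [bool]$Value
}

function Get-EffectiveEwsAccess {
    param(
        [AllowNull()][Nullable[bool]]$OrgEwsEnabled,
        [Parameter(Mandatory)][object[]]$Mailboxes
    )
    $orgOn = Test-EwsFlagEnabled $OrgEwsEnabled
    foreach ($mbx in $Mailboxes) {
        $userOn = Test-EwsFlagEnabled $mbx.EwsEnabled
        [pscustomobject]@{
            Identity       = $mbx.Identity
            UserEwsEnabled = $mbx.EwsEnabled
            # New behavior: both levels must allow EWS.
            EwsAllowed     = $orgOn -and $userOn
            # Old behavior let an explicit user-level True beat an org-level False;
            # these mailboxes lose EWS access once the change reaches the tenant.
            LosesOverride  = (-not $orgOn) -and ($mbx.EwsEnabled -eq $true)
        }
    }
}

# Constructed sample data (not real mailboxes).
$sampleOrg = $false
$sampleMailboxes = @(
    [pscustomobject]@{ Identity = 'migration-svc@example.test'; EwsEnabled = $true }
    [pscustomobject]@{ Identity = 'user1@example.test';         EwsEnabled = $null }
    [pscustomobject]@{ Identity = 'user2@example.test';         EwsEnabled = $false }
)
Get-EffectiveEwsAccess -OrgEwsEnabled $sampleOrg -Mailboxes $sampleMailboxes |
    Format-Table -AutoSize

# Against a live tenant (after connecting to Exchange Online PowerShell):
# $org = (Get-OrganizationConfig).EwsEnabled
# Get-EffectiveEwsAccess -OrgEwsEnabled $org -Mailboxes (Get-CASMailbox -ResultSize Unlimited)
```

With the constructed data, every mailbox shows EwsAllowed as False because the organization-level value is False, and only the migration service account is flagged as having relied on the old override.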
Action Steps
With this change in administrative control to EWS access, it pays to do a quick review to make sure there are no unintended consequences for your organization. Here are recommended action steps:
- Audit your current EWS configurations: Review both organization-wide and user-specific EWS settings to understand your current setup.
- Update policies accordingly: Adjust your EWS settings to either permit or restrict access based on your organization’s needs.
- Communicate changes: Inform relevant stakeholders and users about the changes to prepare them for any potential impact on workflows involving EWS.
At BitTitan, we’re advocates of a “no surprises” approach to IT management. By proactively managing your EWS settings, you’ll maintain a logical structure in your Exchange Online environments and ensure seamless mailbox migrations.
For more detailed information, refer to Microsoft’s official announcement.