Microsoft sharpens the blocking axe for Exchange Web Services
Summary
Microsoft will start blocking Exchange Web Services (EWS) access for mailboxes that do not have the appropriate licence from 1 March 2026. Frontline-worker licences (Microsoft 365 / Office 365 F1 and F3) and Exchange Online Kiosk licences will no longer be allowed to use EWS in Exchange Online. Requests from ineligible mailboxes will receive an HTTP 403 response. Customers can restore EWS access only by moving affected users to supported plans (Exchange Online Plan 1 or 2, or Microsoft 365 / Office 365 E3 or E5).
The company has been deprecating EWS in Exchange Online since 2018 and announced retirement in 2023; full global disablement for all organisations is scheduled for October 2026. Microsoft recommends migrating to the Microsoft Graph API, though Graph does not yet cover every EWS capability. The change was accelerated in part after the “Midnight Blizzard” incident where EWS played a role in data theft.
Key Points
- From 1 March 2026, EWS access will be blocked for mailboxes without the correct licence, returning HTTP 403 for requests.
- Affected licences include Microsoft 365 / Office 365 F1 and F3 (frontline) and Exchange Online Kiosk.
- Workaround is to move users to Exchange Online Plan 1/2 or Microsoft 365 / Office 365 E3 or E5.
- Microsoft plans to disable EWS globally for Exchange Online by October 2026.
- Microsoft’s preferred replacement is the Graph API, but feature parity gaps remain for some EWS capabilities.
- The move was partly prompted by security incidents (eg. Midnight Blizzard) that highlighted EWS risks.
- EWS deprecation applies to Exchange Online; on-prem Exchange Server retains EWS for now.
Context and relevance
This matters if you run integrations, backups, clients or automation that rely on EWS in Exchange Online. Organisations using frontline or kiosk licences may see connectors stop working in March unless they upgrade licences or switch integrations to Graph. The October 2026 global disable date means there’s limited runway to complete migrations or rework custom tooling.
For IT teams, the story ties into broader trends: Microsoft pushing customers toward Graph, tightening security after high-profile breaches, and forcing license/architecture changes that can have cost and operational impact. If you manage mail flows, third-party connectors, or legacy clients, audit EWS use now.
Author style
Punchy: this is an important operational change for Exchange Online admins. If you have EWS-dependent tooling, don’t assume you can wait — the deadlines are explicit and non-negotiable. Read the detail and inventory your estate.
Why should I read this?
Quick and blunt — if any of your systems talk to Exchange Online via EWS, this affects you. It explains who gets blocked, when it starts, how to fix it and why Microsoft is pushing everyone off EWS. Save yourself a nasty surprise in March or October and check your integrations now.