Control EWS in Exchange Online
Hi All,
In end of February Microsoft has Annouced a new way to control the EWS Usage in Exchange Online. This is in preparation for the Retirement of EWS in October 2026
Unlike other Settings, for Example SMTP Basic Authentication, the EWSEnabled Property in the Exchange Online Organization Configuration can no longer be overridden via Set-CASMailbox on a individual Level.
You can look at it like a “Master” Switch that can be changed at the Tenant / Exchange Online Level.
Let’s have a look at the Setting
Connect-ExchangeOnline -ShowBanner:$false
Get-OrganizationConfig | fl EWSEnabled
There are even more Settings related to EWS
Get-OrganizationConfig | fl *EWS*
Individual Settings in Get-CASMailbox
Get-CASMailbox -Identity a.bohren@icewolf.ch | fl *ews*
New EWS Report
But how do you know when you can safely disable EWS in your Tenant.
There is a new EWS usage Report in the M365 Admin Center.
Link to EWS Usage Report in M365 Admin Center
As you can see, there are 6 EWS Apps over the last 90 Days that use EWS. You can Export and Download a CSV of these Apps.
Use Graph to find the Applications
You can use the Microsoft.Graph PowerShell Modules to get the Display Names of the Applications
Connect-MgGraph -Scope Application.Read.All -NoWelcome
Get-MgServicePrincipal -Filter "AppID eq 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'"
We can use the CSV that was exported and make the AppID’s Unique
$csv = Import-Csv -Path C:\Users\a.bohren\Downloads\EWSWeeklyUsage_4_10_2025_14_53_15.csv
$csv[0]
$UniqueAppID = $csv.AppID | Sort-Object -Unique
$UniqueAppID
Then loop through the Unique App ID’s
Foreach ($AppID in $UniqueAppID)
{
$Filter = "AppID eq '" + $AppID + "'"
$SP = Get-MgServicePrincipal -Filter $Filter
Write-Host "AppID: $AppID DisplayName: $($SP.DisplayName)"
}
I was only able to resolve two of them. Some more are documented here:
| AppID | DisplayName |
|---|---|
| 00000002-0000-0ff1-ce00-000000000000 | Office 365 Exchange Online |
| 47629505-c2b6-4a80-adb1-9b3a3d233b7b | Microsoft Exchange Web Services |
| cc15fd57-2c6c-4117-a88c-83b1d56b4bbe | Microsoft Teams Services |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft Office |
Disable EWS
I’ve disabled EWS
Set-OrganizationConfig -EWSEnabled $False
Get-OrganizationConfig | fl EWSEnabled
The next Day, the Calendar in Microsoft Teams did not work anymore (Classic and New Calender)
I’ve already knew, Microsoft Teams was using EWS from playing around with the EWSAllowList
Summary
Reality of the situation is that today - many applications (Outlook and Teams included) still use EWS. Everyone (Microsoft included) will need to update their applications to stop using EWS before the 2026 deadline but indeed today - blocking EWS would likely break all kinds of stuff for most customers.
So it’s good to know we have a Master Switch, when all the Applications have moved to Graph - today it’s still to early as even Microsoft is not ready yet.
Regards
Andres Bohren
Exchange Logo
