The way to control EWS usage in Exchange Online is changing

We are making a change to the behavior of the EWSEnabled tenant-wide switch in Exchange Online.

When this will happen:

This change will rollout worldwide, starting April 1, 2025

How this affects your organization:

If you want to restrict the usage of EWS in your tenant, this change might affect you. The current behavior of the EWSEnabled flag is that it can be set at both the tenant (organization) level and the user (mailbox) level. Currently, when the flag is set to true at the user level, it takes precedence over the organization-level setting. If a setting is Null, it means the setting is not enforced at that level. If Org and user-level are both Null, the default behavior is to allow. This hierarchical structure means that if the organization-level flag is set to false, but the user-level flag is set to true, EWS requests from that user are still allowed. In summary:

This approach has led to situations where it can be challenging for administrators to ensure uniform policy enforcement across their organization, particularly in large and complex environments.

New Behavior

To address these issues, we are altering the behavior so that EWS will only be allowed if both the organization-level and user-level EWSEnabled flags are true. Here's a simplified view of the new logic:

In short, EWS will be permitted only if both the organization and user-level allow it. This change ensures that administrators have better control over EWS access and can enforce policies more consistently across their entire organization

Next Steps:

Please check the blog for additional information and ensure your per-user and tenant wide settings are correct before this change is made to your tenant.

•  The way to control EWS usage in Exchange Online is changing