Exchange Online EWS Retirement Plan: Oct 2026 Disablement to Apr 2027 Shutdown

Microsoft has confirmed that Exchange Web Services in Exchange Online will begin global disablement in October 2026 and be fully disabled in April 2027. The practical answer for admins is clear: inventory EWS use now, assign an owner to every dependency, classify each workload by its replacement path, pilot the replacement, allow-list only documented exceptions, and review those exceptions monthly until they disappear.
WindowsForum’s own reporting has tracked this from several operational angles: the October 2026 allow-list deadline, the April 2027 shutdown, EWS migration planning, admin action plans, the June 2026 EWSAllowedAppIDs update, and the Exchange Online Admin API preview. The common thread is simple: this is not just a developer migration. It is a tenant-wide dependency cleanup that Exchange administrators, identity teams, app owners, vendors, security teams, and business owners need to manage together.
The key dates are now fixed enough to plan against. October 2026 is when Microsoft begins tenant-by-tenant Exchange Online EWS disablement. April 2027 is the final shutdown. Between those points, EWSAllowedAppIDs becomes the critical control for organizations that still have known, approved EWS dependencies that cannot be removed before enforcement begins.

Infographic dashboard showing a legacy authentication decommissioning plan, timeline, risks, and migration status.What Changed on June 19, 2026​

The important operational update is EWSAllowedAppIDs. Microsoft is rolling out this mechanism so Exchange Online administrators can define which application IDs are allowed to continue using EWS during the final phase of retirement.
That changes the project from a broad “find and migrate EWS someday” exercise into an allow-list governance problem. If an application still needs EWS as October 2026 approaches, it should not be treated as ordinary background traffic. It needs to be identified, owned, justified, tracked, and reviewed.
EWSAllowedAppIDs should be understood as a temporary bridge for the final phase, not a permanent survival plan for EWS. It gives administrators a way to restrict remaining EWS access to specific known applications rather than leaving access broadly available. That is useful, but it also raises the standard for documentation. An application that deserves a place on the list should have a named business owner, a technical owner, a migration plan, a test status, and a review date.
WindowsForum’s report on EWSAllowedAppIDs framed the June 2026 change as the operational anchor for Exchange administrators: before phased disablement begins in October 2026, tenants need to know which applications are still using EWS and which, if any, will be explicitly allowed to continue during the transition.

October 2026 Is the Start of Enforcement, Not the Day to Start Planning​

The most dangerous misunderstanding is treating October 2026 as a reminder date. It is not. It is the start of global EWS disablement for Exchange Online tenants.
That matters because many organizations handle Microsoft 365 deprecations as if the final shutdown date is the only real deadline. For EWS, that approach is risky. The enforcement period starts months before the April 2027 finish line, and the tenants that wait until the last moment will be sorting through unknown application traffic while controls are already tightening.
WindowsForum users have been circling the same concern in different ways: the allow-list deadline, the 2027 shutdown, migration planning, and the need for an admin action plan. The recurring lesson is that EWS retirement is less about reading one Microsoft announcement and more about finding every hidden dependency in a live tenant.
Old EWS use can hide in backup tools, archive connectors, room-booking systems, CRM integrations, helpdesk platforms, custom provisioning scripts, reporting jobs, and abandoned internal applications. Some of those apps may have obvious owners. Others may be tied to old service accounts or app registrations that nobody has reviewed in years. The problem is not only technical. It is organizational.

Use a Six-Step Operating Plan​

Vague guidance such as “test the replacement before October 2026” is not enough. Administrators need a repeatable sequence that can be tracked.
Use this six-step plan:
  1. Inventory observed EWS use. Use Microsoft’s EWS usage reporting and tenant telemetry to identify applications, service principals, accounts, and workloads still calling EWS.
  2. Assign an owner. Every dependency needs a technical owner, a business owner, and, where relevant, a vendor contact.
  3. Classify by destination. Decide whether the workload belongs on Microsoft Graph, the Exchange Online Admin API, Exchange Online PowerShell, a vendor replacement, retirement, or a temporary EWS allow-list entry.
  4. Pilot the replacement. Test the replacement with real workflows, realistic mailbox scope, permissions, error handling, and operational monitoring.
  5. Allow-list only exceptions. Use EWSAllowedAppIDs only for known applications that cannot be migrated before enforcement and that have documented business justification.
  6. Review monthly. Revisit every exception, owner, vendor dependency, and migration status until the allow list is empty.
This sequence is short enough to run as a weekly migration board and concrete enough to keep the work from becoming a spreadsheet that nobody trusts.

The First Job Is a Live EWS Inventory​

The first concrete task is to build a live inventory of observed EWS use. Microsoft’s EWS usage reporting is intended to help identify applications still calling EWS. Treat that reporting as the starting point, not the whole answer.
The exact Microsoft 365 admin center navigation path for EWS usage reporting should be confirmed in your tenant. Microsoft 365 admin center layouts and report locations can change, and the source material available here does not establish a stable click path that should be promised as universal. If your tenant exposes the report in a different location or under a changed label, rely on the current Microsoft 365 admin center experience and Microsoft’s current documentation for the precise UI path.
What matters operationally is the output. You need to know which application identities are generating EWS activity, which mailboxes or users are involved, what kind of operations appear to be in use, and whether the traffic maps to a known business process.
Do not treat this as a one-time export. EWS dependencies can be seasonal, tied to monthly reporting, triggered by quarterly finance processes, or hidden in rarely used workflows. A short observation window may miss a system that only runs occasionally but still matters.
A good inventory should capture:
FieldWhy it matters
Application ID or identityNeeded for ownership, investigation, and possible EWSAllowedAppIDs decisions
Service account or app registrationHelps map technical authentication to business purpose
Mailbox or user scopeShows blast radius and priority
Vendor or internal ownerDetermines who must remediate
EWS operation patternHelps classify the replacement path
Business purposeSeparates critical workflows from stale traffic
Replacement candidateGraph, Admin API, PowerShell, vendor upgrade, retirement, or temporary allow-list
Target migration datePrevents “known issue” from becoming permanent
Exception review dateKeeps allow-list entries from drifting
If an application has no owner, that is not a reason to ignore it. It is a reason to escalate it. Ownerless EWS traffic is exactly the kind of dependency that becomes a production incident during phased disablement.

Use the EWS Analyzer for Code, but Do Not Stop There​

Microsoft’s EWS Analyzer can help developers identify EWS usage in application code. That is important for internal apps, old automation, scheduled jobs, and repositories where EWS calls may not be obvious to current maintainers.
The Analyzer should be part of the engineering workstream, but it does not replace human review. It can help identify EWS patterns; it cannot decide whether a rewritten workflow has the right permissions, whether error handling is safe, whether paging and throttling are covered, or whether the new behavior matches the business process.
Microsoft’s migration guidance also includes AI-assisted refactoring as a possible aid. Treat that as an accelerator, not a guarantee. AI assistance may help locate patterns, propose replacements, or speed up repetitive code changes, but production Exchange workflows still need code review, security review, test coverage, and operational validation.
For internal code, the useful question is not merely “Where is EWS used?” It is “What Exchange capability is this code actually relying on?” The answer determines the destination.

Classify Workloads by Destination​

The migration board should be organized around workloads, not protocol labels. EWS is the protocol being retired, but the replacement path depends on what the application does.
WorkstreamFindClassifyDestinationTemporary allow-list?Owner
Mail and calendar appsApp IDs, vendors, service accounts, mailbox scopeUser-facing app, background sync, calendar, message, folder, or mailbox workflowMicrosoft Graph where scenario coverage fitsOnly if migration cannot complete before enforcementApp owner plus Exchange admin
Administrative automationScripts, portals, middleware, service toolsDelegation, permissions, group, configuration, or other admin workflowExchange Online Admin API for supported scenarios; Exchange Online PowerShell where neededOnly for documented gapsExchange automation owner
Vendor productsObserved traffic matched to product and versionSupported, unsupported, roadmap pending, unknownVendor-supported non-EWS release or replacementOnly with vendor commitment and business approvalBusiness owner plus vendor manager
Internal codeRepositories, deployed scripts, scheduled jobsProduction app, utility, abandoned code, one-off automationGraph, Admin API, PowerShell, or retirementAvoid unless business-critical and actively migratingDevelopment lead
Unknown trafficApp registrations, sign-in logs, mailbox impactCritical, low-risk, stale, suspiciousRemove, replace, or block after validationDo not allow-list without an ownerSecurity plus Exchange admin
This structure keeps the discussion practical. It also prevents one common mistake: assuming every EWS dependency has the same replacement.

Graph Is a Candidate for Mailbox and Calendar Scenarios, Not a Magic Drop-In Replacement​

For mailbox, message, user, and calendar-centric applications, Microsoft Graph will often be the destination teams evaluate first. But EWS and Graph are not drop-in equivalents, and the migration still requires design work.
Developers need to map EWS operations to supported Graph capabilities, review delegated versus application permissions, validate mailbox scope, test throttling behavior, and confirm that the data model matches the application’s expectations. A Graph migration that only works with overly broad permissions has solved one problem while introducing another.
The right framing is practical: if the workload is a mailbox or calendar application, evaluate Graph coverage early. If Graph covers the scenario, pilot it with real users and realistic data. If it does not cover the scenario cleanly, document the gap rather than pretending the migration is done.
This is also where permissions matter. Many older EWS deployments grew around broad mailbox access patterns. Moving to a modern API surface should be used as a chance to reduce privilege, not simply to recreate the same access model under a new protocol.

The Exchange Online Admin API Is for Specific Administrative Scenarios​

The Exchange Online Admin API deserves careful attention because some administrative EWS dependencies may fit there. Microsoft has positioned it as a REST-based, cmdlet-style administrative surface for specific Exchange Online admin scenarios affected by EWS retirement.
The important word is specific. Teams should not assume that every EWS-based administrative workflow belongs on the Admin API, and they should not assume that every Exchange management task should be moved there. Validate the exact scenario before committing.
For production planning, test against real workflows:
  • Does the API support the operation you need?
  • Are the required parameters available?
  • Does the permission model fit your application?
  • Does the response shape support your automation?
  • Are paging, throttling, and partial failures handled?
  • Does the workflow behave the same way as the current EWS or PowerShell process?
  • Is the API available in your tenant and suitable for your production timeline?
Some workflows may be better handled by Exchange Online PowerShell. Others may fit the Admin API because they need a REST-first administrative surface and do not want to host PowerShell execution. The decision should be scenario-based, not trend-based.
WindowsForum’s report on the Exchange Online Admin API public preview captured that distinction: it is a guided migration path for certain Exchange admin scenarios, not a universal answer for every Exchange management workflow.

EWSAllowedAppIDs Is Exception Management​

EWSAllowedAppIDs should be managed like an exception register. That means every allowed application should have documentation that answers five questions:
  1. What is the application?
  2. Who owns it?
  3. Why does it still need EWS?
  4. What is the migration or retirement path?
  5. When will the exception be reviewed again?
If an application cannot answer those questions, it should not be casually placed on the allow list.
The danger is that organizations will discover a long list of EWS callers, allow-list all of them, and call the project complete. That would defeat the purpose of the final-phase control. The allow list should shrink over time. If it grows as October 2026 approaches, the migration program is probably losing control.
A disciplined allow-list entry should include:
Required itemExample of the decision it supports
Application IDConfirms the exact app being allowed
Business ownerIdentifies who accepts continuity risk
Technical ownerIdentifies who can fix or migrate it
Vendor contactSpeeds escalation for third-party apps
Mailbox scopeShows impact if EWS access fails
Replacement pathPrevents the exception from becoming permanent
Review dateForces monthly governance
Removal criteriaDefines what “done” means
EWSAllowedAppIDs is useful because it forces specificity. It turns vague protocol risk into named application risk.

Vendors Need Deadlines, Not Compatibility Promises​

Every tenant inventory will produce vendor-owned applications that still use EWS. This is where many organizations lose time.
Do not ask vendors only whether they “support Microsoft 365” or “support Graph.” Those answers are too vague. Ask operational questions:
  • Is the application still using EWS in Exchange Online?
  • Which versions remove EWS dependency?
  • What replacement API or management surface does the product use?
  • Are new permissions, admin consent, or app registrations required?
  • What configuration changes are needed?
  • What is the supported migration process?
  • What is the vendor’s timeline before October 2026?
  • What happens if the tenant restricts EWS with EWSAllowedAppIDs?
If a vendor cannot answer, put the application in the risk register. “Waiting on vendor” is not a status; it is a dependency that needs escalation.
Contracts and renewals should also reflect the timeline. Any renewal that runs beyond October 2026 should include explicit language about EWS retirement readiness. Business owners do not need to understand every API detail, but they do need to know whether a product they fund will continue working when Exchange Online starts disabling EWS.
WindowsForum’s EWS planning coverage has repeatedly emphasized that vendor and owner discovery is one of the hardest parts. That matches real-world tenant experience: the protocol problem is technical, but the migration blocker is often ownership.

Midnight Blizzard Raised the Security Urgency​

Microsoft’s EWS retirement materials connect the urgency of the work to the January 2024 Midnight Blizzard incident and indicate that the scope of the effort widened beyond third-party application cleanup. The safe operational takeaway is narrow but important: Microsoft has tied EWS retirement to security urgency, not just platform modernization.
For administrators, that means the EWS inventory should not be treated only as an app compatibility exercise. It is also a security review of legacy mailbox access paths, service principals, app permissions, and poorly understood automation.
Security teams should be part of the migration board. They can help review application permissions, investigate unknown traffic, evaluate stale service principals, and decide whether some EWS activity should be removed rather than migrated.
The retirement creates an opportunity to reduce risk. Do not waste it by simply moving old broad-access patterns into new broad-access patterns. Every migration should ask whether the application still needs the access it has.

Testing Should Rehearse the Cutoff Before Microsoft Does​

A plan that ends with “migrate before October 2026” is too weak. Administrators need rehearsals that prove the tenant can operate with EWS restricted.
Start with low-risk users, test mailboxes, or controlled application groups. Restrict or reduce EWS access using supported controls, observe failures, compare the results with the inventory, and update the migration board. If something breaks that was not expected, the inventory is incomplete. If reports still show traffic after a migration, the application may not actually be off EWS.
For migrated applications, validation should include:
  • Functional testing with real workflows
  • Permission review
  • Mailbox scope validation
  • Monitoring and alerting
  • Error handling
  • Rollback criteria
  • Helpdesk routing instructions
  • Business-owner signoff
Helpdesk readiness matters. Users usually will not report “EWS failed.” They will report that calendar sync stopped, a room-booking system failed, a CRM stopped filing mail, an archive connector stopped ingesting content, or a workflow stopped updating mailbox data. Support teams need enough context to route those symptoms quickly.

The Real Calendar Has Three Milestones​

Keep the dates separate.
MilestoneMeaningAdmin action
NowInventory and migration windowFind EWS use, assign owners, classify workloads, begin pilots
October 2026Start of global Exchange Online EWS disablementOperate only with known migrated workloads and documented allow-list exceptions
April 2027Full EWS disablementNo remaining Exchange Online EWS dependency should be expected to survive
Confusing those dates leads to bad planning. If a team treats April 2027 as the only deadline, it may enter the enforcement period with unknown dependencies. If a team treats October 2026 as the final panic date, it may overuse the allow list instead of migrating.
The disciplined approach is to use the time before October 2026 to eliminate mystery traffic, use the enforcement period only for governed exceptions, and reach April 2027 with no business process still depending on EWS.

Build the Migration Board Around Decisions​

A useful EWS migration board should not be a static list of applications. It should drive decisions.
Each entry should answer:
  • What did we observe?
  • Who owns it?
  • What business process depends on it?
  • What is the replacement path?
  • What is the pilot status?
  • What permissions are required?
  • What vendor action is pending?
  • Is an allow-list exception needed?
  • When will the exception be reviewed?
  • What is the removal date?
This is how WindowsForum’s separate EWS reports fit together. The October 2026 allow-list deadline gives the project urgency. The April 2027 shutdown gives it a hard endpoint. The EWSAllowedAppIDs update gives administrators a control for the final phase. The usage reports and EWS Analyzer support discovery. The Admin API preview gives some administrative workflows a possible REST-based path. The Midnight Blizzard context explains why security teams should care.
The result should be a working board, not a memo.

Practical Admin Checklist​

Use this checklist to turn the timeline into action:
  • Start EWS usage reporting review now.
  • Confirm the current Microsoft 365 admin center reporting path in your tenant.
  • Export or record observed EWS application activity.
  • Match app IDs and service accounts to known systems.
  • Investigate unknown or ownerless traffic.
  • Assign a business owner and technical owner to every dependency.
  • Run EWS Analyzer against internal code repositories and deployed scripts.
  • Classify each workload by destination.
  • Evaluate Microsoft Graph for mailbox, mail, user, and calendar-centered app scenarios where coverage fits.
  • Evaluate the Exchange Online Admin API for supported administrative scenarios.
  • Keep Exchange Online PowerShell in scope for management automation where it remains the appropriate surface.
  • Press vendors for specific non-EWS migration plans.
  • Pilot replacements with real workflows.
  • Review permissions before production rollout.
  • Prepare helpdesk routing for EWS-related symptoms.
  • Use EWSAllowedAppIDs only for known, justified exceptions.
  • Review allow-list entries monthly.
  • Remove exceptions as migrations complete.
  • Treat April 2027 as the point by which no Exchange Online EWS dependency should remain.

Frequently Asked Questions​

Is EWS being retired for Exchange Online?​

Yes. Microsoft has confirmed that Exchange Web Services in Exchange Online will begin global disablement in October 2026 and will be fully disabled in April 2027.

What should admins do first?​

Start with inventory. Use Microsoft’s EWS usage reporting and tenant investigation to identify observed EWS callers. Then assign an owner to each dependency, classify the workload, and begin pilot migrations.

What changed in June 2026?​

The key operational change is EWSAllowedAppIDs. It gives Exchange Online administrators a way to allow specific application IDs to continue using EWS during the final phase of retirement. It should be used for controlled exceptions, not as a blanket workaround.

Should every EWS app move to Microsoft Graph?​

No. Many mailbox, mail, user, and calendar-centered scenarios may be candidates for Graph, but every workload needs scenario mapping and testing. Some administrative workflows may fit the Exchange Online Admin API. Others may remain better suited to Exchange Online PowerShell or require vendor replacement.

What is the Exchange Online Admin API for?​

It is a REST-based, cmdlet-style administrative surface for specific Exchange Online admin scenarios affected by EWS retirement. It should be validated against exact workflows before production use.

Is the Admin API the answer for all Exchange automation?​

No. Treat it as a targeted option for supported administrative scenarios. Do not assume it covers every Exchange management workflow or every existing script.

What is EWSAllowedAppIDs?​

EWSAllowedAppIDs is the allow-list mechanism for the final phase of Exchange Online EWS retirement. It lets administrators specify which application IDs may continue using EWS while phased disablement is underway.

Should we allow-list all known EWS apps?​

No. Allow-list only documented exceptions that cannot be migrated before enforcement begins. Each exception should have an owner, business justification, migration path, review date, and removal criteria.

How often should the allow list be reviewed?​

Monthly is a practical minimum. The list should shrink over time. If it grows as October 2026 approaches, the migration program needs escalation.

What if an app has no owner?​

Treat it as a risk. Investigate the app registration, service account, mailbox scope, sign-in activity, and business impact. Do not allow-list unknown traffic without an accountable owner.

What should we ask vendors?​

Ask whether the product still uses EWS, which version removes that dependency, what replacement API or management surface is used, what permissions are required, what configuration changes are needed, and whether the vendor’s timeline completes before October 2026.

Why is Midnight Blizzard relevant?​

Microsoft’s EWS retirement materials connect the urgency of the retirement effort to the January 2024 Midnight Blizzard incident. For admins, the practical implication is that EWS cleanup should be treated as both an application modernization project and a security risk-reduction effort.

What is the safest planning assumption?​

Assume October 2026 is the beginning of enforcement and April 2027 is the end of Exchange Online EWS availability. By October 2026, unknown EWS traffic should be gone or under investigation, migrated workloads should be tested, and any remaining EWS use should be governed through tightly documented exceptions.

References​

  1. Primary source: learn.microsoft.com
  2. Primary source: WindowsForum
 

Back
Top