Overview
Microsoft has announced the deprecation of Exchange Web Services (EWS) for Exchange Online. Tenants may gradually experience EWS being disabled by default, with complete retirement scheduled for April 1, 2027.
Microsoft is transitioning functionality to Microsoft Graph APIs; however, not all required Graph capabilities are currently available to fully replace EWS in production environments. While Spanning 365 Backup has already migrated a significant portion of its core functionality to Microsoft Graph, certain Mail and Calendar backup and restore operations still depend on legacy Exchange Online (EWS) permissions.
Reference: http://techcommunity.microsoft.com/blog/exchange/exchange-online-ews-your-time-is-almost-up/4492361
Issue
Customers may encounter a 403 Forbidden error when the backup application attempts to access Exchange Web Services (EWS).
Cause
A 403 error typically indicates that:
- The application is allowed at the tenant level, but access is restricted or blocked at the user/mailbox level or by policy.
Resolution
Follow the steps below to identify and resolve the issue:
Using Exchange Admin Center (EAC):
- Sign in to the Exchange Admin Center as an Exchange administrator.
- Go to Recipients > Mailboxes.
- Select the required user’s mailbox.
- In the mailbox details pane, under the General tab, click on Manage email apps settings.
- Enable Exchange Web Services (EWS).

Using Exchange Online PowerShell:
1. Check Mailbox-Level EWS Access
Run the following command in Exchange Online PowerShell:
Get-CASMailbox user@domain.com | Select EwsEnabled
- If the value is False, enable it using:
Set-CASMailbox user@domain.com -EwsEnabled $true
- If any changes are made to the above settings, we recommend reauthorizing the Spanning application and waiting 24 hours for Microsoft’s updates to fully propagate. This allows Spanning to detect and apply those changes.
- After reauthorization and the 24-hour period, please monitor the next scheduled backup for the affected user(s). Alternatively, you may initiate a manual backup for a specific user to confirm the updates have taken effect.
If the tenant-level value is False, we recommend enabling this setting organization-wide with assistance from Microsoft Support.
2. Verify Application Access Policy
Run the following command:
Get-OrganizationConfig | Select EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
- If the policy is set to EnforceAllowList, ensure the backup application is included in the EwsAllowList
3. Check for Per-User Overrides
Run:
Get-CASMailbox user@domain.com | Select EwsApplicationAccessPolicy
- This confirms whether mailbox-level policies are overriding organization-wide settings
4. Review Conditional Access Policies
Navigate to:
- Microsoft Entra Admin Center → Security → Conditional Access
Verify whether any policies are blocking:
- Legacy authentication
- Exchange Web Services (EWS)
- Specific users or groups
5. Review Sign-in Logs
Navigate to:
- Microsoft Entra Admin Center → Monitoring → Sign-in logs
Steps:
- Filter logs for the affected user
- Check for failed sign-ins
Look for:
- 403 errors
- Access blocked by Conditional Access policies
6. Check Security Defaults
Navigate to:
- Microsoft Entra Admin Center → Properties → Manage Security Defaults
- If enabled, Security Defaults may block legacy authentication used by EWS
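The PowerShell checks in steps 1 to 3 can be combined into one read-only pass that reports which setting is restricting EWS before anything is changed. This is an added example, not a Spanning or Microsoft script; the function name Test-EwsAccess and the user agent placeholder are assumptions, and it expects an existing Connect-ExchangeOnline session.

```powershell
# Added example: read-only triage of the EWS settings from steps 1 to 3.
# Test-EwsAccess is a hypothetical helper name; nothing here modifies the tenant.
# $AppUserAgent is a placeholder: use the value your backup vendor documents.
function Test-EwsAccess {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $AppUserAgent
    )

    $props = 'EwsEnabled', 'EwsApplicationAccessPolicy', 'EwsAllowList', 'EwsBlockList'
    $org = Get-OrganizationConfig | Select-Object $props
    $mbx = Get-CASMailbox -Identity $Mailbox | Select-Object $props

    $findings = [System.Collections.Generic.List[string]]::new()

    # An empty value means "not set"; only an explicit False is reported.
    if ($org.EwsEnabled -eq $false) { $findings.Add('Tenant: EwsEnabled is False') }
    if ($mbx.EwsEnabled -eq $false) { $findings.Add('Mailbox: EwsEnabled is False') }

    $scopes = @(
        @{ Name = 'Tenant';  Cfg = $org },
        @{ Name = 'Mailbox'; Cfg = $mbx }
    )
    foreach ($scope in $scopes) {
        $cfg = $scope.Cfg
        # Assumption: list entries are user agent strings, compared here as wildcard patterns.
        switch ([string]$cfg.EwsApplicationAccessPolicy) {
            'EnforceAllowList' {
                if (-not ($cfg.EwsAllowList | Where-Object { $AppUserAgent -like $_ })) {
                    $findings.Add("$($scope.Name): EnforceAllowList has no entry matching the app")
                }
            }
            'EnforceBlockList' {
                if ($cfg.EwsBlockList | Where-Object { $AppUserAgent -like $_ }) {
                    $findings.Add("$($scope.Name): EnforceBlockList has an entry matching the app")
                }
            }
        }
    }

    [pscustomobject]@{
        Mailbox  = $Mailbox
        Blocked  = $findings.Count -gt 0
        Findings = $findings
    }
}

Test-EwsAccess -Mailbox 'user@domain.com' -AppUserAgent '<backup-app-user-agent>'
```

An empty Findings list means the 403 is not explained by these settings, so continue with the Conditional Access, sign-in log and Security Defaults checks in steps 4 to 6.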
Additional Notes
- As Microsoft continues to phase out EWS, it is recommended to monitor updates regarding Microsoft Graph API capabilities
- Ensure that your environment is prepared for the transition before the EWS retirement deadline
- Spanning will continue to enhance Graph-based functionality to minimize dependency on EWS
Summary
EWS deprecation is an ongoing transition, and interim configurations may cause access issues such as 403 errors. By validating mailbox settings, application policies, and security configurations, administrators can restore functionality for affected users while preparing for the long-term shift to Microsoft Graph APIs.