EWS Retirement 2026: How to Find Legacy Exchange Integrations Before They Break

The 2026 EWS timeline

Microsoft first announced the EWS retirement in 2018 and reconfirmed the schedule in 2023 with a phased plan landing the active changes in 2026 and the final shutdown in 2027. The timeline below reflects the published guidance at the time of writing; Microsoft has adjusted dates before, so validate against Microsoft Learn and the Microsoft 365 Message Center before relying on a date in a customer communication.

The new control surface: EWSEnabled + AppID Allow List

Microsoft introduced a tenant-level control to manage EWS access during the retirement window. The control has two parts.

• EWSEnabled — a tenant-wide switch that gates whether EWS requests are accepted. Default behaviour shifts on 1 October 2026: tenants that did not proactively set EWSEnabled = True by the end of August 2026 are switched to False.
• AppID Allow List — a list of Microsoft Entra ID application identifiers that are permitted to use EWS when EWSEnabled = True. Applications not on the list are blocked even when the tenant-level switch is on.

The mechanism gives admins the ability to keep specific apps working past 1 October 2026 while a migration plan is delivered, without leaving EWS open to every app in the tenant. The configuration is done via Exchange Online PowerShell at the time of writing; expect a portal experience to follow.

Discovery: four methods to find EWS usage in your tenant

The discovery work has four sources. Each one tells you something the others miss. Use them together rather than picking one.

Method 1 — EWS Usage Report in the Microsoft 365 admin center

Microsoft shipped a built-in EWS Usage Report in the Microsoft 365 admin center in 2025. It is the primary discovery source for 2026.

1. Sign in to the Microsoft 365 admin center at admin.microsoft.com.
2. Go to Reports → Usage.
3. Select the Exchange Web Services (EWS) usage report.
4. Review SOAP actions, active applications by name and AppID, call volume per application, and the user population making the calls.
5. Export the report for a documented snapshot before any remediation work begins.

The report's strength is that it identifies applications by AppID, which is the exact identifier you will need for the Allow List or for the migration ticket. Some operational characteristics matter for how you use it:

• The report currently supports 7-day, 30-day and 90-day filters in the Microsoft 365 admin center.
• Data is collected and aggregated weekly, not daily. The report does not reflect activity in real time; recent calls may not appear immediately in the report.
• The report is a starting point, not a full historical inventory. Applications active outside the 90-day window do not appear; applications configured but currently idle do not appear. Combine with the audit log, sign-in logs and app registration inventory to assemble a complete view.

Method 2 — Unified Audit Log: EwsAccess activity

The Unified Audit Log captures EWS access events under the activity name EwsAccess. The audit log's strength is granularity and time depth (retention depends on licensing; E5 / advanced auditing covers up to a year by default).

1. Sign in to the Microsoft Purview portal or the Microsoft 365 admin center.
2. Open Audit and search for the activity EwsAccess over the longest window your licence allows.
3. Group results by application name, AppID and source IP to identify the calling applications.
4. Pair with the EWS Usage Report — the audit log adds applications that have called EWS at any point in the retention window, even if they are quiet today.

Method 3 — Microsoft Entra ID sign-in logs filtered for EWS

Microsoft Entra ID sign-in logs record application authentications, including the resource the application is calling. Filtering for the EWS resource surfaces every application that authenticated to EWS in the log window.

1. Sign in to the Microsoft Entra admin center.
2. Go to Monitoring & health → Sign-in logs.
3. Apply filters for the resource that EWS uses (Office 365 Exchange Online) and review the application column.
4. Cross-reference application IDs against the EWS Usage Report and the audit log.

Method 4 — App registrations with EWS-relevant permissions

The final source is the static configuration: which applications in the tenant have been granted EWS-relevant permissions on the Office 365 Exchange Online service principal, regardless of whether they have called EWS recently. The right query is over assigned permissions, not over what the resource service principal exposes.

Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","AppRoleAssignment.Read.All"

# Identify the Office 365 Exchange Online resource service principal
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'" |
       Select-Object -First 1

# Resolve the EWS app-only role IDs on the EXO resource SP
# (validate the EWS-relevant identifiers against Microsoft Learn before
# relying on the output as a complete classification)
$ewsAppRoleIds = $exo.AppRoles |
  Where-Object { $_.Value -in @("full_access_as_app") } |
  Select-Object -ExpandProperty Id

# Iterate over every client service principal in the tenant and check
# its app role assignments against the EXO resource SP and the EWS roles
$appOnlyGrants = foreach ($sp in Get-MgServicePrincipal -All) {
  Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue |
    Where-Object { $_.ResourceId -eq $exo.Id -and $ewsAppRoleIds -contains $_.AppRoleId } |
    Select-Object @{Name="ClientDisplayName";Expression={$sp.DisplayName}}, `
                  @{Name="ClientAppId";Expression={$sp.AppId}}, `
                  AppRoleId, ResourceDisplayName
}

# Apps granted EWS delegated permissions on the EXO resource
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
  Where-Object {
    $_.ResourceId -eq $exo.Id -and
    ($_.Scope -split " " | Where-Object { $_ -eq "EWS.AccessAsUser.All" }).Count -gt 0
  } |
  Select-Object ClientId, ConsentType, Scope

# Output both sets
$appOnlyGrants
$delegatedGrants

The exact permission identifiers to look for on the Office 365 Exchange Online service principal are the EWS-relevant app role full_access_as_app (app-only access where EWS is the intended path) and the delegated scope EWS.AccessAsUser.All (delegated EWS access). Resolve the corresponding AppRoleId values and delegated Scope values on the EXO service principal, then enumerate per-client-SP app role assignments and OAuth2 permission grants where the resource is the EXO service principal. Combine the four methods to assemble a complete inventory.

Code-side discovery: EWS Analyzer and EWS-to-Graph mapping

The four methods above cover the runtime side of discovery: what is calling EWS in your tenant right now or recently. They do not cover the code side: repositories, scheduled tasks, and old binaries that may still contain EWS calls but have not run within the audit window. For a complete inventory, runtime discovery needs to be paired with code analysis.

Microsoft has published guidance and tooling to help with the code side. Specifically:

• EWS Analyzer — a Microsoft-provided tool that scans codebases for EWS usage and identifies migration targets. Useful for in-house repositories where the source code is available.
• EWS-to-Graph mapping guidance — Microsoft Learn documentation that maps common EWS operations to their Graph equivalents, with the gotchas called out per operation.
• AI-assisted code analysis and refactoring — Microsoft has published tutorials covering use of AI tooling to accelerate the EWS-to-Graph migration in source code, particularly for larger or older codebases where manual review is impractical.

The practical pattern: use the runtime methods for the inventory (who is calling, what AppID, how often), then use the code-side tooling for the migration work itself (what to change, in which file, with what Graph equivalent). The two halves of the discovery are complementary, not interchangeable.

Inventory output: the deliverable of the discovery phase

The discovery work converges into a single artefact: the EWS inventory. The structure below is the practical deliverable of the discovery phase. It is the document that is reviewed in change-control meetings, referenced when migration decisions are taken, and updated as items move from "Allow List" through to "migrated" and finally "decommissioned". Maintain it in a place under source control or shared documentation, not a personal spreadsheet on a single admin's machine.

Categorising what you find

An EWS inventory is rarely homogeneous. The applications calling EWS typically fall into one of five categories, each of which has a different migration path.

For each item in the inventory, capture: owner (someone in the organisation, not a vendor name), business criticality, migration vendor / version status, planned migration date, fallback (Allow List or accept service interruption), and the date the decision was last reviewed.

Microsoft Graph as the replacement: fit, gaps, exceptions

Microsoft Graph is the strategic replacement for most EWS scenarios, but not every EWS workload is a one-to-one migration. Some scenarios port directly to Graph with comparable or better APIs. Some require redesign because EWS exposed a model (impersonation, extended properties, streaming notifications) that Graph addresses differently. A few scenarios are genuinely thin in Graph coverage today and either need careful validation or a workaround.

Graph migration fit per scenario

Migration playbook per category

The migration work breaks into parallel tracks by category. Each track has its own ownership, its own validation criteria, and its own deadline.

Vendor SaaS (backup, archive, signature, meeting rooms)

The fastest path. The vendor has already shipped a Graph-based version; your work is to upgrade and re-validate. The migration ticket is: confirm the vendor supports Graph, confirm the version that does, plan the upgrade, validate against a pilot before tenant-wide cutover.

Mailbox migration tools

If a migration is in flight on the day EWS is blocked, the migration breaks. Check the tool's vendor for Graph-based migration support. Microsoft's own Cross-Tenant User Data Migration add-on (covered in a separate article in this blog) is the native path for tenant-to-tenant scenarios going forward.

Custom in-house apps

The slowest path because each app is bespoke. For each app, the migration is a small project: register an Entra ID app with the right Graph permissions, rewrite the calls (the Microsoft Graph SDKs cover most major languages), validate against the same test mailboxes the original was built against, then cut over.

Three patterns repeat for the in-house apps:

• It is no longer used. Confirm with the owner, document, and decommission. This is the cheapest outcome.
• It is simple and has a clear Graph equivalent. The script that reads mailboxes and sends a report can typically be ported in a day, sometimes faster. A junior developer with the Microsoft Graph PowerShell SDK can deliver this.
• It is complex, business-critical and the original author has left. This is the case where the Allow List buys time. Put the app on the Allow List, raise a project to migrate or replace it, then remove from the Allow List once the project lands.

Configuring the Allow List for continued access

The Allow List is the stopgap mechanism for apps that cannot be migrated before the 1 October 2026 default change. The configuration is via Exchange Online PowerShell at the time of writing. The conceptual flow is:

1. Connect to Exchange Online PowerShell.
2. Set the tenant-level EWSEnabled switch to True via Set-OrganizationConfig.
3. Configure the AppID Allow List with the application identifiers that should retain EWS access.
4. Verify the configuration with the corresponding Get-OrganizationConfig output.

Operational practices for the Allow List:

• Inventory the Allow List in source-controlled documentation. Each entry should record AppID, app display name, owner, the reason it is on the Allow List, the planned migration date and the date the entry was last reviewed.
• Review the Allow List monthly. Each entry should have a deadline; when the deadline arrives, the entry is either removed (because the migration landed) or has the deadline renewed with a documented reason.
• Treat additions as change-controlled. Adding an AppID grants meaningful access; it should not be a casual operation.

Pre-October 2026 validation checklist

The checklist below captures the highest-impact actions for the next eight weeks. Most of the work is discovery and decision-making; the technical configuration is a small fraction of the total effort.

• Run the EWS Usage Report in the Microsoft 365 admin center.Export the report for a documented snapshot. Capture SOAP actions, applications by AppID, call volume and user population.
• Query the Unified Audit Log for EwsAccess over the longest window your licence allows.Group by application name and AppID. Pair with the EWS Usage Report to catch applications that have been active in the retention window but are quiet today.
• Query Microsoft Entra sign-in logs filtered for the EWS resource.Filter for the Office 365 Exchange Online resource and review the calling applications. Cross-reference with the Usage Report and audit log.
• Inventory Entra ID app registrations with EWS-relevant permissions.Identify applications registered with EWS app roles or delegated scopes regardless of recent activity. Some apps may be configured but not currently calling.
• Build the consolidated inventory with owner per item.Merge the outputs of the four discovery methods. For each application, capture AppID, app display name, vendor or in-house, business owner, criticality, and current call volume.
• Categorise each item.Vendor backup/archive, mailbox migration, signature/template, meeting room, custom in-house. Categorisation determines the migration path.
• Contact each vendor for the Graph-based version status.Confirm the version that supports Graph, the upgrade path, prerequisites and known migration gotchas. Record the vendor reference number for the conversation.
• Triage custom in-house apps.For each: is it still in use? If not, plan decommission. If yes, identify the owner, estimate the migration effort, and assign it as a small project with a deadline before October 2026.
• Decide which apps need the Allow List.The Allow List is for apps that cannot reasonably migrate before 1 October 2026. Document the reason and the planned migration date for each Allow List entry.
• Configure EWSEnabled = True and populate the Allow List by end of August 2026.Validate cmdlet syntax against current Microsoft Learn. Verify the configuration with Get-OrganizationConfig. Capture the configuration in source-controlled tenant documentation.
• Validate that Allow-Listed apps still work after the 1 October change.Monitor the EWS Usage Report and the audit log in the first weeks of October to confirm Allow-Listed apps continue to call successfully and that nothing else is.
• Plan the migration of Allow-Listed apps before full shutdown.Each Allow List entry has a deadline. Track migrations in flight, remove entries as projects land, escalate if a deadline slips. The Allow List should be shrinking, not growing, until April 2027 when EWS is fully disabled.

Common mistakes

1. Treating the Allow List as a strategy.The Allow List buys time; it does not opt the tenant out of the retirement. Apps on the Allow List still need a migration plan that lands before the April 2027 full shutdown currently documented by Microsoft. Adding an app to the Allow List and walking away is deferring the same problem to next year.
2. Relying on one discovery method.The EWS Usage Report misses dormant apps. The audit log is bounded by retention. Sign-in logs miss the static configuration. App registration inventory misses the unauthenticated edge cases. Use all four, paired with code-side analysis for repositories and old binaries.
3. Assuming the vendor already migrated.Several major vendors have shipped Graph-based versions, but not every tenant is on the version that supports Graph. The vendor name on the inventory is not enough; confirm the version and the upgrade plan.
4. Forgetting Kiosk and Frontline Worker populations.Microsoft is blocking EWS access for users without licence rights from end of June 2026, including affected Kiosk / Frontline Worker scenarios where the assigned SKU does not include EWS rights. Tenants with kiosk-based workflows or frontline workforces may experience selective failures before the broader October change.
5. Confusing EWS retirement with Exchange Server retirement.The EWS retirement applies to Exchange Online only. Exchange Server on-premises is not affected at the time of writing. Hybrid tenants need to distinguish which side an EWS dependency runs against.
6. Underestimating the in-house app inventory.The hardest discoveries are the PowerShell script someone scheduled in 2017 and the ASP.NET app that lives on a server in the second data centre. The audit log catches them; the personal knowledge in the team often does not. Pair runtime discovery with code analysis tools like the EWS Analyzer for codebases under your control.
7. Migrating to Graph without scope rationalisation.EWS permission models were broad. Graph migrations are an opportunity to scope permissions tightly. Reusing the broad EWS permission shape in Graph is a missed security improvement.
8. Missing the August 2026 deadline.If the Allow List is not populated and EWSEnabled set to True by the end of August, Microsoft switches the tenant to EWSEnabled = False on 1 October. Every app then fails until the configuration is recovered. Plan ahead of the deadline, not after.

References & further reading