As we continue to improve the user experience and security in Exchange Online, we’re introducing a significant update to the EWSEnabled tenant-wide switch. This change, set to roll out globally from April 1, 2025, will affect how organizations manage Exchange Web Services (EWS) access.
Understanding the Upcoming Changes
Currently, the EWSEnabled flag offers flexibility in managing EWS access at both the organization and user levels. In its existing form, if the flag is set to true at the user level, it overrides the organization-level setting, allowing requests even if the organizational setting is false. This hierarchical model sometimes makes it challenging for administrators, especially in large entities, to maintain consistent policy application. Here’s how it currently works:
| Organization Level | User Level | EWS Requests |
|---|---|---|
| True or |
True or |
Allowed |
| True or |
False | Not Allowed |
| False | True | Allowed |
| False | False or |
Not Allowed |
However, we’re refining this behavior to facilitate more uniform policy enforcement.
New Policy Implementation
The updated behavior will require both the organization and user-level EWSEnabled flags to be true for EWS requests to be allowed. This new approach empowers administrators with greater control, simplifying the task of enforcing consistent policies:
| Organization Level | User Level | EWS Requests |
|---|---|---|
| True or |
True or |
Allowed |
| True or |
False | Not Allowed |
| False | True or |
Not Allowed |
| False | False | Not Allowed |
In essence, the change ensures EWS is accessible only when explicitly permitted at both levels, enhancing the security and reliability of your organization’s communications.
What You Need to Do
To prepare for this update, ensure your per-user and tenant-wide settings align with your intended EWS usage policies. For a deeper understanding and further guidance, refer to our full blog post.
Stay ahead by reviewing and adjusting your organization’s settings before the change is implemented.