A recent post revealed that the Mailbox Import-Export Graph API doesn’t capture audit events for its operations. The API is in beta, but this is disappointing. Auditing any mailbox is important, but it becomes a critical requirement when the possibility exists that attackers could use the API to exfiltrate mailbox data outside of the tenant. This is a hole that Microsoft needs to close.
Some new Graph APIs were announced on April 1 to close a feature gap with EWS. The new APIs permanently remove mailbox items and other objects, including folders, calendars, and calendar items. Permanent deletion means that items cannot be recovered through clients because they end up in the Purges folder in Recoverable Items. This article explains how the new APIs work, including a practical example.
Microsoft will retire Exchange Web Services (EWS) from Exchange Online on October 1, 2026. A new usage report helps tenants understand what apps use EWS. Many of the apps are likely to be first-party (Microsoft) apps, but some might be third-party apps developed externally or internally. Those apps need to be retired or upgraded to use Graph APIs. Time is slipping away to do the work.
Exchange Web Services (EWS) will retire in October 2026. Tenants that still need to use EWS must explicitly set EWSEnabled to true in the organization configuration. If they don’t, the previous rule that allows mailboxes enabled for EWS to function won’t work. The change is part of the preparation for the phase-out of EWS. To help, we’ve written a script to send email to administrators listing accounts still enabled for EWS.
In a November 18 post, Microsoft describes some Exchange Online security updates that are due to land between now and 2026. Some of the news is a restatement of previously announced information, like the deprecation of EWS in October 2026. New information includes some information about feature caps that the Graph APIs cannot close when EWS goes away. And then there’s a hint about the demise of public folders (again!)
On September 19, 2023 Microsoft announced their intention to retire the Exchange Web Services API on 1 October 2026. The suggested replacement is the Microsoft Graph API. Microsoft acknowledges that some gaps exist that they need to close before EWS retirement happens, but one big issue they didn’t discuss is what happens to the backup products that currently use EWS to backup Exchange Online.
In a July 12 announcement, Microsoft says that they will restrict the use of Exchange Web Services to access Teams message data from September 30. Microsoft wants customers to use the Teams Export API instead. All that’s fine, but it means that customers have to change their Teams backup product to one that uses the new API – and they’ll be charged for the privilege of using the Export API.
A Microsoft October 5 announcement gives a clear signal that Exchange Web Services is on a short runway to oblivion. The first step is the removal of 25 APIs on March 31, 2022. It’s all part of the master plan to get Office 365 tenants and ISVs to move to the Microsoft Graph APIs. This is a perfectly laudable ambition but it’s complicated because of the lack of suitable Graph APIs to handle the volume of Exchange data involved in scenarios like backup/restore and migration. Teams has a new Graph Export API, but it introduces consumption metering and charging. Is a new Exchange API coming and will it use the same charging mechanism? We live in interesting times…
Microsoft wants to remove basic authentication from Exchange Online connection protocols. But pressures have forced Microsoft into a new strategy and away from the mid-2021 date for deprecation of basic authentication for five protocols. Instead, Microsoft will disable basic authentication for protocols where it’s not used, include four addition protocols in its target set, and pause action for tenants where basic authentication is in active use. When they restart, Microsoft will give tenants 12 months’ notice that basic authentication will be blocked for a protocol. You can argue that Microsoft should have pressed ahead with their original plan, but would widespread disruption of service be worth the benefit gained from blocking vulnerable protocols? Balancing risk versus reward is often not easy.
Many migration projects use Exchange Web Services (EWS) to move data to Exchange Online. EWS is using throttled to preserve resources. Here’s how to lift the restrictions for up to 90 days, all without going near a support call.
Microsoft has announced that basic authentication for multiple email connection protocols won’t be supported after October 13, 2020. You won’t be able to connect with EWS, EAS, IMAP4, POP3, or Remote PowerShell unless you use modern authentication. There’s just over a year to prepare, but there’s some work to be done.