Exchange Web Services (EWS) have been an integral part of Exchange since Exchange Server 2007. They are used not only by Exchange Server and Exchange Online for communication between Exchange Servers and as part of hybrid communication. Email clients also use web services. EWS is a SOAP-based API, but in the meantime, there are more modern protocols. Back in 2018, the Exchange product group announced that there would be no further development for the EWS protocol in Exchange Online. Indirectly, the EWS Managed API README-file on GitHub contains an announcement for Exchange Server.
Microsoft Graph will replace EWS access to Exchange Online, and a Microsoft Developer blog post back in the summer of 2018 announced this upcoming change. In this context, both Exchange and Microsoft Graph product groups have pointed out the approaching end of Basic Authentication support for EWS in Exchange Online.
Complete decommissioning of Exchange Web Services in Exchange Online is no easy feat. Since many email clients and other software products use EWS API access, decommissioning is done in phases.
Discontinuation of EWS features for Exchange Online
In the first step, the changes to the EWS interface mainly affect partners who develop software solutions for Exchange Online. These partners have already known since 2018 that there will be changes.
The Exchange PG will start to decommission API functions that are rarely or never used. This applies particularly to unified messaging functions that are now no longer implemented by Exchange Online and other functionally that are now part of different APIs. Each API interface also represents a potential security risk. Thus, the reduction of the EWS API automatically leads to a reduction of the attack surface of Exchange Online.
As of September 2022, the following EWS APIs will be shut down:
For some of these API functions, you can find information in the outdated EWS XML documentation. The XML documentation received its last update in 2015.
If you have developed a software solution for Exchange Online and want to ensure its functionality in the future, you need to modify your code to use Microsoft Graph. This requirement applies to server-based software solutions and modern Outlook add-ins that need to interact with Exchange Online.
Where to start?
The online documentation for Exchange Online provides you with different starting points to familiarize yourself with the Microsoft Graph API for Exchange Online and the REST API for the on-premises Exchange organization.
- Microsoft Graph REST APIs for mail, calendars, and contacts
- Overview of Microsoft Graph
- On-Premises Architectural Requirements for the REST API
The discontinuation of the EWS API does not come as a surprise, and it is part of the catalog of measures to reduce the attack surface of the Exchange Online cloud service. The disabling of Basic Authentication is another part of these measures. It is essential to consider EWS API and Basic Auth changes in your architectural plans for developing and maintaining a software solution. Using Microsoft Graph also means switching to modern authentication.
The feature reduction of Exchange Web Services in Exchange Online directly impacts the email clients supported by Exchange Online. So the changes announced for 2022 don't just affect software developers. To continue to provide your users with a functioning email client, you need to address the lifecycle of the supported email clients.
- Upcoming API Deprecations in Exchange Web Services for Exchange Online (2021)
- Upcoming changes to Exchange Web Services (EWS) API for Office 365 (2018, Exchange PG)
- EWS Managed API - GitHub
- Upcoming changes to Exchange Web Services (EWS) API for Office 365 (2018, Microsoft Graph PG)
- Explore the EWS Managed API, EWS, and web services in Exchange
- Clients and mobile in Exchange Online
Exchange Hybrid and Office 365 Monitoring and Reporting
On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.