Exchange Web Services is going away: why your tools could break in October 2026

The Exchange Web Services retirement most SMBs never saw coming

Microsoft will start disabling Exchange Web Services (EWS) in Exchange Online as early as October 2026, with full disablement in April 2027. For a Québec SMB, the problem isn't the API itself — few people know what EWS even is — it's everything quietly built on top of it: the mailbox backup tool, the company email-signature solution, legal archiving, certain CRMs, in-house line-of-business connectors. The day EWS goes dark, those tools stop working, often with no clear error message.

This is exactly the kind of deadline that slips under the radar: nothing pops up for the end user, nothing breaks until the date hits, and the countdown is already running. Microsoft confirmed the EWS retirement timeline back in 2023, then accelerated it after the Midnight Blizzard security incident of January 2024, which abused EWS directly. So this is as much a Modern Work file as it is a cybersecurity one.

What EWS is — and why Microsoft is pulling the plug

EWS is a programming interface launched in 2007 that lets an application read from and write to Exchange mailboxes: email, calendars, contacts, tasks. For fifteen years, most third-party tools that touch messaging went through it. Microsoft announced back in 2018 that EWS would receive no further feature updates — a clear signal the technology was end-of-life.

The reason for the retirement is, above all, security. EWS relies on older authentication models that are harder to protect than modern authentication. The Midnight Blizzard incident showed that a nation-state attacker could abuse EWS to reach mailboxes, which widened the scope of the retirement: not only third-party applications, but Microsoft's own products (Outlook, Office, Teams, Dynamics 365) are being moved off EWS too. The designated successor is Microsoft Graph, the unified, modern API of the Microsoft 365 ecosystem, built on Entra ID authentication and least-privilege access.

The timeline that matters

Three dates frame the decision, and they point to a single conclusion: there's no room left to wait.

• October 2026: Microsoft begins disabling EWS globally, tenant by tenant.
• April 2027: EWS is fully disabled. No application will be able to use it.
• Today already: admins can disable EWS manually at the organization or user level — handy for testing the impact in a controlled way before the forced cut-off (a "scream test": you turn it off and see what screams).

What will break in your environment

The real work isn't the date — it's the inventory. In the estates we audit at io4, EWS almost always hides in four places:

• Mailbox backup and archiving: several M365 backup and legal-archiving solutions read mailboxes via EWS. Archiving that stops silently is a direct Law 25 compliance risk.
• Company signatures and marketing tools: signature managers and email platforms rely on EWS to inject into Exchange.
• Line-of-business apps and in-house connectors: internal PowerShell scripts, CRM/ERP integrations, document management, custom-built booking tools.
• Old clients and devices: "scan-to-email" multifunction printers, legacy calendar or meeting-room booking apps.

Inventory first: the Microsoft tools to see clearly

Microsoft provides a valuable starting point for this inventory: the EWS Usage Reports in the Microsoft 365 admin center, which reveal which applications still call EWS in your tenant, plus a code-analysis tool (EWS Analyzer) for internal development. Visibility is where to start — the same reflex as for security or cloud costs: you only fix well what you've first measured.

Moving to Microsoft Graph without breaking things

For most common scenarios, Microsoft Graph already offers the EWS equivalent, with documented mappings between EWS operations and Graph APIs. The benefit goes beyond simply meeting the deadline: Graph brings modern Entra ID authentication, granular permissions (an application accesses only what it strictly needs), and a reduced attack surface. In other words, moving off EWS also hardens your security posture.

A few grey areas remain: some advanced functions (mailbox import/export, public folders, archives, certain administration APIs) aren't yet at full parity on Graph and are shipping progressively. For an SMB, these cases stay marginal, but they reinforce the rule: audit early to spot a possible uncovered scenario and adapt the plan, rather than discovering it in October 2026.

The approach we recommend has four steps: inventory EWS dependencies via the Microsoft reports, press your third-party vendors for their migration roadmap (a serious vendor already has one), migrate or replace your internal development to Graph, and validate with a controlled disablement test before the forced cut-off.

Bottom line: do the inventory now, not in September 2026

EWS retirement isn't a distant developer topic: it's a concrete operational risk for any organization on Exchange Online, with a hard deadline. Companies that do their inventory this quarter have time to negotiate with their vendors and stagger the migration; those who wait will discover the outage when backup or signatures stop working — and by then it's too late to plan calmly.

If you want to know what, in your tenant, still depends on Exchange Web Services, talk to an io4 expert. We run the dependency inventory, the coordination with your vendors, and the migration to Microsoft Graph with the same method we use across the rest of your Microsoft environment: visibility first, decisions second.