Update 6/11/2026: We modified the date of this change to October 1, 2026 based on customer feedback. Please use that extra time to remove your dependencies on EWS.
As part of our ongoing efforts to...
Updated Jun 11, 2026
Version 5.0
Blog Post
Yesterday afternoon / evening German time (UTC+1) our Exchange Online backup jobs reported failure for about 10 mailboxes across 3 different tenants (the rest of the 1500 mailboxes in those 3 tenants were okay and this didn't happen in the 5 other tenants we are responsible for). We realized that Get-CASMailbox -ResultSize unlimited | Where-Object {$_.EwsEnabled -ne $blank -and $_.EwsEnabled -ne $true} delivered excatly the mailboxes where the backup failed with 403 forbidden (The HTTP request was forbidden with client authentication scheme 'Anonymous'.) as described in the following Veeam KB article. After set-casmailbox -ewsenabled $true backup has been confirmed to return to normal for 3 mailboxes in one of the three tenants. The 10 mailboxes affected were mostly full on licenses like O365E1 or EXOP1. This behaviour cannot be explained by any announced changes of Microsoft, can it?
https://www.veeam.com/kb4796
Greg Taylor - EXCHANGE
Microsoft
MicrosoftWe fixed a bug, and you correctly rectified it. Bottom line is, if the tenant wants to use EWS, the tenant wide flag needs to be Null or True, and if users want to use EWS, they should not have EWS set to false. The way to control EWS usage in Exchange Online is changing | Microsoft Community Hub
It looks like Microsoft has disabled EWS in many tenants for F and Kiosk licenses ahead of their announced date.
- Greg Taylor - EXCHANGE
No, we have not Gary. What makes you say that?
Greg Taylor - EXCHANGE​ I found out that the tenant set for EWS must be "true" and NOT "null" in order to access Kiosk license.
This doesn't line up with the official statement.
Can you please shade a bit of light on this?
