Update 12/15/2025: We modified the date of this change to end of June 2026 based on customer feedback. Please use that extra time to remove your dependencies on EWS.
As part of our ongoing efforts ...
Updated Dec 17, 2025
Version 4.0
Blog Post
Yesterday afternoon / evening German time (UTC+1) our Exchange Online backup jobs reported failure for about 10 mailboxes across 3 different tenants (the rest of the 1500 mailboxes in those 3 tenants were okay and this didn't happen in the 5 other tenants we are responsible for). We realized that Get-CASMailbox -ResultSize unlimited | Where-Object {$_.EwsEnabled -ne $blank -and $_.EwsEnabled -ne $true} delivered excatly the mailboxes where the backup failed with 403 forbidden (The HTTP request was forbidden with client authentication scheme 'Anonymous'.) as described in the following Veeam KB article. After set-casmailbox -ewsenabled $true backup has been confirmed to return to normal for 3 mailboxes in one of the three tenants. The 10 mailboxes affected were mostly full on licenses like O365E1 or EXOP1. This behaviour cannot be explained by any announced changes of Microsoft, can it?
https://www.veeam.com/kb4796
Greg Taylor - EXCHANGE
Microsoft
MicrosoftWe fixed a bug, and you correctly rectified it. Bottom line is, if the tenant wants to use EWS, the tenant wide flag needs to be Null or True, and if users want to use EWS, they should not have EWS set to false. The way to control EWS usage in Exchange Online is changing | Microsoft Community Hub