Upcoming changes to Exchange Web Services (EWS) API for Office 365

Published 07-03-2018 12:28 PM 239K Views

Note - added July 24 2020: Please note the dates below have changed. The retirement of Basic Auth for EWS is no longer October 13th 2020, but instead is now tied to the larger Basic Auth retirement plan discussed here


Over the last few years, we have been investing in services that help developers access information in Office 365 in a simple and intuitive way, specifically through Microsoft Graph.  Microsoft Graph and the use of OAuth 2.0 provide increased security and seamless integration with other Microsoft cloud services and is rapidly expanding developer access to the rich data sets behind Microsoft applications.   As we make progress on this journey, we have continued to evaluate the role of Exchange Web Services (EWS). Today we are sharing our plans to move away from Basic Authentication access for EWS over the next two years, with support ending Oct. 13, 2020.   

These plans apply only to the cloud-based Office 365/Exchange Online products; there are no changes to EWS capabilities of on-premises Exchange products. 

Exchange Web Services will not receive feature updates 

Starting today, Exchange Web Services (EWS) will no longer receive feature updates. While the service will continue to receive security updates and certain non-security updates, product design and features will remain unchanged. This change also applies to the EWS SDKs for Java and .NET as well.  While we are no longer actively investing in it, EWS will still be available and supported for use in production environments.  However, we strongly suggest migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality. For more information and details on how to make the transition, please refer to the following articles: 

While EWS and Graph have mostly overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, please let us know via UserVoice of features needed for your app scenarios.   

Basic Authentication for EWS will be decommissioned 

Exchange Web Services (EWS) was launched with support for Basic Authentication. Over time, we've introduced OAuth 2.0 for authentication and authorization, which is a more secure and reliable way than Basic Authentication to access data. Please refer to the following article for more information:  Getting started with OAuth2 for Microsoft Graph  Today, we are announcing that on October 13th, 2020 we will stop supporting and fully decommission the Basic Authentication for EWS to access Exchange Online. This means that new or existing apps will not be able to use Basic Authentication when connecting to Exchange using EWS.  

Next Steps 

The deprecation of these APIs follows our service deprecation policies. We understand changes like this may cause some inconvenience, but we are confident it will ensure more secure, reliable, and performant experiences for our customers.  We're here to help if you need it. If you have questions, please let us know in Stack Overflow with the [MicrosoftGraph] tag.  Thank you in advance for updating and opening your apps to a wider range of useful and intelligent features on Microsoft Graph. We are extremely excited about the growing opportunities that Microsoft Graph offers to our customers, and we remain fully committed to continue our journey to empower developers to access Office 365 data with the most modern features and tools. 

Frequently Asked Questions  

Q: Will my application stop working when you make this change? 

A: It might, yes, it depends on the app itself and how it was coded. If it’s using EWS, and if it’s using Basic authentication then yes, on October 13th 2020 it will fail to connect. However, if the app is using Modern Auth/OAuth, then no, it will keep working as it did before.  

Q: Why October 13th 2020? Why that date? 

A: Starting October 13, 2020, Office 365 ProPlus or Office perpetual in mainstream support will be required to connect to Office 365 services. This announcement is posted here Office 365 ProPlus Updates  This change requires that Office 2013/Office 2016 are also required to use Modern Auth. Please see this.

Q: Our in-house team created an app for meeting room scheduling, how do we go about changing that over to Graph and OAuth2.0?  

A: Don’t forget you can keep using EWS if you want to, so then really, it’s just the question of authentication. To get a better understanding of how to use OAuth 2.0 take a look here.

Q: How does this impact my On-Premises Exchange deployment? 

A: It does not. This change only affects Exchange Online.  

Q: We require Modern Authentication + Multi Factor Auth for all our Outlook users connecting to O365, how do apps work when I have that set as a requirement? 

A: Applications can be written so they are treated as ‘trusted applications’. That way they can bypass the MFA requirement, more details are here.

Q: How do I know which of my apps use Basic authentication to EWS? 

A: If you only use Outlook to connect to Exchange Online then you don’t need to worry, as long as you are using Office 2019 or Office 2019 Pro Plus you’ll be fine come October 2020. However, if you also have integrated apps into your Office 365 tenant you’ll need to check with the application developers to verify how it authenticates to Exchange Online if you aren’t’ sure. We are investigating how we can share this information with tenant admins, but have nothing available at the time of writing this blog.  

Q: What features does EWS have that Graph can’t provide? 

A: Graph is constantly evolving and adding features and functionality to provide the richest set of experiences we can. To see the latest features we’ve added to Graph, go here Overview of Outlook mail API on Microsoft Graph 

Q: Will this affect my Exchange Hybrid configuration? Exchange On-Premises calls into Exchange Online using EWS doesn’t it? 

A: Yes, it does. But it doesn’t use Basic Authentication, it uses token-based authentication, and it’s described in this blog post. How Hybrid Authentication Really Works

The Exchange Team

Not applicable
Thank you for the post!
Occasional Visitor
Currently, accessing our O365 mail accounts via EWS is dirt simple (and we have a federated, government domain and in five {5} lines of code, we bind to what we want) : $Service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1) $Service.Credentials = [System.Net.NetworkCredential]::new($UserName, $Password, $Domain) $Service.Url = "https://outlook.office365.com/EWS/Exchange.asmx" $Folderid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Tasks, $mailbox) $Folder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service, $Folderid) The users simply give whatever permissions they want to our service account in their native Outlook clients through their normal method of sharing, and poof - we have mail, calendar and task access - all controlled by the email user. So........are there any EXAMPLES that "translate" the dirt simple approach above into an OAUTH2 approach?

I received a reminder from Microsoft office 365 message center about this and it referenced:

"Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH"


So does this mean that all mobile clients and desktop clients will be forced to use one of these clients?

  • Outlook 2013 (with reg keys to enable Modern Auth)

  • Outlook 2016 for Mac or later

  • Outlook for iOS and Android

  • Mail for iOS 11.3.1 or later

  • Outlook Web
  • Outlook 2016 and/or Outlook 2019

Will any other clients function or are any on the list above susceptible of not functioning after Basic Auth is disabled?


Occasional Visitor

We have some low use employees who only use Google Chrome/Safari to check basic email and calendar information while away from work (without the Android or iOS Outlook apps).

Are these users/accounts impacted by these changes as well?

Occasional Visitor
I have also received a notification, ios version 12.4 still uses "exchange" to receive mail, I feel the "outlook" on ios is not very optimal .

This is another garbage decision that is hostile to customers while providing only modest increases to the massive plague of security issues that haunt O365.


All of that time spent deprecating SSL and flawed versions of TLS just to ultimately cancel basic auth altogether. What a boneheaded sense of misdirection that causes customers grief and a never ending churn of updates that provide nearly zero value for many use cases.


I keep wondering what the world will be like for O365 customers who choose to host their email somewhere else. Sadly it seems the answer to that question is growing more important every day.


Does this mean that App Passwords will no longer be usable on native Android mail / contacts / calendar app? 


If so, please make sure Outlook for Android can do complete, automatic, in the background, two-way sync with our contacts stored on Exchange Online, similar to the way it works with Outlook 2016/2019 for Windows Desktop. 


It is vital that we be able to update contacts on our mobile devices and have them sync to the cloud reliably and transparently, and that contacts modified on other mobile or desktop devices update on all devices.

Occasional Visitor



Will this changes affects plug-ins developed for Outlook windows application accessing Office 365 accounts? Thanks.


 @Steven Seligman  had a good question. What happens with App Passwords and MFA users.  Will they not be able to use Outlook Desktop?  Kind of sounds like it.  I've got to be missing something.  




"Blocking Basic authentication will block app passwords in Exchange Online."

Occasional Visitor

We have a 3rd party system which connects through anonymous smtp (no login credentials) to exchange online. will this be also not working after this change?

Occasional Visitor

We have a small program using CDO library.


Are the programs using CDO going to be affected?

Senior Member

Does this affect the "Exchange Reporting Services" a.k.a "Office 365 Reporting web service"



If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?




Occasional Visitor

Currently we are using EWS API with basic authentication to automate CRUD activities for outlook tasks and calendar items. NOT outlook mail (sending/retrieving messages/mails etc.)

Looking at the notice where the basic authentication will stop working by October 2020, i have started to explore the alternative which is moving to Microsoft Graph API.

But i noticed, there is not yet CRUD for tasks and calendar items under Outlook Mail.

I found the below while googling but seems is not working.

POST https://graph.microsoft.com/beta/me/outlook/tasks POST https://graph.microsoft.com/v1.0/me/events

My question is, will the EWS with basic authentication affect the Outlook tasks and calendar events as well?

Why i don't see them in the Graph API explorer? they should be under Outlook Mail

I appreciate if you guys can give me insight

Super Contributor

We've moved a large business process that manages thousands of events off the EWS API to Graph and you can definitely do CRUD operations against a user's calendar (or a group) using the Graph. 




Tasks were out of scope for us but my recall is that the options in the Graph were focused on Planner and To-Do action.

Occasional Visitor

Thanks Geoffrey for your response.


But i was wondering if the coming deprecation of basic authentication will affect  user's calendar and Tasks using EWS ?


Thanks again.

Occasional Visitor

hi @Geoffrey Bronner ,


Yes, i have tried the Graph API and it worked. It was permission issue.


But the calendar/tasks is still in beta. Also i noticed there are few properties are missing.


1- Priority
2- % complete
3- Reminder (minutes)
5- Total work
6- Actual work
7- Mileage
8- Billing
9- Companies


Are those properties being worked out and should be in V1 soon?



Senior Member


Does this affect the "Exchange Reporting Services" a.k.a "Office 365 Reporting web service"



If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?

we really need a response on this one. this is business critical for us, and from the blog post it is unclear.




Regular Visitor

Is it possible to disable basic authentication earlier, e.g. through the GPO or changes in the registry?
We are preparing to implement o365 and we wanted to check the security features during testing

@Maciej_Jerenkiewicz Preferred would be to block Basic Auth (or legacy authentication) at the back-end; to accomplish this:


New Contributor

Announced 10 days ago - "

In response to the unprecedented situation we are in and knowing that priorities have changed for many of our customers we have decided to postpone retiring Basic Authentication in Exchange Online (MC204828) for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.


How does this affect me?


We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. And of course you can start blocking legacy authentication today, you don’t need us to do anything if you want to get started (and you should).

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.


What do I need to do to prepare?


This change allows you more time to update clients, applications and services that are using Basic Authentication to use Modern Authentication."

Occasional Visitor

Does this affect the "Office 365 Reporting web service"



If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?

Version history
Last update:
‎Jul 24 2020 12:19 AM