cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Upcoming changes to Exchange Web Services (EWS) API for Office 365
By
The_Exchange_Team
Published Jul 03 2018 12:28 PM 523K Views
The_Exchange_Team
Microsoft
‎Jul 03 2018 12:28 PM

Upcoming changes to Exchange Web Services (EWS) API for Office 365

‎Jul 03 2018 12:28 PM

Update: For latest information related to basic authentication in Exchange Online, please see Basic Authentication and Exchange Online – September 2022 Update.

Over the last few years, we have been investing in services that help developers access information in Office 365 in a simple and intuitive way, specifically through Microsoft Graph.  Microsoft Graph and the use of OAuth 2.0 provide increased security and seamless integration with other Microsoft cloud services and is rapidly expanding developer access to the rich data sets behind Microsoft applications.   As we make progress on this journey, we have continued to evaluate the role of Exchange Web Services (EWS). Today we are sharing our plans to move away from Basic Authentication access for EWS over the next two years, with support ending Oct. 13, 2020.   

These plans apply only to the cloud-based Office 365/Exchange Online products; there are no changes to EWS capabilities of on-premises Exchange products. 

Exchange Web Services will not receive feature updates 

Starting today, Exchange Web Services (EWS) will no longer receive feature updates. While the service will continue to receive security updates and certain non-security updates, product design and features will remain unchanged. This change also applies to the EWS SDKs for Java and .NET as well.  While we are no longer actively investing in it, EWS will still be available and supported for use in production environments.  However, we strongly suggest migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality. For more information and details on how to make the transition, please refer to the following articles: 

While EWS and Graph have mostly overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, please let us know via UserVoice of features needed for your app scenarios.   

Basic Authentication for EWS will be decommissioned 

Exchange Web Services (EWS) was launched with support for Basic Authentication. Over time, we've introduced OAuth 2.0 for authentication and authorization, which is a more secure and reliable way than Basic Authentication to access data. Please refer to the following article for more information:  Getting started with OAuth2 for Microsoft Graph  Today, we are announcing that on October 13th, 2020 we will stop supporting and fully decommission the Basic Authentication for EWS to access Exchange Online. This means that new or existing apps will not be able to use Basic Authentication when connecting to Exchange using EWS.  

Next Steps 

The deprecation of these APIs follows our service deprecation policies. We understand changes like this may cause some inconvenience, but we are confident it will ensure more secure, reliable, and performant experiences for our customers.  We're here to help if you need it. If you have questions, please let us know in Stack Overflow with the [MicrosoftGraph] tag.  Thank you in advance for updating and opening your apps to a wider range of useful and intelligent features on Microsoft Graph. We are extremely excited about the growing opportunities that Microsoft Graph offers to our customers, and we remain fully committed to continue our journey to empower developers to access Office 365 data with the most modern features and tools. 

Frequently Asked Questions  

Q: Will my application stop working when you make this change? 

A: It might, yes, it depends on the app itself and how it was coded. If it’s using EWS, and if it’s using Basic authentication then yes, on October 13th 2020 it will fail to connect. However, if the app is using Modern Auth/OAuth, then no, it will keep working as it did before.  

Q: Why October 13th 2020? Why that date? 

A: Starting October 13, 2020, Office 365 ProPlus or Office perpetual in mainstream support will be required to connect to Office 365 services. This announcement is posted here Office 365 ProPlus Updates  This change requires that Office 2013/Office 2016 are also required to use Modern Auth. Please see this.

Q: Our in-house team created an app for meeting room scheduling, how do we go about changing that over to Graph and OAuth2.0?  

A: Don’t forget you can keep using EWS if you want to, so then really, it’s just the question of authentication. To get a better understanding of how to use OAuth 2.0 take a look here.

Q: How does this impact my On-Premises Exchange deployment? 

A: It does not. This change only affects Exchange Online.  

Q: We require Modern Authentication + Multi Factor Auth for all our Outlook users connecting to O365, how do apps work when I have that set as a requirement? 

A: Applications can be written so they are treated as ‘trusted applications’. That way they can bypass the MFA requirement, more details are here.

Q: How do I know which of my apps use Basic authentication to EWS? 

A: If you only use Outlook to connect to Exchange Online then you don’t need to worry, as long as you are using Office 2019 or Office 2019 Pro Plus you’ll be fine come October 2020. However, if you also have integrated apps into your Office 365 tenant you’ll need to check with the application developers to verify how it authenticates to Exchange Online if you aren’t’ sure. We are investigating how we can share this information with tenant admins, but have nothing available at the time of writing this blog.  

Q: What features does EWS have that Graph can’t provide? 

A: Graph is constantly evolving and adding features and functionality to provide the richest set of experiences we can. To see the latest features we’ve added to Graph, go here Overview of Outlook mail API on Microsoft Graph 

Q: Will this affect my Exchange Hybrid configuration? Exchange On-Premises calls into Exchange Online using EWS doesn’t it? 

A: Yes, it does. But it doesn’t use Basic Authentication, it uses token-based authentication, and it’s described in this blog post. How Hybrid Authentication Really Works

The Exchange Team

23 Comments
Not applicable
‎Jul 25 2018 01:24 PM
‎Jul 25 2018 01:24 PM
Thank you for the post!
0 Likes
Like
vmcavmcavmca
Copper Contributor
‎Jul 15 2019 03:18 PM
‎Jul 15 2019 03:18 PM
Currently, accessing our O365 mail accounts via EWS is dirt simple (and we have a federated, government domain and in five {5} lines of code, we bind to what we want) : $Service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1) $Service.Credentials = [System.Net.NetworkCredential]::new($UserName, $Password, $Domain) $Service.Url = "https://outlook.office365.com/EWS/Exchange.asmx" $Folderid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Tasks, $mailbox) $Folder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service, $Folderid) The users simply give whatever permissions they want to our service account in their native Outlook clients through their normal method of sharing, and poof - we have mail, calendar and task access - all controlled by the email user. So........are there any EXAMPLES that "translate" the dirt simple approach above into an OAUTH2 approach?
Omar Droubi
Copper Contributor
‎Sep 20 2019 02:58 PM
‎Sep 20 2019 02:58 PM

I received a reminder from Microsoft office 365 message center about this and it referenced:

"Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH"

 

So does this mean that all mobile clients and desktop clients will be forced to use one of these clients?

  • Outlook 2013 (with reg keys to enable Modern Auth)

  • Outlook 2016 for Mac or later

  • Outlook for iOS and Android

  • Mail for iOS 11.3.1 or later

  • Outlook Web
  • Outlook 2016 and/or Outlook 2019

Will any other clients function or are any on the list above susceptible of not functioning after Basic Auth is disabled?

Thanks

Rastor728
Copper Contributor
‎Sep 20 2019 03:14 PM
‎Sep 20 2019 03:14 PM

We have some low use employees who only use Google Chrome/Safari to check basic email and calendar information while away from work (without the Android or iOS Outlook apps).

Are these users/accounts impacted by these changes as well?

hang_quang_vinh
Copper Contributor
‎Sep 20 2019 03:53 PM
‎Sep 20 2019 03:53 PM
I have also received a notification, ios version 12.4 still uses "exchange" to receive mail, I feel the "outlook" on ios is not very optimal .
brandonkirsch
Copper Contributor
‎Sep 20 2019 10:05 PM
‎Sep 20 2019 10:05 PM

This is another garbage decision that is hostile to customers while providing only modest increases to the massive plague of security issues that haunt O365.

 

All of that time spent deprecating SSL and flawed versions of TLS just to ultimately cancel basic auth altogether. What a boneheaded sense of misdirection that causes customers grief and a never ending churn of updates that provide nearly zero value for many use cases.

 

I keep wondering what the world will be like for O365 customers who choose to host their email somewhere else. Sadly it seems the answer to that question is growing more important every day.

Steven Seligman
Iron Contributor
‎Sep 21 2019 09:14 AM
‎Sep 21 2019 09:14 AM

Does this mean that App Passwords will no longer be usable on native Android mail / contacts / calendar app? 

 

If so, please make sure Outlook for Android can do complete, automatic, in the background, two-way sync with our contacts stored on Exchange Online, similar to the way it works with Outlook 2016/2019 for Windows Desktop. 

 

It is vital that we be able to update contacts on our mobile devices and have them sync to the cloud reliably and transparently, and that contacts modified on other mobile or desktop devices update on all devices.

MLovelet
Copper Contributor
‎Sep 29 2019 03:00 PM
‎Sep 29 2019 03:00 PM

Hi,

 

Will this changes affects plug-ins developed for Outlook windows application accessing Office 365 accounts? Thanks.

0 Likes
Like
Kendall England
Brass Contributor
‎Oct 15 2019 06:40 PM
‎Oct 15 2019 06:40 PM

 @Steven Seligman  had a good question. What happens with App Passwords and MFA users.  Will they not be able to use Outlook Desktop?  Kind of sounds like it.  I've got to be missing something.  

basic.jpg

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

 

"Blocking Basic authentication will block app passwords in Exchange Online."

0 Likes
Like
Gerd_Cardinale
Copper Contributor
‎Oct 22 2019 09:04 AM
‎Oct 22 2019 09:04 AM

We have a 3rd party system which connects through anonymous smtp (no login credentials) to exchange online. will this be also not working after this change?

0 Likes
Like
oesg28
Copper Contributor
‎Oct 28 2019 01:44 PM
‎Oct 28 2019 01:44 PM

We have a small program using CDO library.

 

Are the programs using CDO going to be affected?

0 Likes
Like
nadavlavy
Copper Contributor
‎Dec 16 2019 06:24 AM
‎Dec 16 2019 06:24 AM

Does this affect the "Exchange Reporting Services" a.k.a "Office 365 Reporting web service"

(https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...))

 

If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?

 

 

 

0 Likes
Like
HakTech1400
Copper Contributor
‎Dec 18 2019 10:48 PM
‎Dec 18 2019 10:48 PM

Currently we are using EWS API with basic authentication to automate CRUD activities for outlook tasks and calendar items. NOT outlook mail (sending/retrieving messages/mails etc.)

Looking at the notice where the basic authentication will stop working by October 2020, i have started to explore the alternative which is moving to Microsoft Graph API.

But i noticed, there is not yet CRUD for tasks and calendar items under Outlook Mail.

I found the below while googling but seems is not working.

POST https://graph.microsoft.com/beta/me/outlook/tasks POST https://graph.microsoft.com/v1.0/me/events

My question is, will the EWS with basic authentication affect the Outlook tasks and calendar events as well?

Why i don't see them in the Graph API explorer? they should be under Outlook Mail

I appreciate if you guys can give me insight

0 Likes
Like
Geoffrey Bronner
Steel Contributor
‎Dec 19 2019 09:55 AM
‎Dec 19 2019 09:55 AM

We've moved a large business process that manages thousands of events off the EWS API to Graph and you can definitely do CRUD operations against a user's calendar (or a group) using the Graph. 

 

https://docs.microsoft.com/en-us/graph/api/resources/calendar?view=graph-rest-1.0

 

Tasks were out of scope for us but my recall is that the options in the Graph were focused on Planner and To-Do action.

0 Likes
Like
HakTech1400
Copper Contributor
‎Dec 20 2019 05:33 AM
‎Dec 20 2019 05:33 AM

Thanks Geoffrey for your response.

 

But i was wondering if the coming deprecation of basic authentication will affect  user's calendar and Tasks using EWS ?

 

Thanks again.

0 Likes
Like
HakTech1400
Copper Contributor
‎Dec 20 2019 06:53 PM
‎Dec 20 2019 06:53 PM

hi @Geoffrey Bronner ,

 

Yes, i have tried the Graph API and it worked. It was permission issue.

 

But the calendar/tasks is still in beta. Also i noticed there are few properties are missing.

 

1- Priority
2- % complete
3- Reminder (minutes)
5- Total work
6- Actual work
7- Mileage
8- Billing
9- Companies

 

Are those properties being worked out and should be in V1 soon?

 

Thanks

0 Likes
Like
nadavlavy
Copper Contributor
‎Feb 10 2020 02:17 AM
‎Feb 10 2020 02:17 AM

@Mich- 

Does this affect the "Exchange Reporting Services" a.k.a "Office 365 Reporting web service"

(https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...))

 

If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?

we really need a response on this one. this is business critical for us, and from the blog post it is unclear.

 

Thanks,

Nadav

0 Likes
Like
Maciej_Jerenkiewicz
Copper Contributor
‎Feb 10 2020 04:28 AM
‎Feb 10 2020 04:28 AM

Hello,
Is it possible to disable basic authentication earlier, e.g. through the GPO or changes in the registry?
We are preparing to implement o365 and we wanted to check the security features during testing

0 Likes
Like
Michel de Rooij
MVP
‎Feb 10 2020 06:49 AM
‎Feb 10 2020 06:49 AM

@Maciej_Jerenkiewicz Preferred would be to block Basic Auth (or legacy authentication) at the back-end; to accomplish this:

 

Cassandra Crawford
Copper Contributor
‎Apr 16 2020 11:03 AM
‎Apr 16 2020 11:03 AM

Announced 10 days ago - "

In response to the unprecedented situation we are in and knowing that priorities have changed for many of our customers we have decided to postpone retiring Basic Authentication in Exchange Online (MC204828) for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.

 

How does this affect me?

 

We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. And of course you can start blocking legacy authentication today, you don’t need us to do anything if you want to get started (and you should).

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

 

What do I need to do to prepare?

 

This change allows you more time to update clients, applications and services that are using Basic Authentication to use Modern Authentication."

0 Likes
Like
nadav-lavy-exabeam
Copper Contributor
‎Sep 23 2020 03:03 AM
‎Sep 23 2020 03:03 AM

Does this affect the "Office 365 Reporting web service"

(https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...))

 

If so, is there a new API that enables the functionality of message-trace and the other very useful reports?

Or, will these APIs now support OAuth2.0 authentication?

0 Likes
Like
ChanChine
Copper Contributor
‎Aug 17 2022 09:51 AM
‎Aug 17 2022 09:51 AM

If my apps are using mailboxes that are still in Exchange on-premises, yet we are in a hybrid state, will EWS also fail come the October deadline for such applications? 

0 Likes
Like
Armugharaj
Copper Contributor
‎Jan 31 2023 10:40 PM
‎Jan 31 2023 10:40 PM

Hi Team,

 

Extension of using Basic Authentication is also expired on 31st Jan 2023, Kindly confirm 

0 Likes
Like
Co-Authors
Version history
Last update:
‎Sep 01 2022 09:50 AM
Updated by: