Exchange Online Security Updates Focus on EWS, Public Folders, Mail Transport, and More

On November 18, as interest in the Microsoft community turned to the marketing fest at the Ignite conference in Chicago, Microsoft released an interesting technical community post covering security updates for Exchange Online. Given the fundamental role that email plays within Microsoft 365, this is a topic that every tenant needs to pay attention to.

Many of the items listed are restatements of previous news, like the February 2025 deprecation of the App Impersonation RBAC role (I covered this point as a footnote in yesterday’s article). Basically, this is a role that allows Exchange Web Services (EWS) apps to access mailboxes. Microsoft wants to remove the role because it can be a vector to potential mailbox compromise. The problem is that tenants might be unaware that the role is used by an app or script. Microsoft has a PowerShell script to locate accounts that hold the role. It’s worth running the script, just in case.

It’s worth noting that equivalent Graph permissions are available to access content in user mailboxes. Microsoft answer is that tenants should use RBAC for Applications to restrict app access to the set of mailboxes that need to be processed. I agree.

Microsoft restated the plan to remove EWS from Exchange Online in October 2026, noting that the change will break any app based on EWS. Originally, Microsoft originally planned to implement an exception to allow their own EWS-based apps to continue running, but now they say that they’ll phase out EWS well before October 2026.

Gaps in Graph Coverage for EWS Functionality

More interestingly, Microsoft points to known gaps where Microsoft Graph APIs are not capable of taking over from EWS today. They say that they are working to support access to archive mailboxes, but don’t have a delivery date. I imagine that the Exchange admin center will need this API to perform tasks like enabling archives, reporting archive mailbox size, and so on.

Microsoft also noted that they will soon release Graph support for Application settings for Exchange client applications to cover user configuration and folder associated information (FAI). User configurations and FAIs are stored in mailboxes and used to hold settings needed by applications. I imagine that this work involved an extension of the current Graph support for mail items.

The big news in the announcement is that Microsoft says that they cannot deliver Graph support for “several admin features that are available to developers via EWS,” such as setting folder permissions or managing delegates for user mailboxes. Once EWS is deprecated, developers who implement these features in their apps will have to find a different way, perhaps by calling PowerShell using Azure functions.

Exchange Online Management – After much investigation, we have concluded we are unable to provide Graph API access to several admin features that are available to developers via EWS. Once Microsoft removes EWS from Exchange Online, to perform tasks such as setting folder permissions or managing delegates for a user, you will need to call PowerShell in code or use alternative ways to deliver this functionality.

The Final Demise of Public Folders

In addition, Microsoft says that they will no longer provide APIs to programmatically manage public folders after the removal of EWS in October 2026. I assume Microsoft thinks it’s simply not worthwhile to recreate public APIs for public folders because of low usage. Public folders were hot technology when Exchange 4.0 appeared in 1996 and have been on a downhill slope ever since. Despite suitable efforts to eradicate public folders over many years, use persists in a small number of Exchange Online tenants. Microsoft will continue to provide access via “supported” Outlook clients and for bulk import/export.

I presume that the new Outlook for Windows will support public folders. An option is available to add one or more public folders to Outlook favorites but the button to actually add the folder is missing. Maybe Copilot for Outlook didn’t like it. No doubt the button will show up before Microsoft removes for support for Outlook classic sometime after 2029.

I’m not sure if tenants will take the news as a broad hint that they should get off public folders (they should). It’s just sad that the tools to analyze the data in public folders and move what needs to be kept to a more modern alternative are so weak.

Exchange Online Security Updates in Mail Transport

Rounding out the post, Microsoft covers a bunch of recent improvements around DNSSEC and DANE. The news is that Mandatory Outbound SMTP DANE is coming in May 2025 with per-tenant and per-domain settings. Microsoft didn’t cover other efforts to increase the security of the Exchange Online email service, like the introduction of the external recipient rate limit (due on January 1, 2025) or the continuing effort to force hybrid tenants to upgrade on-premises servers to a supported version before email can flow across a connector to Exchange Online.

Finally, Microsoft notes that they recently added OAuth support to the preview of the High Volume Email feature (HVE). This summer, I spent some time working with HVE and ECS, the Azure Email Communication service. Both can do a job for tenants that needs to send bulk email, with HVE a better option for internal-focused email and ECS more suitable for outbound communications. You can read more, including sample PowerShell to send email via HVE and ECS, on Practical365.com.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.