Microsoft announced on May 8, 2026, that it will retire direct certificate-based authentication (CBA) for Exchange ActiveSync (EAS) by the end of 2026. If your organization uses certificates to authenticate mobile devices against Exchange Online, you must migrate to a new method before the deadline, or your users' mobile email will stop working. This article explains what the change means, who is affected, and what steps you need to take.

Source

Microsoft is shutting down Exchange Web Services (EWS) — the nearly 20-year-old API that Exchange uses for hybrid coexistence — in Exchange Online in two phases: a soft block on October 1, 2026, and a permanent hard shutdown on April 1, 2027. If you run Exchange in hybrid mode, meaning some mailboxes are on-premises and some are in Microsoft 365, this requires a two-step migration. The first step should already be complete; the second step must be finished before October 2026 and requires Exchange Server Subscription Edition (SE). Microsoft has confirmed there will be no exceptions past April 2027.

Source

In hybrid Exchange environments, organizations have long been forced to keep an on-premises Exchange Server running just to manage Exchange-related settings for mailboxes already hosted in Exchange Online. Microsoft has been addressing this with the Cloud-Managed Remote Mailboxes feature, and its latest addition — writeback — entered public preview on May 15, 2026. Writeback automatically pushes Exchange attribute changes made in Exchange Online back to your on-premises Active Directory, so internal line-of-business applications that read from AD stay in sync. This article explains what writeback does, what you need to configure it, and how it supports decommissioning your last on-premises Exchange Server.

Source

La vulnérabilité CVE-2026-42897 affecte Exchange Server 2016, 2019 et SE. Découvrez les mesures d'urgence pour atténuer la menace sans patch officiel.

Le post Exchange Server – CVE-2026-42897 : cette faille zero-day est déjà exploitée ! a été publié sur IT-Connect.

Microsoft has released the Change Optics Report in public preview for Exchange Online. This new report, available in the Exchange Admin Center (EAC), identifies emails in your tenant that will be affected when Microsoft enforces an upcoming service change — before the change takes effect. Currently, it covers two scenarios: outbound mail sent from your default onmicrosoft.com domain, and incoming Direct Send traffic. This article explains what the report shows, how to access it, and what steps to take for each scenario.

Source

Microsoft announced on April 15, 2026, a second paid security update period—called "Period 2"—for Exchange Server 2016 and 2019. This extends coverage from May through October 2026 for organizations unable to complete their migration to Exchange Server Subscription Edition (SE). The program covers only security-related patches and requires a separate purchase via a Microsoft Enterprise Agreement. This article explains what the program includes, who qualifies, and the practical limitations.

Source

Microsoft announced a breaking change to the Microsoft Graph API affecting Exchange Online: from December 31, 2026, applications that modify sensitive email properties -- such as the subject, body, or recipients -- on delivered messages must hold elevated Mail-Advanced.ReadWrite permissions. Until now, the standard Mail.ReadWrite permission was sufficient for these operations. The new permissions require explicit approval from the tenant administrator ("admin consent"). If you operate Microsoft 365 and have custom applications or third-party tools that interact with email via the Graph API, you need to audit and potentially update these apps before the enforcement date.

Source

Exchange Online now lets you choose, per outbound connector, whether SMTP DANE and MTA-STS are enforced opportunistically, mandatorily (for DANE), or not at all. These new connector modes give you granular control over how strictly Exchange Online enforces modern email security standards when sending mail to external domains.

Source

Microsoft is developing Priority Cleanup V2, an updated data-purging feature in Microsoft Purview that deletes Exchange Online mailbox content even when protected by retention policies or eDiscovery holds. This proposed version is designed to reduce the number of approval stages from three to two, accelerate deletion from days to hours, and introduce batch-processing safeguards.

Source

Microsoft has announced that moderation approvals in Exchange Online are transitioning from voting buttons to Actionable Messages Adaptive Cards, bringing Approve | Reject buttons directly into email bodies. This update enables moderators to approve or reject messages from any Outlook client, including Windows, macOS, web, and mobile. The rollout begins in late February 2026 and concludes by early April 2026 for Worldwide and GCC environments. The legacy voting button method remains available until July 31, 2026, after which Actionable Messages Adaptive Cards will be the only supported method.

Source

Microsoft announced on February 12, 2026, a significant change to its Exchange Online PowerShell module: the deprecation of the -Credential parameter for the Connect-ExchangeOnline cmdlet. This change represents part of a broader initiative to enhance security across Microsoft 365 administrative interfaces by eliminating authentication methods that do not support multifactor authentication.

Source

Microsoft is retiring Exchange Web Services (EWS) in Exchange Online, with a phased shutdown beginning October 1, 2026, and complete retirement by April 1, 2027. You must migrate your applications to the Microsoft Graph API before the final deadline to maintain access to Exchange Online mailboxes. This retirement only affects Exchange Online in Microsoft 365 environments and does not impact on-premises Exchange Server installations. Organizations using EWS-dependent applications face service interruptions unless they transition to supported alternatives. The nearly 20-year-old protocol no longer meets modern security, scale, and reliability requirements.

Source