Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

[eclipse4ever]

Same issue here; all our customers are seeing this error.
Some few, some many occurrences.
SR: #08038413

[DaStivi]

I see the problem on a customer as well, and the strange thing is we get 100% hit rate on error on the job that does backup of mail and archive, while the job that backups one-drive run 100% successful at the moment.
SR: #08041848

Because only exchange online is affected! MS disables EWS API Thats used for backup of mailboxes...

[ACrispiels]

Same issue here; all our customers are seeing this error.
Some few, some many occurrences.
SR: #08038413

Same here, and it's been going on for far too long now.
And I repeat, opening yet another support ticket won't accomplish anything except unnecessarily burden tech support.

[dhayes16]

Hello... Same issue as everyone else. Random mailboxes and license types. I figured I would upload our logs to see if they help.

SR: #08043261

[andre.simard]

Hi,

Same issue here, and powershell command provided in the KB did not solve the issue for us.

Thank you

[aeph]

Can we expect an update soon?

[DaStivi]

There where reports that a new vb365 version, that leverage rest/graph API, is ready with end of March but this is also some month old news.. not sure how development and testing worked out... Or if there might be some other/new caveats with this methode... At least with graph API there is the well known API-call limitations already from Microsoft they really don't wanna let us backup our own data ...

I hope that veeam can come along with this new version soon to hopefully fix this issues .
And I really don't understand how Microsoft is is changing things even before these dates they announce ...the biggest issue, it's not a service thats.coveres with the license terms.. as the user front end service is running and only some unintended backend isn't you can't penalize MS for service downtimes.. legally they're fine and hence they don't care , no wonder why half of Europe is trying to find a way out of this mess

[electricd7]

Having same issue as well all the sudden on 2 accounts. Haven't opened a Veeam case yet as it seems all that you have are still looing for an answer as well.

[adam_conlon]

I have logged a support ticket, so far the information I have received is as follows:

1. Run the following commands to check if EWS is allowed on for Organization and Mailbox layers
Get-CASMailbox mailbox@address.com | Fl EwsEnabled 

Get-OrganizationConfig | Fl EwsEnabled

2. If the outputs are something different from “True”, enable them using the following cmdlets
Set-OrganizationConfig -EwsEnabled $true

Set-CASMailbox mailbox@address.com -EwsEnabled $true

Please note that the new values could take up to 24hrs to replicate. Once replicated, then try the backup job again. If the job still having the same issue, please share the EwsEnabled parameters output and Fiddler traces.

After checking one of the failing mailboxes for my tenants, I did find that EWS was in fact disabled at the mailbox level but enabled for the org level. I will repeat this process for the remaining failing mailboxes in my other tenants, hopefully tomorrows backups will complete without issue.

This may help.

[athome]

@adam_conlon

1. Run the following commands to check if EWS is allowed on for Organization and Mailbox layers
Get-CASMailbox mailbox@address.com | Fl EwsEnabled 

Get-OrganizationConfig | Fl EwsEnabled

What is the mailbox referred to here? mailboxes with F1/3 license?

For one of my customers having this issue, they point one job for mail and Archive on a entra-id usergroups (with mostly E5 users but some F1 and F3) and this job fails consistently, while another job backup Onedrive for the same group of users run fine. I dont quite understand that refering to the powershell described above.

[ACrispiels]

Hello !
Try this: https://www.veeam.com/kb4820

This fix resolve my problem

PS line:
Install-Module ExchangeOnlineManagement -Scope CurrentUser
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourcompany.pl
Get-OrganizationConfig | Select-Object EwsEnabled

When show this:

EwsEnabled
----------


You must try this:
Set-OrganizationConfig -EwsEnabled $true

Now this command:
Get-OrganizationConfig | Select-Object EwsEnabled

and you must see this:

EwsEnabled
----------
True

Ok, almost 100% up again, regardless of the mailbox license.
How ?
The EwsEnabled setting was... $false again on each tenant !!!...
How is it possible that this setting, checked and rechecked several times just last week, is incorrectly configured again ???!!!...

[tm67]

Microsoft has updated the following post: https://techcommunity.microsoft.com/blo ... ng/4383083
Also have a look at this reply https://techcommunity.microsoft.com/blo ... es/4506001

Basically what it says, you need to have the config on:
organization level: "True" or <null>
and user level: "True" or <null>

As soon as you have either of them on "False", the access will not work. At least this is from microsoft documentation.

[adam_conlon]

@adam_conlon



What is the mailbox referred to here? mailboxes with F1/3 license?

For one of my customers having this issue, they point one job for mail and Archive on a entra-id usergroups (with mostly E5 users but some F1 and F3) and this job fails consistently, while another job backup Onedrive for the same group of users run fine. I dont quite understand that refering to the powershell described above.

In my case, the 365 Exchange backups show mailboxes in the list that fail with the "HTTP" error, these are the "email@mailbox.com" email addresses that you use in the powershell script. In my case, all the mailboxes that were erroring are unlicensed 365 users with shared mailboxes attached.

Once I re-enabled EWS on these mailboxes, the backups worked without issue.

[lmendel]

I have logged a support ticket, so far the information I have received is as follows:

1. Run the following commands to check if EWS is allowed on for Organization and Mailbox layers
Get-CASMailbox mailbox@address.com | Fl EwsEnabled 

Get-OrganizationConfig | Fl EwsEnabled

2. If the outputs are something different from “True”, enable them using the following cmdlets
Set-OrganizationConfig -EwsEnabled $true

Set-CASMailbox mailbox@address.com -EwsEnabled $true

As others mentioned this fixed it for our tenants. One of the affected Tenants had some mailboxes with Ews disabled, despite being enabled on Org level.

[ACrispiels]

Here we go again, a few mailboxes again, at this stage, in two tenants...

[DaStivi]

There is an interesting catch here when trying to re‑enable EWS.
For users licensed with BPOS_S_Deskless (e.g. Business Basic, F1/F3 / Frontline licenses), it is not possible to enable EWS using the command, as the operation is explicitly blocked for this license type. ( Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.EwsEnabled -ne $true } | Set-CASMailbox -EwsEnabled $true)

Write-ErrorMessage: ||Operation failed for identity "xxxx-1ef2-aaa-bbbb-123123452345red" because it is outside the write scope for the current user.

License verification error: Action 'Set-CASMailbox', 'EwsEnabled', cannot be executed for user 'xxxx-1ef2-aaa-bbbb-123123452345red' with license 'BPOS_S_Deskless'.

In C:\AppData\Local\Temp\tmpEXO_jdmv5yho.0w0\tmpEXO_jdmv5yho.0w0.psm1:1191 Characters:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (xxxx-1ef2-aaa-bbbb-123123452345red:ADObjectId) [Set-CASMailbox], InvalidOperationException
+ FullyQualifiedErrorId: [Server=AS8PR04MB7975,RequestId=71e75bee-25c7-08eb-04dc-1a19167738a2,TimeStamp=Tue, 07 Apr 2026 09:46:59 GMT],Write-ErrorMessage

with get-casmailboxplan you'll see also ews is disabled for the plan...

Code: Select all

Get-CASMailboxPlan | ft name,ewsenabled 

Name EwsEnabled
---- ----------
ExchangeOnlineDeskless-117e2a93-47bf-4c78-b7a0-7170e28f1e4c False
ExchangeOnline-c39daff7-798a-4b41-8555-8e6d75c1437c True
ExchangeOnlineEssentials-ee805083-93dd-4557-9905-dce7bb90812e True
ExchangeOnlineEnterprise-f3cba714-6870-4dd5-9374-09f063de7144 True

Although the option can be enabled in the plan settings, these settings should normally be applied when new users are created. However, even after enabling it at the plan level, it does not seem to take effect for existing users.
I haven’t yet tested creating a new Deskless user to verify whether the CAS mailbox plan would then correctly set EwsEnabled to True. Another possibility is that assigning a Deskless license does not fully provision the required mailbox features in the first place.

BUT:
None of these mailboxes were reported as problematic in the VB365 job, which is quite interesting.
Technically, EWS is disabled, so a backup should not be possible — yet Veeam does not raise any warnings or errors. I don’t really understand this behavior at all.

[lmendel]

Here we go again, a few mailboxes again, at this stage, in two tenants...

Same here 4 tenants affected last night, handful of mailboxes in each. Each affected mailbox had EWS disabled, where it worked fine previously.

[DaStivi]

i had costumers that fixed it with the commands... but new customers started to have the issue... so microsoft hasn't rolled out the "fix" to all tenants yet!