Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

[Dagr]

Would be nice if someone at Veeam could list the affected licenses in https://www.veeam.com/kb4796 instead of
"To resolve this issue, ensure that a supported Microsoft 365 plan that includes full Exchange Online and Graph API support is used ".

[track1044]

@Polina,
I'm hoping you can help clarify some concerns around kb4796 and the October 2026 EWS deprecation timeline.
We're trying to plan ahead and need to understand whether KB4796 was based on confirmed Microsoft guidance or if it was a response to what turned out to be a temporary issue that has since self-resolved.

The KB states these licenses need to support Graph API, but the Microsoft documentation linked in the KB itself just shows that these licenses don't have EWS access—the other Microsoft documentation shows all licenses support Graph API.
This makes it look like an EWS availability issue rather than a Graph API support issue.
Your comment about RnD "researching a longer term solution" combined with "no certainty it won't reoccur" suggests the Graph API implementation might not be fully ready to replace EWS yet.
With October 2026 bringing global EWS deprecation, we're concerned about whether this same scenario will happen again but permanently.
Is the KB addressing a licensing gap or a transitional state while Veeam completes the EWS to Graph migration?

For planning purposes, our clients would collectively need to spend roughly 1.5 million US dollars yearly to upgrade all affected licenses based on KB4796's guidance.
We need to understand whether this is a permanent licensing requirement or a temporary workaround while the Graph API transition is completed. Any clarity you can provide on the roadmap and timeline would be incredibly helpful for our client planning.

[Polina]

Hi David,

We plan to fully switch from EWS to Graph well before the planned deprecation date. Veeam's RND is already working on it.
Graph support for those currently impacted limited licenses still needs to be confirmed by our engineering, but the current assumption indeed is that it'll do the job.
The "HTTP request was forbidden" issue seems to be self-resolved atm, but our RND keeps monitoring and investigating it. If it re-occurs, KB4796 will remain relevant - atm, we cannot see any other and more suitable workaround.

[cc-kyle]

Having similar issues intermittently with a shared mailbox. We'll get the 'anonymous' error in the evening run of the job, but it will go through without complaint in the morning run. Doesn't seem like that makes much sense if it's a license issue...

Case # 03485895

[Patrik87]

Same issue here to.
Yesterday 2 mailboxes, today 7.

2 of them has Exchange Kiosk Online license - should not work.
Rest of them has F3 licenser activated..
Case number: 07898202

Can also verify that our failed mailboxes are fine today.
Veeam needs to work on a solution with MS because EWS will be disabled under 2026...

[DHuppertz]

I can also confirm that bakups from all customers were fine last night

[Dagr]

Also confirming the issue was resolved.

[Zoddo]

Microsoft has started to send messages center communication regarding deprecation of EWS access for Kiosk / F1 / F3 licences starting on March 1, 2026.
The communication points to this blog article: https://techcommunity.microsoft.com/blo ... rs/4474299

What are the Veeam's plans for this new deadline?

[zer0]

Update to EWS Access for Kiosk / Frontline Worker Licenses
We're making some changes to Exchange Web Services (EWS).
Starting March 1, 2026, we will start to block EWS access for all mailboxes without license rights to EWS. This is another step in our ongoing commitment to enhance the security and control mechanisms of EWS.
How this will affect your organization:
The impacted licenses are:
• Exchange Online Kiosk
• Microsoft 365 and Office 365 F1
• Microsoft 365 and Office 365 F3
As stated in the Service Descriptions, these licenses do not provide access to mailboxes via EWS, but these restrictions were never enforced. With this change, EWS access for users with only these license types will be blocked.
What you need to do to prepare:
If you wish these users to continue to use EWS, and your users are licensed with one of these noted above, you’ll need to assign a new license, one containing EWS access rights. For example, you could assign an Exchange Online Plan 1 or 2 license, or a Microsoft 365 or Office 365 E3 or E5 license.
Starting March 1, 2026, requests to use EWS without a suitable license will result in a HTTP 403 response.
Learn more: Update to EWS Access for Kiosk / Frontline Worker Licensed Users
View in the Microsoft 365 admin center