TRY NOW
book meeting
BACK TO KB LIST

The HTTP request was forbidden with client authentication scheme

KB ID: 4796
Product: Veeam Data Cloud for Microsoft 365
Veeam Backup for Microsoft 365
Published: 2025-11-25
Last Modified: 2026-04-08
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Challenge

Microsoft 365 backups display the following error:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

This error typically occurs when specific mailboxes are accessed during backup jobs.

Cause

It was confirmed on March 27th, 2026, that Microsoft recently applied a patch to correct how Exchange Online enforces Exchange Web Services (EWS) access. Previously, some environments were able to access mailboxes via EWS even when it was not explicitly enabled (i.e., $Null status). After Microsoft corrected this behavior, EWS must now be explicitly enabled at both the organization and mailbox levels for backups to succeed.

For more information, please reference: The way to control EWS usage in Exchange Online is changing


For details about the occurrence of this issue from December 2025, please refer to the More Information section at the bottom of this article.

Solution

Microsoft provides training resources for utilizing PowerShell to manage Exchange Online:
Microsoft Learning Center: Manage Exchange Online by using Windows PowerShell

To address the root cause of the problem, confirm and configure EWS access to be explicitly enabled at both the organization and mailbox level:

  1. Review the EWS enablement status at both the Organization and Mailbox level using the following PowerShell commands:
#Get the organization's EwsEnabled state.
Get-OrganizationConfig | Fl EwsEnabled
#Get all mailboxes where EwsEnabled state is not set to $true.
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.EwsEnabled -ne $true } | Select-Object Identity, PrimarySmtpAddress, EwsEnabled
  1. If the output results for either org or mailbox are anything other than an explicit True, access via EWS must be enabled using the following commands:
#Set the organization's EwsEnabled state to $true.
Set-OrganizationConfig -EwsEnabled $true
#Bulk set EwsEnabled to $true for all mailboxes where it is not already set to $true.
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.EwsEnabled -ne $true } | Set-CASMailbox -EwsEnabled $true
If preferred, mailboxes may be individually modified using the following command: 
#Granularly set a single mailbox's EwsEnabled state to $true
Set-CASMailbox mailbox@address.com -EwsEnabled $true
  1. Wait. The new values may take up to 24 hours to replicate and take effect.
  2. Re-check the backup job again

More Information

Similar Issue from December 2025

Challenge

Microsoft 365 backups display the following error:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

This error typically occurs when specific mailboxes are accessed during backup jobs.

Cause

Following a coordinated investigation with Microsoft, we have confirmed that certain subscription plans, such as Exchange Online Kiosk and similar limited-service SKUs, may not support the API required by Veeam Backup for Microsoft 365.

As a result, calls to the API return an HTTP 403 Forbidden error, causing backup jobs to fail.

Solution

Status: This issue is resolved as of December 2025.
Issue Root Cause: Mailboxes licensed with Exchange Online Kiosk, Microsoft 365, and Office 365 F1, and Microsoft 365 and Office 365 F3, were temporarily blocked from accessing the API used by Veeam for backup operations. The access has been restored, and the issue has been resolved.

For more information, please refer to the following Microsoft article: Update to EWS Access for Kiosk / Frontline Worker Licensed Users.

Veeam R&D continues to work closely with Microsoft on the upcoming deprecation of the EWS API. A future update will address these changes. A Veeam Support Statement regarding EWS deprecation is available on KB4820.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.