When exactly is EWS being turned off?

Microsoft has announced that Exchange Web Services (EWS) will stop accepting requests from third-party applications for Exchange Online on October 1, 2026. On-premises Exchange Server is not affected by this deadline.

Will my EWS contact-sync PowerShell script still work after October 2026?

No. Any script that authenticates to Exchange Online and calls EWS endpoints (e.g. Exchange.asmx) will start receiving HTTP 403 responses after the cutoff. You must migrate to Microsoft Graph API before that date.

What's the Microsoft Graph equivalent for contact sync?

Use the /users/{id}/contactFolders and /users/{id}/contacts endpoints with the Contacts.ReadWrite application permission. Combine with /users for directory reads (User.Read.All) and delta queries to sync only changed items.

Do I have to rewrite my script from scratch?

If your only use case is GAL-to-contacts sync, the pragmatic option is to replace the script entirely with CYNC — a Windows Service built on Graph API from day one, with delta sync, a dashboard, and silent-install MSI. It covers most admins' use cases out of the box and is free for up to 10 users.

EWS is turning off in October 2026 — what contact-sync admins need to do right now

Hard deadline: EWS stops accepting Exchange Online requests on October 1, 2026. Every EWS-based contact-sync script will fail on that date.

The timeline, exactly

July 2018 — Microsoft announces EWS will receive no new feature updates.
Sep 2022 — Basic Authentication for EWS turned off for Exchange Online.
Oct 2023 — Microsoft announces concrete retirement date.
Oct 1, 2026 — EWS returns HTTP 403 for all third-party apps against Exchange Online.

What breaks on day one

Any tool in your environment that calls https://outlook.office365.com/EWS/Exchange.asmx will fail. The common culprits for contact-sync admins:

Custom PowerShell scripts using Microsoft.Exchange.WebServices.dll.
Community scripts like EWSContactSync, CopyContactsOnly, and similar named variants.
Legacy versions of third-party contact-sync tools that haven’t migrated to Graph yet.
Any signature-management or out-of-office tool still on EWS application impersonation.

Step 1 — Audit what’s still using EWS

Microsoft provides an EWS usage report in the Microsoft 365 admin center under Reports → Usage → EWS usage. Pull the last 90 days and identify:

Every service account that has logged EWS requests.
The source IP(s) — helps you trace which on-prem box is running the script.
The client AppID — tells you which tool is calling.

Step 2 — Pick the right Graph-based replacement

For contact sync specifically, you have three realistic options:

Rewrite your script to use Microsoft Graph’s /users/{id}/contacts endpoint. Doable but time-consuming: you’ll need certificate auth, batching, throttling handling, delta queries, and a monitoring story.
Move to a SaaS like CiraSync or sync.blue. Fast to deploy but your directory data leaves your tenant and pricing is roughly 17× on-prem alternatives.
Install CYNC — a self-hosted Windows Service built on Graph from day one. The first 10 users are free. See the full comparison.

Step 3 — The migration checklist

Regardless of which replacement you pick, the move looks the same:

Create a new Entra ID App Registration with certificate auth and grant application permissions (for CYNC: User.Read.All, Group.Read.All, Contacts.ReadWrite).
Run the new sync tool alongside the old script for at least one full sync cycle to verify parity.
Clean up the stale contact folders created by the old EWS script — they live in a non-standard location under MsgFolderRoot that Graph can’t see. The EWS migration doc includes a cleanup script.
Disable the old scheduled task, remove EWS permissions from the old service account, and revoke any remaining client secrets.
Watch one full week of sync runs in the new tool before decommissioning the old box.

Why most admins pick CYNC for this migration

Microsoft Graph API only — no EWS, no surprises in 2026.
WinUI 3 dashboard — visibility the PowerShell script never gave you.
Delta sync + JSON batching — architected to stay well under Graph throttling ceilings at any tenant size.
Windows Server Core support for headless deployment via RMM tooling.
Free for up to 10 users, €0.18–€0.29/user/month above that.