Industry Update
EWS Deprecation — What's happening and what to do
Microsoft is retiring Exchange Web Services (EWS) for Exchange Online. If your organisation syncs contacts with PowerShell scripts that rely on EWS, those scripts will stop working. This page explains the timeline, the impact, and a concrete migration path.
Official deprecation timeline
Microsoft first announced EWS deprecation in July 2018 and has progressively tightened restrictions since then. Here are the key dates:
| Date | Event |
|---|---|
| Jul 2018 | Microsoft announces EWS will no longer receive feature updates |
| Jan 2022 | Basic authentication for EWS disabled for new tenants |
| Oct 2022 | Basic auth permanently disabled for all Exchange Online protocols |
| Apr 2023 | ApplicationImpersonation role blocked for new app registrations |
| Feb 2025 | ApplicationImpersonation blocked for all apps (existing included) |
| Oct 2026 | EWS REST API fully decommissioned for Exchange Online — all EWS calls will return HTTP 403 |
Bottom line: Any PowerShell script or tool that calls https://outlook.office365.com/EWS/Exchange.asmx will stop working by October 2026 at the latest. Many are already broken after the February 2025 impersonation lockdown.
What is affected
The deprecation affects any workflow that talks to Exchange Online via the EWS SOAP endpoint. Common examples in the contact-sync space:
- Community PowerShell scripts like EWSContactSync, CopyContactsOnly, or custom
New-EWSContactFolderscripts - Tools built on the EWS Managed API (
Microsoft.Exchange.WebServicesNuGet package) - Any app using
ApplicationImpersonationto access other users' mailboxes - On-premises Exchange hybrid deployments that proxy EWS calls to Exchange Online
What is NOT affected
- On-premises Exchange Server — EWS remains supported for Exchange Server 2019 / Subscription Edition
- Microsoft Graph API — the replacement API is fully supported and actively developed
- CYNC — uses Microsoft Graph from the ground up and is not affected at all
Why Microsoft Graph API is the future
Microsoft Graph is the single unified API for all Microsoft 365 services. It replaces not only EWS but also the Azure AD Graph API and several other legacy endpoints.
| EWS (legacy) | Microsoft Graph | |
|---|---|---|
| Protocol | SOAP / XML | REST / JSON |
| Auth | Basic auth (removed), OAuth + Impersonation | OAuth 2.0 with granular scopes |
| Permissions | All-or-nothing impersonation | Fine-grained application permissions per API |
| Contact access | ApplicationImpersonation (blocked Feb 2025) | Contacts.ReadWrite application permission |
| Status | Being retired (Oct 2026) | Actively developed |
| SDK | EWS Managed API (archived, no updates) | Microsoft Graph SDK (.NET, Python, JS, etc.) |
Your migration options
If you currently use an EWS-based approach to push company contacts into employee mailboxes, you have three options:
Rewrite your scripts to use Microsoft Graph
Replace every EWS SOAP call with the equivalent Graph REST call. This requires re-implementing authentication (certificate or client-secret based OAuth), contact CRUD operations, delta-sync logic, and error handling.
Effort: High — typically weeks of development, testing, and rollout.
Use a cloud-hosted SaaS product
Several cloud-based contact-sync services exist (CiraSync, sync.blue, etc.). They handle the Graph API integration for you, but your directory data leaves your network and is processed on third-party servers.
Trade-off: Convenience vs. data sovereignty. Typically $3–$5 per user per month.
Switch to CYNC — on-premise, Graph-native
CYNC runs as a Windows Service on your own infrastructure. It talks directly to Microsoft Graph with certificate-based authentication, syncs contacts into the standard Contacts folder, and keeps all data on-premise.
- ✓Built on Microsoft Graph — not affected by EWS retirement
- ✓On-premise — directory data never leaves your network
- ✓Certificate-based auth — no shared secrets
- ✓From €0.29/user/month — a fraction of cloud alternatives
- ✓10-user free tier — test with your real tenant, no credit card
How CYNC replaces your EWS scripts
Where legacy scripts typically run as a scheduled task calling EWS, CYNC is a Windows Service that runs continuously and uses Microsoft Graph:
| Capability | EWS script | CYNC |
|---|---|---|
| API | EWS SOAP (deprecated) | Microsoft Graph REST |
| Execution | Scheduled task (runs periodically) | Windows Service (always running, configurable interval) |
| Sync logic | Full replace on each run | Delta sync — only changes are written |
| Contact folder | Custom folder under MsgFolderRoot | Standard Contacts well-known folder |
| Correlation | Display name matching (fragile) | Open Extensions with stable IDs (com.itbaer.cync) |
| Admin UI | None — console output | WinUI 3 dashboard with live progress |
| Logging | Text files (if any) | Structured logs (Serilog, rolling files) |
Getting started
Switching from an EWS script to CYNC takes about 20 minutes:
Clean up old EWS contact folders
Run the cleanup script from the EWS Migration guide to remove the non-standard folders created by your old script. This prevents duplicate contacts.
Install CYNC
Download the installer and follow the Getting Started guide. CYNC installs as a Windows Service — no manual scheduling needed.
Register an Entra ID app
Create an app registration with Contacts.ReadWrite application permission and certificate authentication. The Entra ID Setup guide walks you through every step.
Run your first sync
Open the CYNC dashboard, connect your tenant, select target users, and trigger a sync. Contacts appear in the standard Contacts folder — visible in Outlook, Teams, and mobile devices immediately.
Disable your old scheduled task
Once you've confirmed CYNC is syncing correctly, disable or remove the old EWS script from Task Scheduler. You're done.
Frequently asked questions
Will EWS still work for on-premises Exchange?
Yes. The EWS deprecation only applies to Exchange Online. On-premises Exchange Server 2019 and Exchange Server Subscription Edition continue to support EWS. However, if you plan to move mailboxes to Exchange Online in the future, migrating to Graph API now avoids a second migration later.
Can I keep my EWS script running until October 2026?
It depends. If your script uses ApplicationImpersonation, it broke in February 2025 when Microsoft blocked that role for all apps. Scripts using delegated permissions may still work but will fail when EWS is fully decommissioned in October 2026.
Does CYNC work without internet?
CYNC requires outbound HTTPS access to Microsoft Graph endpoints (graph.microsoft.com and login.microsoftonline.com). No inbound ports need to be opened. All processing and data storage happens locally on your server.
What about Outlook for Mac and Outlook on the Web?
CYNC writes contacts to the Exchange Online mailbox via Graph API. Those contacts are visible in every Outlook client (Windows, Mac, Web, mobile) and in Microsoft Teams — anywhere that reads the default Contacts folder.
How is CYNC different from CiraSync?
CiraSync is a cloud-hosted service — your directory data is processed on their servers. CYNC runs on your infrastructure, so data never leaves your network. CYNC also costs significantly less: from €0.29/user/month. CiraSync doesn't publish pricing, but figures widely reported online put it around $5/user/month. See pricing →
Ready to move off EWS?
Start with the free tier — 10 users, no credit card, no time limit.