Reconfiguring your Exchange Online integrations for the modern Graph API and removing the Exchange Web Services code is a bit stressful. But EWS to Microsoft Graph migration is crucial, or your users will lose access to their mailboxes permanently after April 2027. I recently completed this complicated switch successfully, so I know its ups and downs.
Here is a quick overview of how to move from EWS to Graph API in Office 365:
- Find out your dependency on EWS (I used the EWS Usage Report for that).
- Register a new app and assign the required permissions.
- Replace the EWS code with Graph API code and implement the modern OAuth 2.0 authentication flow.
- Test the changes and fix any errors if found.
What is EWS and Graph API?
Exchange Web Services (EWS) was introduced with Exchange Server 2007 and is based on SOAP (Simple Object Access Protocol). It uses XML for communication and has been the primary way for external applications to interact with different Exchange components, like mailboxes, calendars, contacts, etc.
Microsoft Graph API is the solution for all the issues with EWS. This modern API works on the principle of REST APIs, and Microsoft is all set to make it the default communication protocol by replacing EWS with it across the entire Microsoft 365 ecosystem. If you haven’t tried it yet, you will love it. It allows you to access data from Exchange Online, Teams, SharePoint, OneDrive, and Entra ID using lightweight JSON.
Why is EWS to Microsoft Graph Migration Unavoidable?
If you are an Exchange admin like me, you already know about the EWS deadline. So saying no is not even an option. You have to migrate from EWS to Graph for the following reasons:
- To Continue Working: The official date for EWS retirement is set. After April of next year, all the applications making use of EWS for Exchange Online will not work.
- New Security Standards: You remember the Midnight Blizzard security incident in 2024; legacy EWS access is one of its culprits. With Graph API and the OAuth 2.0 modern authentication protocol, you are much safer.
- Performance: As I told you above, Graph uses REST and JSON. So, it requires less bandwidth and executes queries faster in comparison to XML in EWS.
- More Functionality: An app using EWS can only access emails and calendars. But after migrating from EWS to Microsoft Graph, your app can read an email, upload attachments to SharePoint, and do much more.
How to Migrate EWS to Microsoft Graph | Step-By-Step Guide
For this transition, you will also need your developers (to update code). You and the coding team must work in multiple phases to get the work done without breaking anything.
Phase 1: Identify where you need to make the changes
Make sure you get this right. I remember skipping a very critical script, which later turned into a nightmare. I suggest you:
- Run the EWS Usage Report: This is the fastest way to get the details you want. Navigate to the Microsoft 365 Admin Center and run the EWS Usage Report.
- Identify Legacy Software: Flag all custom scripts, backup tools, or data recovery utilities that rely on EWS.
- Contact Vendors: For third-party software, instruct the vendor to immediately update or migrate from EWS to a Graph-compatible version.
Phase 2: Get a new App and grant it permissions
- Navigate to Microsoft Entra ID > App registrations and create a new application profile.
- Generate a Client Secret or upload a Certificate. Graph does not accept basic authentication or legacy NTLM.
- Update the legacy EWS permissions to Graph API permissions. Refer to official Microsoft documentation to know which permission to use.
Note: Remember to give the admin consent for the tenant in which you are updating the API to avoid errors like ‘403 Forbidden’ post EWS to Microsoft Graph migration.
Phase 3: Code Update
Now, get your software engineers and let them handle the coding part. Make them:
- Remove all the old SOAP-based libraries and the old EWS Managed API wrapper.
- Integrate the latest Microsoft authentication mechanism, OAuth 2.0.
- Remap EWS operations to modern REST (Graph) endpoints.
Pro Tip: Graph API uses aggressive throttling to avoid overuse of resources. Ask the developers to write code to handle this.
Phase 4: Testing the updates
- After migrating from EWS to Microsoft Graph, run the changes in a controlled sandbox environment.
- Monitor the logs to make sure actions like data access, user login, etc., are working fine.
Note: If you plan to make the changes after October 2026, then create an allow list for your registered apps and add the apps making use of EWS to the list.
EWS vs Graph API | How do they differ?
Review this breakdown to understand the architectural differences between Exchange Web Services and the Graph API and get an idea of what changes to expect when you migrate from EWS to Graph.

| Feature | Exchange Web Services (EWS) | Microsoft Graph API |
| --- | --- | --- |
| Architecture | SOAP (Simple Object Access Protocol) | REST (Representational State Transfer) |
| Data Format | XML (Heavy, strict formatting) | JSON (Lightweight, web-standard) |
| Endpoint | outlook.office365.com/EWS/Exchange.asmx | graph.microsoft.com |
| Scope of Access | Strictly Exchange data | Unified access (Exchange, Teams, SharePoint) |
| Authentication | Basic Auth (legacy) or OAuth | Strictly OAuth 2.0 / MSAL |
| On-Premises Support | Yes (Exchange Server 2016/2019) | No (Exchange Online only) |

What to Do if You Get Errors?
I have tried my best to keep the flow as accurate and error-free as I can. But still, this API migration may hit technical difficulties. Here are the most common errors and their fixes:
1. HTTP 403 Forbidden
This is the most common error that you may get when you migrate EWS to Microsoft Graph. It means your app is authenticated, but Microsoft is blocking the specific request.
- The Cause: Missing scopes or lack of Admin Consent.
- The Fix: Go to Entra ID > App Registrations > API Permissions. Verify the permissions. Also, make sure that the ‘Grant admin consent’ button is clicked.
2. HTTP 429 Too Many Requests
Graph API has much stricter service protection limits than the old EWS. If you hit this, your migration will pause or fail.
- The Cause: Your scripts are making calls too fast, or you are moving too much data at once.
- The Fix: I had my team of developers modify the backend code. They made it so that requests only retry after a specified number of seconds.
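A retry wrapper of the kind the 429 fix above and the Phase 3 pro tip call for, written here as an added example (it is not the author's team's code). It waits for the number of seconds in the `Retry-After` header that Graph sends with a 429 and falls back to exponential backoff when the header is missing; `send`, `scripted_transport` and the sample responses are constructed stand-ins for a real HTTP client.

```python
import time

def retry_after_seconds(headers):
    """Return the Retry-After value in seconds, or None if absent or not numeric."""
    for name, value in headers.items():
        if name.lower() == "retry-after":  # header names are case-insensitive
            try:
                return max(0.0, float(value.strip()))
            except ValueError:
                return None
    return None

def send_with_throttle_handling(send, max_attempts=5, base_delay=1.0,
                                max_delay=60.0, sleep=time.sleep):
    """Call send() until the response is not 429 or the attempts run out.

    send() returns (status, headers, body). The result is (status, body, waits),
    where waits lists the delays taken so callers can log how often they were throttled.
    """
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        if attempt == max_attempts - 1:
            break  # out of attempts: surface the 429 instead of looping forever
        delay = retry_after_seconds(headers)
        if delay is None:
            delay = base_delay * (2 ** attempt)  # fallback: exponential backoff
        delay = min(delay, max_delay)  # cap very long server-requested waits
        waits.append(delay)
        sleep(delay)
    return status, body, waits

def scripted_transport(responses):
    """Constructed stand-in for an HTTP client: replays canned responses in order."""
    queue = list(responses)
    def send():
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return send

# Constructed sample: two throttled responses, then success.
SAMPLE = [(429, {"Retry-After": "3"}, ""), (429, {}, ""), (200, {}, '{"value": []}')]

def demo():
    return send_with_throttle_handling(scripted_transport(SAMPLE), sleep=lambda s: None)

if __name__ == "__main__":
    print(demo())
```
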
3. HTTP 401 Unauthorized
This usually means your token is invalid or has expired.
- The Cause: Incorrect Client Secret, expired certificate, or the token was requested for the wrong resource.
- The Fix: Verify that your Client Secret hasn’t expired, and also verify that the correct Scope parameters are set.
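To tell the 401 and 403 causes above apart, it helps to look at the claims in the access token the app actually received. The following is an added troubleshooting example, not code from the original guide: it decodes the token payload without verifying it and checks expiry, audience and granted permissions. `Mail.Read` as the needed permission, the fixed clock and the three unsigned sample tokens are assumptions constructed for the demonstration.

```python
import base64
import json
import time

# Audience of a Microsoft Graph token: URL form or Graph's well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims):
    """Build a constructed, unsigned sample token (never accepted by any service)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"

def decode_claims(token):
    """Decode the payload WITHOUT verifying the signature: troubleshooting only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, needed_permission, now=None):
    """Return findings: 'expired' and 'wrong_audience' lead to 401,
    'missing_permission' leads to 403."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("expired")
    if str(claims.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        findings.append("wrong_audience")
    # App-only tokens list permissions in 'roles'; delegated tokens in 'scp'.
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    if needed_permission not in granted:
        findings.append("missing_permission")
    return findings

NOW = 1_800_000_000  # constructed fixed clock so the samples are reproducible
LEGACY = make_token({"aud": "https://outlook.office365.com", "exp": NOW + 3600,
                     "roles": ["full_access_as_app"]})  # token still issued for EWS
NO_CONSENT = make_token({"aud": "https://graph.microsoft.com", "exp": NOW + 3600})
EXPIRED = make_token({"aud": "https://graph.microsoft.com", "exp": NOW - 60,
                      "roles": ["Mail.Read"]})

if __name__ == "__main__":
    for name, tok in [("legacy", LEGACY), ("no consent", NO_CONSENT), ("expired", EXPIRED)]:
        print(name, diagnose(tok, "Mail.Read", now=NOW))
```

Log only the findings, never the raw token, since a bearer token in a log file can be replayed until it expires.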
How much time do you have for the migration?
The clock is ticking aggressively. Microsoft has laid out a strict, non-negotiable timeline for Exchange Online tenants:
- June 2026: Microsoft will begin blocking EWS access for users without specific license rights to EWS.
- October 1, 2026: EWS will begin to be disabled globally by default across all Exchange Online tenants.
- April 1, 2027: It’s the final EWS shutdown. Microsoft will permanently block all EWS requests. So, make sure you migrate from EWS to Graph before this date.
Note: This deprecation applies only to Exchange Online. If you run Exchange Server on-premises, EWS will continue to function as usual.
Author’s Verdict on EWS to Microsoft Graph Migration
Do not wait until Q3 of 2026. Start your EWS to Microsoft Graph migration right away with this guide. Be patient as this job requires rewriting code, testing authentication & workflows, and handling the Graph API’s current shortcomings. It may seem like a headache, but it is extremely crucial.
However, in case you already have a new Office 365 tenant (configured for Graph API) and only want to move data from the old tenant to the new one, use the Kernel Office 365 Migration tool. It is advanced software, specially designed for admins, to securely move your Exchange Online, SharePoint Online, OneDrive, and other Office 365 components across different tenants or within the same tenant. Our tool supports Microsoft Graph APIs and modern authentication logins. It is integrated with parallel processing to speed up large-scale data transfers, with high data accuracy and minimal downtime.
Frequently Asked Questions
Have any questions related to EWS to Microsoft Graph migration? Check out these FAQs, in which we have tried to answer the most common user queries related to the migration.
A. If you do not migrate or set up an Allow List, any application trying to connect to your Exchange Online tenant via EWS will receive an access denied error.
A. Yes, currently, you cannot manage public folders, access certain archive mailbox functions, or specific organizational configurations with Graph. But Microsoft is working on it, and you will soon see support for these.
A. No. The EWS deprecation strictly applies to Exchange Online (Microsoft 365). On-premises Exchange servers will continue to support EWS, as Graph API is not natively available for on-premises servers.
A. You must contact the support team of your Exchange backup tool immediately and ask them if they have completed EWS to Microsoft Graph migration.
A. No. Microsoft Graph API requires modern authentication using OAuth 2.0. So, after migrating from EWS to Microsoft Graph, make sure to implement the latest authentication.