Migration from EWS to Graph API

ApplicationImpersonation will stop working on Microsoft 365 Exchange service accounts from February 2025 which will stop EWS Service Accounts from successfully syncing M365 calendars. You can read more about this via Microsoft’s announcement.

Therefore, you will need to migrate your EWS apps that access Exchange Online to Graph API before this date to avoid any interruption to your connections. To do this, you need to follow our ‘Migrate from EWS to Graph API Flow’.

Before you migrate: #

Before migrating, you will need to:

• Configure the same limited access rules to the new Graph service account as previously configured for the Exchange service account. This must be completed before connecting via Graph, otherwise Cronofy may be able to sync data for more accounts than we did previously. You can see how to do this via the ‘Do I need to setup any permissions before migrating?’ section.

• Ensure the account you use to authorize the M365 tenant to our Graph API application is an administrator of your Microsoft 365 tenant.

How to migrate your EWS application: #

Your IT Admin will need to migrate your existing EWS connection to use the new Graph API connector. This be can done using our Migrate from EWS to Graph API Flow. This will create a new Graph Service Account for your tenant which will ensure your existing services connected through Cronofy continue to work. To do this:

1. Log into to see your EWS application using the existing EWS service account credentials, by selecting the relevant data center link below:

• https://app.cronofy.com/enterprise_connect/authorizations
• https://app-au.cronofy.com/enterprise_connect/authorizations
• https://app-ca.cronofy.com/enterprise_connect/authorizations
• https://app-de.cronofy.com/enterprise_connect/authorizations
• https://app-sg.cronofy.com/enterprise_connect/authorizations
• https://app-uk.cronofy.com/enterprise_connect/authorizations

2. If you have a pending migration to Graph API, you will see the ‘Migrate to Graph API’ button.

3. Once clicked, you will see a page with a button ‘Connect Graph Service Account’ to start the migration flow.

4. Accept the new Graph API permissions to authorize the new application.

5. Once successfully migrated you will see a message stating ‘Successfully connected Graph Service Account’.

Are any connection types that do not need to migrate? #

Use cases that do not use ApplicationImpersonation will not be affected by this change, this includes:

• Free-busy-only Enterprise Connect connections
• Individual Connect connections

On-premise connections are also unaffected.

Do I need to setup any permissions before migrating? #

If you have setup Impersonation access with Distribution Groups, you will need to ensure that you configuring an ApplicationAccessPolicy within your Office 365 Exchange tenant with the users to which you wish to restrict access instead. This will ensure that the new Graph API application will have the same access as the previous Exchange application.

Errors #

If you experience any errors when trying to migrate the EWS application to Graph API, please refer to the common errors below. If you are still experiencing issues, please reach out to us at support@cronofy.com.

Selected user account doesn’t exist in tenant

This occurs if you attempt to connect a Graph Service Account for a different tenant than the one that was previously connected using Exchange. You need to go back and select an administrator account that exists in the same tenant as the Exchange Service Account that you’re trying to migrate.

Admin consent failed

This occurs when the account you have selected during the migration doesn’t have admin permissions required to authorize the M365 tenant to the new application. You need to go back and select an account that has administrator permissions in the tenant that you’re trying to migrate.