# Migration Guide: Exchange Web Services (EWS) to Microsoft Graph API

> [Microsoft is deprecating the Exchange Web Services (EWS) API](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-ews-exchange-online), with full disablement scheduled for October 2026.

## Overview

[Microsoft is deprecating the Exchange Web Services (EWS) API](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-ews-exchange-online), with full disablement scheduled for October 2026.

You must migrate all Exchange integrations that currently use EWS to the Microsoft Graph API to make sure that these continue to function.

## Prerequisites

Before you start the migration, make sure you meet the following requirements:

* **Azure Portal access**: Administrative access to the [Azure portal](https://portal.azure.com/) of your organization.
* **Permissions**: The ability to register applications and grant admin consent in Azure AD.
* **Integration access**: Administrative access to your Communications Mining integrations.
* **Mailbox information**: List of all mailboxes currently connected via EWS integrations.

## Migration process

### Step 1: Identify your current EWS integrations

1. Log into Communications Mining through IXP in Automation Cloud.
2. Navigate to **Settings**, then to the **Integrations** tab.
3. Document all existing Exchange integrations, including:
   * Integration names
   * Connected mailboxes
   * Associated projects

### Step 2: Register an Azure application

If you have not already created an Azure application for Graph API access, apply the following steps:

#### 2.1 Create the application registration

1. Sign into your [Azure portal](https://portal.azure.com/).
2. Navigate to **App Registrations** and select **New Registration**.

   ![App registrations](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-app-registrations-497027-9b0057d2.webp)
   
4. Configure the application as follows:
   * **Name**: Use a descriptive name, for example, `uipath-exchange-graph-integration`.
   * **Supported account types**: Select **Accounts in this organizational directory only (Single tenant)**.
5. Select **Register**.
6. Note down the following values from the application overview page:
   * **Application (client) ID**
   * **Directory (tenant) ID**

#### 2.2 Create a client secret

1. In your application, select **Certificates & secrets** from the left menu.
2. Under **Client secrets**, select **New client secret**.

   ![new client secret](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-new-client-secret-497039-c23e96fe.webp)
   
4. This opens the **Add a client secret** sidepanel. Configure the secret:
   * **Description**: Enter a meaningful description, for example, `Exchange Graph Integration Secret`.
   * **Expires**: Select an expiration period. The recommended option is 12 or 24 months.
5. Select **Add**.
6. Immediately copy the secret **Value** and store it securely.

   ![client secrets](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-client-secrets-497047-93e35dd4.webp)

:::note
Azure displays the secret value only once. If you lose it, you must create a new secret.
:::

#### 2.3 Set API permissions for Microsoft Graph

1. Select **API permissions** from the left menu.
2. Select **Add a permission**.

   ![add a permission](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-add-a-permission-497051-42f7d311.webp)
   
4. Select **Microsoft Graph** under the **Microsoft APIs** tab.

   ![The image shows the options under the Microsoft APIs tab, with a highlight on the Microsoft Graph.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-options-under-the-microsoft-apis-tab-with-a-highlight-on-the-microsoft-graph-550214-9a1efbca.webp)
   
6. Select **Application permissions**.

   ![The image shows the permission options of Microsoft Graph highlighting the Application permissions option.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-permission-options-of-microsoft-graph-highlighting-the-application-permissions-option-560587-7f957155.webp)
   
8. Expand **Mail** and select **Mail.Read**.

   ![The image shows the page for selecting a permission, highlighting the Mail.Read permission.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-page-for-selecting-a-permission-highlighting-the-mail-read-permission-560594-2134c424.webp)
   
10. Select **Add permissions**.
11. Select **Add a permission** again, then select **Microsoft Graph** → **Application permissions**.
12. Expand **MailboxSettings** and select **MailboxFolder.Read.All**.

   ![The image shows the page for selecting a permisson, highlighting the MailboxFolder.Read.All permission.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-page-for-selecting-a-permisson-highlighting-the-mailboxfolder-read-all-permission-550222-c3055057.webp)
   
11. Select **Add permissions**.
12. Returning to the **API permissions** menu, select **Grant admin consent for [Your Organization]**.
13. Select **Yes** in the confirmation dialog.

    ![admin consent](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-admin-consent-571998-ba6851e0.webp)

Your configured permissions should show:

* `Mail.Read` (Application) — green checkmark under **Status**.
* `MailboxFolder.Read.All` (Application) — green checkmark under **Status**.

#### 2.4 Restrict mailbox access (recommended)

For enhanced security, limit the application to access only the required mailboxes. Make sure you follow the Microsoft guide: [Limiting application permissions to specific Exchange Online mailboxes](https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access).

### Step 3: Test your Graph API credentials (recommended)

Before updating your production integrations, test the new Graph API credentials in a separate test integration first.

1. Go to Communications Mining in IXP in Automation Cloud.
2. Navigate to **Settings** → **Integrations** tab.
3. Select **New integration**.
4. Configure the test integration:
   * Select a test project.
   * Enter a clear test name, for example, `Exchange Graph Test` or `[Production Name] - Test`.
5. Fill in the credentials from Step 2:
   * **OAuth Authority**: `https://login.microsoftonline.com/{tenant_id}`
   * **OAuth Client ID**: Your Application (client) ID.
   * **Client Secret**: Your client secret value.
   * **Authentication Method**: Select **With application access**.
   * **API Version**: Select **Microsoft Graph**.
6. Select **Validate and save credentials**.
7. Add the mailboxes used in your production integration. Use a recent start timestamp to limit the amount of data synced initially.
8. Select **Create Integration**.
9. Wait 15–30 minutes for the first sync to complete, then verify that emails are syncing successfully and that no error messages appear on the integration status page.

Once confirmed, proceed to update your production integrations.

### Step 4: Back up your current EWS configuration

Before modifying your production integration, record your current EWS credentials and connection details. This allows you to revert if needed, as credential changes cannot be undone within the platform.

### Step 5: Update your production integration

:::info
If you need to revert, edit the integration and switch the credentials back to your EWS details.
:::

1. Go to Communications Mining in IXP in Automation Cloud.
2. Navigate to **Settings**, then to the **Integrations** tab.
3. Locate the production integration you want to migrate and open its settings.
4. Select the **Credentials** tab, then select **Change Credentials**.
5. Update the following fields:
   * **OAuth Authority**: `https://login.microsoftonline.com/{tenant_id}` — replace `{tenant_id}` with your Azure Directory (tenant) ID.
   * **OAuth Client ID**: Your Application (client) ID.
   * **Client Secret**: Your client secret value.
   * **Authentication Method**: Select **With application access**.
   * **API Version**: Select **Microsoft Graph**.
6. Select **Validate and save credentials** to verify your configuration.

   :::note
   If validation fails, double-check your tenant ID, client ID, and client secret. Ensure admin consent was granted for the API permissions.
   :::
   
8. Select **Save** or **Continue** to apply the updated configuration.
9. Monitor the integration for at least one hour to confirm stable operation and successful email sync.

### Step 6: Update remaining integrations

Repeat Steps 3–5 for each remaining EWS integration in your organization.