Exchange Online Moves Closer to Dumping EWS
Change to Dedicated Exchange Hybrid App Paves Way to Graph APIs
I don’t know why Microsoft publishes important information at the start of a holiday weekend when the distraction level is high, but that’s just what they did when making a critical announcement for organizations running hybrid Exchange. As it turns out, the announcement is linked to the April 2025 Exchange Server hotfix update (HU), but I think releasing both pieces of news would have been fine once everyone was back at work after the Easter break.
The announcement outlines how Exchange hybrid configurations are dropping Exchange Web Services (EWS) in a two-phase process beginning with the release of the April 2025 HU. It’s part of the strategy to retire EWS from Exchange Online in October 2026.
Preserving Rich Coexistence
In a hybrid organization, Exchange Online uses EWS for “rich coexistence.” In other words, Exchange Online issues EWS commands to fetch free/busy data, mail tips, and user profile pictures for on-premises mailboxes. The EWS requests to fetch data are made by a first-party Microsoft enterprise app called Office 365 Exchange Online, which is present in every tenant that uses Exchange Online. Requests from Teams to fetch similar data for on-premises mailboxes also flow through the Office 365 Exchange Online app.
Microsoft’s announcement says that the Office 365 Exchange Online app is created by the Hybrid Configuration Wizard (HCW). HCW certainly updates the app’s service principal, but the app itself isn’t tied to HCW. For example, one use of the app is to hold Exchange Online permissions that can be assigned to other service principals, such as when an Azure Automation account needs to run Exchange Online PowerShell cmdlets.
Microsoft wants to remove EWS. However, instead of using another first-party enterprise app that’s controlled and managed by Microsoft, tenants are required to create an Entra ID registered app. Like any other Entra ID app, the app (with a display name of ExchangeServerApp-{organization identifier}) can hold the Graph permissions needed to access mailbox and other data. Or rather, the app’s service principal can hold the permissions. Microsoft calls this app the “dedicated Exchange hybrid app.”
When first presented with the idea that tenants had to create individual apps, my response was that it should surely be easier for all to have a dedicated first party app where Microsoft manages the app and its permissions. In their text, Microsoft justifies their decision as follows:
Consider the upcoming shift from EWS to Graph API calls: adjustments to the application will be necessary (for example, updating API permissions). A dedicated customer application allows customers to choose when they want to transition from EWS API permissions to Graph API permissions.
The reason why a tenant-specific registered app is used is therefore to allow individual customers to choose when they move from EWS to Graph API. This is valid and I can see how the flexibility to move at the time of a customer’s choosing is useful. It seems like Microsoft is saying that a centrally-managed enterprise app can’t be used because of the requirement to switch permissions from EWS to Graph. However, there’s nothing to stop an enterprise app from holding both EWS and Graph permissions for a period, after which the EWS permission is removed. That ship has sailed and the registered app is the way forward.
Step One: Switch Apps
The first step in the process requires tenants to apply the April 2025 HU. After updating servers, tenants can run the ConfigureExchangeHybridApplication.ps1 script to switch their configuration from the current setup to the dedicated Exchange hybrid app. The script is run once per organization. After switching, EWS is still used, but it’s routed through the dedicated Exchange hybrid app rather than the Office 365 Exchange Online app.
Microsoft says that they plan to release an updated version of the HCW in the second quarter of 2025 (soon). If a tenant runs the updated HCW, it will switch the apps.
Step Two: Switch to Graph
The second step depends on availability of Graph API support for coexistence with Exchange Server. When the software is available, tenants must apply server updates to enable servers to respond to Graph API requests. Being able to handle Graph requests for mailbox data is not the same as the wider and deeper Graph access available within Microsoft 365.
After upgrading servers, tenants can run the script again to switch the dedicated Exchange hybrid app from EWS permissions (which essentially allow unfettered access to mailboxes) to a set of more granular Graph permissions that limit the app to more precise and restricted access. The elimination of the broad access to mailboxes enjoyed by EWS is one of the primary driving factors behind the desire to retire EWS from Exchange Online. This phase must be completed by 1 October 2026 (Figure 1). If not, rich coexistence will stop working.
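Because the whole point of the two-phase process is which permissions the dedicated Exchange hybrid app’s service principal holds, it is worth being able to audit that state yourself between the phases. The following script is an added example written for this article, not Microsoft’s ConfigureExchangeHybridApplication.ps1; it assumes the Microsoft Graph PowerShell SDK is installed, that the app’s display name follows the ExchangeServerApp- prefix described above, and it classifies each application permission by the resource it targets (the Office 365 Exchange Online resource for the EWS-era grant, Microsoft Graph for the phase-two grant).

```powershell
# Added example (not Microsoft's script): audit the dedicated Exchange hybrid app's
# service principal and report which resource each application permission targets.
# Assumes the Microsoft Graph PowerShell SDK and a caller able to read app registrations.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Well-known application ids of the two resources the hybrid app's permissions can target.
$ExoResourceAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online (EWS permissions)
$GraphResourceAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

# Display-name prefix as described in the article (ExchangeServerApp-<organization identifier>).
$Apps = Get-MgApplication -Filter "startswith(displayName,'ExchangeServerApp-')" -All
if (-not $Apps) {
    Write-Warning 'No dedicated Exchange hybrid app found: the switch from the Office 365 Exchange Online app has not been made.'
    return
}

foreach ($App in $Apps) {
    $Sp = Get-MgServicePrincipal -Filter "appId eq '$($App.AppId)'"
    if (-not $Sp) { Write-Warning "$($App.DisplayName): registration exists but has no service principal."; continue }

    # Application permissions are granted as app role assignments on the service principal,
    # so enumerate them and resolve each role id to its name on the resource that defines it.
    $Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -All
    $Report = foreach ($Asg in $Assignments) {
        $Resource = Get-MgServicePrincipal -ServicePrincipalId $Asg.ResourceId
        $Role     = $Resource.AppRoles | Where-Object Id -eq $Asg.AppRoleId
        $Stage    = switch ($Resource.AppId) {
            $ExoResourceAppId   { 'EWS (phase one)' }
            $GraphResourceAppId { 'Graph (phase two)' }
            default             { 'Other' }
        }
        [PSCustomObject]@{
            App        = $App.DisplayName
            Resource   = $Resource.DisplayName
            Permission = $Role.Value
            Stage      = $Stage
        }
    }
    $Report | Format-Table -AutoSize

    # Flag the state the article warns about: still EWS-only ahead of the 1 October 2026 deadline.
    if ($Report.Stage -contains 'EWS (phase one)' -and $Report.Stage -notcontains 'Graph (phase two)') {
        Write-Warning "$($App.DisplayName) holds EWS permissions only; plan the switch to Graph permissions before 1 October 2026."
    }
}
```

Run it once after phase one to confirm the grant moved to the dedicated app, and again after phase two to confirm that the Exchange Online (EWS) permission is gone and only Graph permissions remain.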

Take Your Time
Before doing anything, I suggest you read the announcement, hotfix information, and installation notes for the script. Reviewing the PowerShell code in the script will also help you to understand what it does in different modes.
After applying the April 2025 hotfixes, the next decision is when to switch to the dedicated app. I don’t see any reason not to switch immediately. The bigger decision is when to switch the app to using Graph permissions rather than EWS. This is likely something that you’ll want to do during a scheduled server maintenance period towards the end of 2025, after making sure that everything works well in a test organization, of course.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.