Migration from delegated to application-only access for Exchange Web Services (EWS)

Introduction

Microsoft has announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online. As a result, delegated authentication for accounts with impersonation permissions will no longer be supported starting February 2025.

To ensure long-term compatibility with RG Email Sidebar and Sync Engine, we recommend transitioning from EWS delegated access to one of the following connection types:

  • Application-only (app-only) access for EWS
  • Application-only (app-only) access for MS Graph

The choice of connection type depends on your organization’s needs. Both options provide secure, scalable access to corporate mailboxes and align with Microsoft’s modern authentication standards. For details, see Authentication differences between Exchange Web Services (EWS) and Microsoft Graph.

This guide focuses on configuring app-only access for EWS to enable secure, seamless, and future-proof integration with RG Email Sidebar and Sync Engine.

Note

Only users with an existing EWS connection type (e.g., end-user or delegated connection) can migrate to EWS application-only access. Migration from MS Graph to EWS is not currently supported.

If you need to migrate from MS Graph to EWS and have no custom configurations on your profile, we recommend deleting the current profile, creating a new one with the EWS app-only connection type, and reprovisioning users. For instructions, see How to configure mailbox access using EWS application-only connection.

If you have custom configurations, please contact our support team before proceeding.


Application-only vs. delegated connection type

Delegated access: With delegated access, the app acts on behalf of a user. When a user signs in and accesses a resource (like the EWS API), the app uses that user’s credentials and permissions to perform actions.

Application-only access: With app-only access, the app uses its own identity to access resources directly. It doesn’t rely on individual user credentials and operates independently. Admin authorization is required to grant access, and the app’s permissions are not limited to any single user’s scope.

In simple terms, application-only access gives the app its own master key to access resources, while delegated access lets the app temporarily use individual keys tied to each user.
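The difference between the two access types is visible in the access token the app presents. The following added example (not Revenue Grid code) decodes a token payload and classifies it. It assumes the Microsoft identity platform conventions that delegated tokens carry an `scp` claim and app-only tokens carry a `roles` claim, and uses Microsoft's EWS permission names `EWS.AccessAsUser.All` and `full_access_as_app`, none of which appear on this page. The sample tokens are constructed and unsigned.

```python
import base64
import json

EWS_APP_ROLE = "full_access_as_app"           # EWS application permission
EWS_DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # EWS delegated permission


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header, body = enc({"alg": "none", "typ": "JWT"}), enc(claims)
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> dict:
    """Report whether a token is delegated or app-only and what it grants."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # delegated: space-separated string
    roles = claims.get("roles", [])          # app-only: list of app roles
    if scopes:
        access, perms = "delegated", scopes
    elif roles:
        access, perms = "app-only", roles
    else:
        access, perms = "unknown", []
    return {
        "access": access,
        "permissions": perms,
        # True when the app itself holds the EWS role, independent of any user.
        "holds_ews_app_role": access == "app-only" and EWS_APP_ROLE in roles,
    }


# Constructed sample claims (placeholder tenant and user, not real values).
BASE = {"aud": "https://outlook.office365.com",
        "tid": "00000000-0000-0000-0000-000000000000"}
DELEGATED = make_sample_token({**BASE, "scp": EWS_DELEGATED_SCOPE,
                               "upn": "user@example.com"})
APP_ONLY = make_sample_token({**BASE, "roles": [EWS_APP_ROLE]})
```

Run against a token captured from your own tenant after migration, `classify` should report `app-only`; anything that makes an authorization decision must also validate the token's signature, issuer and audience.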


Prerequisites

Before migrating to the EWS application-only connection type, ensure the following:

  1. Microsoft Entra admin access: Administrative access to the Microsoft Entra admin center (formerly Azure AD portal) to register and manage the RG application permissions.
  2. RG admin panel access: Platform administrator or profile administrator access to complete the configuration.

Migration guide

To migrate from EWS delegated to EWS app-only access for RG Email Sidebar and Sync Engine, follow these steps:

  1. Log in to the RG Admin Panel and open the Profiles tab.

  2. Locate your profile, open it, and navigate to the Connectivity subtab.

  3. In the Email configuration section, in the Mailbox access type menu, select Microsoft 365 OAuth (EWS API) - App-Only logon.

  4. Click Connect account. This will open the Microsoft 365 OAuth dialog.

  5. Enter the Microsoft 365 admin credentials to grant permissions for EWS app-only access.

  6. In the permissions authorization dialog, click Accept to confirm. If the connection is successful, the mailbox connectivity status in the Email configuration widget will update to Connected.

Note

Once you accept the permissions request, the Revenue Grid (formerly Revenue Inbox) application is automatically registered in your Microsoft 365 tenant with the required permissions. You can manage these permissions in the Microsoft Entra admin center. For detailed instructions on configuring permissions, refer to Grant tenant-wide admin consent to an application.

  7. In the Email configuration widget, click Check users’ impersonated access to verify the connection.

All user accounts assigned to the profile will now be reconfigured to use EWS app-only access. A list showing each user’s connection status will appear.


Troubleshooting

If mailbox authentication issues occur after migration, ensure the connectivity verification step is completed:

  1. Go to the Connectivity subtab.
  2. Click Check users’ impersonated access in the Email configuration widget.

If the issue persists, please contact our support team for further assistance.


FAQs

Will this change affect user experience?

No, switching to the EWS app-only connection type does not impact the end-user experience. RG Email Sidebar and Sync Engine will continue to function as before. The change only affects how the app connects to the mail server, making the process more secure and compliant.

How does this impact security?

App-only access eliminates the need for user credentials and impersonation rights. The app uses its own identity to access resources, reducing security risks and aligning with Microsoft’s modern authentication standards.

Can I switch back to EWS impersonation?

Reverting to EWS impersonation is technically possible until February 2025, but we do not recommend it. Microsoft will retire the ApplicationImpersonation RBAC role, and support for delegated access will end. Transitioning to app-only access ensures long-term security and compatibility.

