Migration from EWS delegated to Microsoft Graph application-only access
Introduction
Microsoft has announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online. As a result, delegated authentication for accounts with impersonation permissions will no longer be supported starting February 2025.
To ensure long-term compatibility with RG Email Sidebar and Sync Engine, we recommend transitioning from EWS delegated access to one of the following connection types:
- Application-only (app-only) access for EWS
- Application-only (app-only) access for Microsoft Graph
The choice of connection type depends on the systems and services your organization relies on. Both options provide secure, scalable access to corporate mailboxes and comply with Microsoft’s modern authentication standards. For more information, see Authentication differences between Exchange Web Services (EWS) and Microsoft Graph.
This guide focuses on configuring app-only access for Microsoft Graph, ensuring secure, seamless, and future-ready integration with RG Email Sidebar and Sync Engine.
Application-only vs. delegated connection type
Delegated access: With delegated access, the app acts on behalf of a user. When a user logs into the app and accesses a resource (e.g., the MS Graph API), the app “borrows” the user’s identity and permissions to perform actions.
Application-only access: With app-only access, the app uses its own identity to access resources directly. It does not rely on individual user credentials or permissions and operates independently. Admin authorization is required to grant access, and the app’s permissions are not limited to any single user’s scope.
In simple terms:
- Application-only access gives the app its own master key to access resources.
- Delegated access allows the app to use individual keys tied to each user.
Prerequisites
Before migrating to Microsoft Graph application-only access, ensure you have the following:
- Microsoft Entra admin access: Administrative access to the Microsoft Entra admin center (formerly Azure AD portal) to register and grant permissions for the RG application.
- Admin access to the RG admin panel: Platform administrator or profile administrator rights to complete the configuration.
Migration guide
To migrate from EWS delegated to Microsoft Graph app-only access for RG Email Sidebar and Sync Engine, follow these steps:
- Log in to the RG Admin Panel and open the Profiles tab.
- Locate your profile, open it, and go to the Connectivity subtab.
- In the Email configuration section, in the Mailbox access type menu, select Microsoft 365 OAuth (Graph API) - App-Only logon.
- Click Connect account. This will open the Office 365 OAuth dialogue.
- Enter the Microsoft 365 admin credentials to grant permissions for Microsoft Graph app-only access.
- In the permissions authorization dialog, click Accept to confirm. Once successful, the Email configuration widget will display Connected.
Note
Once you accept the permissions request, the Revenue Grid (formerly Revenue Inbox) application is automatically registered in your Microsoft 365 tenant with the required permissions. You can manage these permissions in the Microsoft Entra admin center. For detailed instructions on configuring permissions, refer to Grant tenant-wide admin consent to an application.
- In the Email configuration section, click Check users’ impersonated access to verify connectivity.
All user accounts assigned to the profile will now be reconfigured to use Microsoft Graph app-only access. A list showing each user’s connection status will appear.
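After admin consent, it is worth reviewing exactly which application permissions the tenant now holds for the registered app, since app-only grants are not scoped to a single user. The following is an added example, not Revenue Grid's or Microsoft's code: it assumes you have exported the app's `appRoleAssignments` and the resource service principal's `appRoles` from Microsoft Graph as JSON. The app name, ids, and permission names in the sample are constructed placeholders and do not describe what Revenue Grid actually requests.

```python
import json

# Graph permission families that act on mailbox data. Granted as application
# permissions they cover every mailbox in the tenant, not one signed-in user.
MAILBOX_FAMILIES = {"Mail", "Calendars", "Contacts", "MailboxSettings"}

# Constructed sample: the "value" array of
# GET /servicePrincipals/{id}/appRoleAssignments for the consented app.
ASSIGNMENTS = json.loads("""[
  {"principalDisplayName": "Example Sync App", "resourceId": "sp-graph",
   "resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0001"},
  {"principalDisplayName": "Example Sync App", "resourceId": "sp-graph",
   "resourceDisplayName": "Microsoft Graph", "appRoleId": "role-0003"},
  {"principalDisplayName": "Example Sync App", "resourceId": "sp-graph",
   "resourceDisplayName": "Microsoft Graph", "appRoleId": "role-9999"}
]""")

# Constructed sample: appRoles published by each resource service principal,
# keyed by its object id (placeholder ids, not real GUIDs).
RESOURCE_ROLES = json.loads("""{"sp-graph": [
  {"id": "role-0001", "value": "Mail.ReadWrite"},
  {"id": "role-0002", "value": "Calendars.ReadWrite"},
  {"id": "role-0003", "value": "User.Read.All"}
]}""")


def audit_app_only_grants(assignments, resource_roles):
    """Resolve each appRoleId to its permission name and flag mailbox-wide grants."""
    findings = []
    for a in assignments:
        names = {r["id"]: r["value"] for r in resource_roles.get(a["resourceId"], [])}
        perm = names.get(a["appRoleId"])  # None: role id not published by the resource
        findings.append({
            "app": a["principalDisplayName"],
            "resource": a["resourceDisplayName"],
            "permission": perm or "UNRESOLVED:" + a["appRoleId"],
            "mailbox_wide": bool(perm) and perm.split(".", 1)[0] in MAILBOX_FAMILIES,
            "needs_review": perm is None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_app_only_grants(ASSIGNMENTS, RESOURCE_ROLES):
        tag = "REVIEW" if f["needs_review"] else ("MAILBOX-WIDE" if f["mailbox_wide"] else "ok")
        print(f"{tag:12} {f['app']} -> {f['resource']}: {f['permission']}")
```

Rows tagged MAILBOX-WIDE are the grants to compare against what the integration needs; rows tagged REVIEW reference a role id that the exported resource data does not explain.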
Troubleshooting
If mailbox authentication issues occur after migration, ensure the connectivity verification step has been completed:
- Open the Connectivity subtab.
- Click Check users’ impersonated access in the Email configuration widget.
If the issue persists, contact our support team for further assistance.
FAQs
Will this change affect user experience?
No, switching to Microsoft Graph app-only access will not impact the end-user experience. RG Email Sidebar and Sync Engine will continue to function seamlessly, providing access to emails, calendars, and other Microsoft 365 resources. The change only affects how the application connects to Microsoft 365 on the back end, improving security and scalability.
How does this impact security?
Switching to app-only access improves security by eliminating the need for user credentials and impersonation rights. The app operates using its own identity, reducing the risk of unauthorized access and aligning with Microsoft’s modern authentication standards.
Can I switch back to EWS impersonation?
No. Although EWS impersonation remains available until the ApplicationImpersonation RBAC role in Exchange Online is retired in February 2025, RG Email Sidebar and Sync Engine do not currently support migrating from MS Graph back to an EWS connection.
If you need to return to EWS delegated access and do not have any custom configurations on your profile, we recommend:
- Deleting the current MS Graph profile.
- Creating a new profile with the EWS delegated connection type.
- Reprovisioning users to the new profile.
For detailed instructions, see How to set up sync via impersonation & configure user mailboxes.
If you have custom configurations on your profile, please contact our support team for assistance before taking any action.
See also
- Understanding application-only access
- Authentication differences between Exchange Web Services (EWS) and Microsoft Graph
- Using MS Graph connectivity type to work with Microsoft 365 data
- Migration from delegated to application-only access for Exchange Web Services (EWS)