Skip to main content
  1. ContactMonkey Help Center
  2. Integrations
  3. Distribution List Expansion

Migrating to GroupMember.Read.All and the Exchange Online Admin API

Microsoft has announced the formal retirement of Exchange Web Services (EWS) for Exchange Online. To ensure our customers experience zero disruption in service—particularly for advanced features like Distribution List (DL) expansion—ContactMonkey is proactively migrating to the new Exchange Online Admin API.

We are also significantly reducing our Microsoft Graph access from broad directory permissions (Directory.Read.All) to targeted group membership access (GroupMember.Read.All). This ensures ContactMonkey only accesses the specific data required for your distribution list expansions.

What is happening with EWS?

Microsoft is phasing out legacy EWS in favour of more secure, modern REST-based APIs.

How we are mitigating this

ContactMonkey is implementing support for the Exchange Online Admin API. By performing a re-authentication now, you are proactively preparing your tenant for this transition. While this API is currently in a preview phase, this step ensures your organization is positioned for a seamless migration once the full version is released.

What is the Exchange Online Admin API?

The Exchange Online Admin API is a modern interface designed to handle specific administrative tasks that were previously only possible through EWS or PowerShell.

How ContactMonkey uses it:

We utilize this API to maintain high-performance directory features, including:

  • Distribution Group Expansion: Accurately expanding and counting memberships for both standard and dynamic distribution groups.
  • Mailbox & Group Insights: Viewing mailbox properties and group memberships to ensure your emails reach the right recipients.
  • Read-Only Access: This API allows us to perform these checks with the minimum permissions required, adhering to security best practices.

Steps to Prepare Your Tenant

To enable this transition, your IT team will need to grant a specific permission and assign a read-only role to the service account used for the integration.

1. Assign the RBAC Role (Exchange Admin)

To ensure the API can read the necessary group data, the service account requires the following Role-Based Access Control (RBAC) role assigned within the Exchange Admin Center:

  • Role: View-Only Organization Management

Assign View-Only Exchange Role

Before granting API access, you must ensure the service account has read-only access to Exchange data.

  1. Open the Exchange Admin Center.
  2. Navigate to Roles > Admin roles.
  3. Search for and select View-Only Organization Management.
  4. Click the Assigned tab, search for and add your Service Account.

Learn more about Role-based Permissions on Exchange Online.

Note: This is a read-only role. It allows ContactMonkey to see mailbox and group memberships but does not grant permission to modify settings, delete data, or read email content.

2. Update API Permissions (IT Admin)

Your IT Administrator must update the ContactMonkey app registration in the Microsoft Entra ID (Azure AD) portal with the following scope:

API Resource Permission Type Scope
Office 365 Exchange Online Delegated Exchange.ManageV2
Microsoft Graph Delegated GroupMember.Read.All

To enable the Exchange.ManageV2 permission, please use the Admin Consent URL for the region your ContactMonkey data is stored in:

  1. US Region
  2. CA Region
  3. EU Region
  4. AU Region

Alternatively, follow the steps below to manually add the Exchange.ManageV2 and GroupMember.Read.All permissions in your Entra ID admin portal:

  1. Go to the Microsoft Entra admin center and sign in with your Global Administrator or Privileged Role Administrator credentials.
  2. On the left sidebar, navigate to Entra ID > App registrations.
    1. Select the All applications tab and search for the ContactMonkey application.
    2. Click on it to open its overview page.
  3. In the left-hand menu of the application page, click on API permissions.
    1. Click the + Add a permission button.
    2. In the "Request API permissions" pane, look for the APIs my organization uses tab.
  4. For Graph: Select Microsoft Graph (since GroupMember.Read.All is a Graph permission)
    1. Choose Delegated permissions.
    2. Search for GroupMember.Read.All in the search box.
    3. Check the box next to it and click Add permissions.
    4. Then back on the API permissions page, click Grant admin consent for [Your Organization Name] and confirm.
  5. For Exchange Admin: Search for Office 365 Exchange Online and select it.
    1. If you don't see Office 365 Exchange Online in the immediate list of APIs, it's usually because it is tucked away in a specific tab or requires a search for its Resource ID.
      1. Try searching for the Application ID directly: 00000002-0000-0ff1-ce00-000000000000.
    2. Select Delegated permissions. In the search box, type Exchange.ManageV2.
    3. Check the box next to that permission and click Add permissions at the bottom.
    4. Once added, you will see the permission listed, but it may have a status of "Not granted."
      1. Click the button that says Grant admin consent for [Your Organization Name].
      2. Select Yes to confirm. The status should now show a checkmark.

3. ContactMonkey "Flips the Switch"

Once administrative consent is granted, contact our Support team at support@contactmonkey.com. They will manually disable the legacy Directory.Read.All permission for your account.

  • Note: This step must be completed before Step 4 can take place.

4. Account Reconnection

Once Support confirms the change from Step 3, a ContactMonkey admin must navigate back to Settings → Integrations:

  1. Graph Utility Tile: Click "Sign Out," then "Connect" again.
  2. Exchange Admin Utility Tile: Locate this new tile (beside the EWS tile) and click "Sign In" to initialize the new API connection.

See Also

Was this article helpful?