Microsoft has announced the formal retirement of Exchange Web Services (EWS) for Exchange Online. To ensure our customers experience zero disruption in service—particularly for advanced features like Distribution List (DL) expansion—ContactMonkey is proactively migrating to the new Exchange Online Admin API.
⚠️ Important: The Microsoft Graph integration is also migrating to a new permission. If your organization uses this expansion method, please follow the steps here to complete that update separately.
What is happening with EWS?
Microsoft is phasing out legacy EWS in favour of more secure, modern REST-based APIs.
- When: Starting October 1, 2026, Microsoft will begin blocking EWS requests in Exchange Online. See Microsoft Blog post here: https://techcommunity.microsoft.com/blog/exchange/exchange-online-ews-your-time-is-almost-up/4492361
- Impact: Any integration relying solely on legacy EWS will eventually stop functioning for tasks like resolving recipient counts or expanding dynamic groups.
What is the Exchange Online Admin API, and how does it replace EWS?
The Exchange Online Admin API is a modern interface designed to handle specific administrative tasks that were previously only possible through EWS or PowerShell.
How ContactMonkey uses it:
We utilize this API to maintain high-performance directory features, including:
- Distribution Group Expansion: Accurately expanding and counting memberships for both standard and dynamic distribution groups.
- Mailbox & Group Insights: Viewing mailbox properties and group memberships to ensure your emails reach the right recipients.
- Read-Only Access: This API allows us to perform these checks with the minimum permissions required, adhering to security best practices.
Completing the steps below ensures you are proactively migrating to a modern interface for high-performance features like Distribution Group Expansion and Mailbox Insights.
Actions Required to Prepare Your Tenant:
1. Assign the RBAC Role (Exchange Admin)
To ensure the API can read the necessary group data, the service account requires the following Role-Based Access Control (RBAC) role assigned within the Exchange Admin Center:
-
Role:
View-Only Organization Management
Before granting API access, you must ensure the service account has read-only access to Exchange data. A ContactMonkey Admin or Owner can go to Settings → Integrations to see which account is being used for other Utility integrations.
- Open the Exchange Admin Center
- Navigate to Roles → Admin roles
- Search for and select View-Only Organization Management
- Click the Assigned tab, search for and add your Service Account
Learn more about Role-based Permissions on Exchange Online.
Note: This is a read-only role. It allows ContactMonkey to see mailbox and group memberships but does not grant permission to modify settings, delete data, or read email content.
2. Update API Permission (IT Admin)
Your IT Administrator must update the ContactMonkey app registration in the Microsoft Entra ID (Azure AD) portal with the following scopes:
| API Resource | Permission Type | Scope |
| Office 365 Exchange Online | Delegated | Exchange.ManageV2 |
To enable the Exchange.ManageV2 permission, please use the Admin Consent URL for the region your ContactMonkey data is stored in:
3. Account Connection
To initialize the connection, a ContactMonkey admin must navigate to Settings → Integrations:
- Exchange Admin Utility Account: Locate this new tile and click "Sign In" to initialize the new API connection.