For Dynamics 365 CE on-premises customers using Exchange Online
When EWS is disabled, the Outlook server profile in your on-premises CE organisation can no longer reach Exchange Online mailboxes. We replace the EWS layer with a Microsoft Graph bridge — same end-user experience, modern auth, no ACS.
Fixed-price, scoped after a 30-minute conversation. Refunded in full if our findings show you don't need the bridge.
Is this you?
You run Dynamics 365 Customer Engagement on-premises (v8.x or v9.x), not Dynamics 365 Online.
Your mailboxes are in Exchange Online or Microsoft 365, connected to CE via the Outlook server profile and server-side sync.
A full migration to Dynamics 365 Online before 1 October 2026 is not realistic — because of customisation depth, regulatory scope, integration sprawl, or change-freeze windows.
If any of those three are not true, this service is not for you, and we will say so on the call. The honest answer is sometimes “migrate to Dynamics 365 Online now” — and we will tell you when it is.
The stakes
Microsoft has confirmed a phased disablement of Exchange Web Services beginning 1 October 2026, with permanent shutdown on 1 April 2027 (Microsoft Learn — Deprecation of Exchange Web Services in Exchange Online(opens in a new tab)). The Outlook server profile that connects on-premises CE to Exchange Online uses EWS. When EWS is disabled, that profile stops working.
CRM looks broken to end users. Tracked emails stop appearing in timelines. New activities don’t post to records.
Sales pipeline visibility degrades within hours. Account managers lose conversational context on live deals.
Appointments and contacts no longer sync between Outlook and CE.
Diary conflicts, missed customer meetings, double-booking on field-service jobs.
Queues stop receiving inbound email. Case creation, complaints intake and shared-mailbox routing all fail silently.
SLA breaches in regulated workflows (FCA complaints, NHS PALS, public-sector FOI).
Server-side sync errors flood the system jobs queue. Admins see thousands of failed jobs with no easy recovery path.
Operations teams chase ghosts. CRM owner is publicly accountable for an outage they did not cause.
No first-party Microsoft replacement exists for on-premises CE → Exchange Online server-side sync. Microsoft’s stated path is migration to Dynamics 365 Online.
If a full migration is not feasible in your window, the default position is “do nothing and break”.
Dates per Microsoft Learn, Deprecation of Exchange Web Services in Exchange Online, and Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises). Microsoft’s verbatim guidance: “If you need server-side synchronization functionality, we recommend that you migrate to Dynamics 365 Online.”
Honest comparison
There are four credible responses to the EWS deadline. Three of them are not us. Here is an honest comparison.
Path
a) Full migration to Dynamics 365 Online
Microsoft’s recommended path
Effort
Very highRisk
Mediumbut well-trodden
Cost
High capex, lower run-cost long-term; BTC3 30% discount available 1 Jan 2026 – 31 Dec 2027
Disruption
6–18 months of programme work; data, customisations, integrations, training, change freezes
When it makes sense
You were going to migrate within 18 months anyway, customisations are tractable, and the business case clears procurement before mid-2026.
Path
b) Move mailboxes back on-premises (Exchange Server SE)
Effort
MediumRisk
Highreverses your Microsoft 365 strategy; Exchange SE has its own lifecycle and security obligations
Cost
Capex on Exchange SE infrastructure plus operational overhead
Disruption
Mailbox migration project, user impact during cutover, hybrid coexistence
When it makes sense
Almost never. We have not yet seen a UK customer for whom this is the right answer. Listed for completeness.
Path
c) AppID Allow List as a stopgap
Effort
LowRisk
HighMicrosoft has been explicit this is not a long-term route; final shutdown is 1 April 2027 with no exceptions
Cost
Low cash cost; high optionality cost
Disruption
Minimal in the short term; cliff edge in 2027
When it makes sense
You have a confirmed migration cutover before March 2027 and need 4–8 months of breathing room. Not a destination.
Path
d) The Graph middleware bridge (Mailspan)
Effort
Low–mediumRisk
Lowproductised, fixed-price, named-consultant delivery
Cost
Fixed-price assessment; fixed-price Statement of Work for build and deploy; predictable annual managed service
Disruption
5-day assessment; banded build of 4–10 weeks; parallel-run cutover with documented rollback
When it makes sense
You need server-side sync to keep working past 1 October 2026, full migration is not realistic in your window, and you want a defined exit when you do migrate.
If path (a) is realistic for you in the time available, it is the right answer and we will tell you so on the assessment call. The bridge exists for organisations where (a) is not realistic, (b) is the wrong direction, and (c) is not a strategy.
How the bridge works
The bridge is a small, audited middleware that terminates the EWS dependency on the Dynamics side and makes Microsoft Graph calls against Exchange Online on the other. The end-user experience is unchanged. The customisations stay. The Outlook server profile is replaced.
Dynamics 365 CE on-premises (v9.x)
System jobs · Server-side sync engine · Mailbox records · Queues · Tracking rules
Mailspan Graph bridge
Auth
OAuth 2.0 · per-mailbox delegated or app-only · granular RBAC
Translator
EWS-shaped requests → Microsoft Graph calls
Audit
Append-only · 13-month retention · SIEM export
Microsoft Graph
Microsoft 365 API surface · OAuth 2.0 · Entra ID
Exchange Online mailboxes
UK / EU tenant · existing user mailboxes · unchanged folder structure
No ACS tokens · No ApplicationImpersonation · No mailbox data persisted in the bridge
FindItem, CreateItem, SyncFolderItems, GetStreamingEvents)// Before — EWS FindItem (deprecated; endpoint disabled from 1 October 2026)
var view = new ItemView(50);
var results = exchangeService.FindItems(
WellKnownFolderName.Inbox,
new SearchFilter.IsGreaterThan(ItemSchema.DateTimeReceived, since),
view);
// After — Microsoft Graph equivalent via Mailspan bridge
var messages = await graphClient
.Users[mailboxUpn]
.MailFolders["Inbox"]
.Messages
.GetAsync(r => {
r.QueryParameters.Filter = $"receivedDateTime gt {since:o}";
r.QueryParameters.Top = 50;
r.QueryParameters.Select = new[] { "id", "subject", "from", "receivedDateTime", "internetMessageId" };
});Data residency. All bridge components are deployed in UK South only. No mailbox content is persisted by the bridge. The append-only audit log records metadata (mailbox UPN, item ID, operation, timestamp, status) for 13 months, exportable to your SIEM.
Authentication. OAuth 2.0 with Microsoft Entra ID. App-only access with
granular per-mailbox permissions via ApplicationAccessPolicy, or delegated
where required. No ACS. No ApplicationImpersonation. No client secrets in
source — workload identity federation or certificate-based credentials only.
Risk calculator
A two-minute self-assessment. No email required to see the result. We do not store your answers — the calculation runs entirely in your browser.
Engagement model
Three fixed-price tiers. The first one tells you whether you need the second. The second produces a working bridge. The third keeps it working as Microsoft Graph evolves.
Tier 1
Fixed-price, five working days, named consultant on-site or remote. Scoped after a 30-minute scoping conversation.
Deliverables
Refund commitment. If the assessment concludes you do not need the middleware bridge — for example, because a full Dynamics 365 Online migration is realistic in your window, or because your CE estate is already on a path that resolves the EWS dependency — the assessment fee is refunded in full.
Tier 2
Fixed-price, scoped after assessment. Banded by mailbox count (under 500 / 500–2,000 / 2,000–10,000 / over 10,000) and by integration complexity.
Includes
ApplicationAccessPolicy configuration.Tier 3
Annual, fixed-price, scoped after build. Renewable.
Includes
All three tiers are fixed-price, scoped after assessment. No prices are published on this page. We send a costed Statement of Work after the 30-minute scoping conversation.
FAQ
Sometimes that is the right answer and we will say so during the assessment. For organisations where it is not realistic before 1 October 2026 — because of customisation depth, regulatory scope, integration sprawl, change freezes, or simply because the business case has not cleared procurement — the bridge keeps server-side sync working until you are ready. Microsoft’s verbatim guidance on the relevant Learn page is: “If you need server-side synchronization functionality, we recommend that you migrate to Dynamics 365 Online.” That recommendation is correct. It is also not always feasible in 18 months.
Possibly, but not safely planned for. Microsoft’s Exchange team blog states: “There will be no exceptions past April 2027.” The phased disablement still begins 1 October 2026 and the AppID allow list is explicitly framed as a temporary tool, not a delay. Planning for a slip is a strategy that survives only if the slip arrives.
It is whichever you need it to be. Some customers run the bridge for 18 months as a runway to Dynamics 365 Online. Others run it for the foreseeable life of their on-premises CE estate. The managed service is renewable annually with a documented exit at every renewal point.
The bridge is deployed in UK South only. Mailbox content is not persisted by the bridge — calls are translated and forwarded to Microsoft Graph in-flight. The append-only audit log records metadata only (mailbox UPN, item ID, operation, timestamp, status), retained for 13 months, exportable to your SIEM.
We assess each ISV in scope during the Tier 1 engagement. ClickDimensions and Resco both have documented Graph-based or modern-auth paths; Riva is itself a sync product and follows a different track. Where an ISV uses the same Outlook server profile, the bridge usually covers it transparently; where it uses its own EWS connection, we configure parallel Graph permissions and document the ISV-specific cutover steps in the runbook.
Three protections, written into the Statement of Work. First, the bridge is delivered source-available to you under licence — not as a black box. Second, a full operational runbook is handed over at go-live, sufficient for a competent Microsoft partner or in-house team to operate it. Third, source code and build artefacts are held in escrow with a UK provider; trigger events include insolvency, sustained breach, and discontinuation of the product. We will share the escrow agreement template before contract signature.
Yes. The bridge mediates the path between CE on-premises and Exchange Online mailboxes. Mailboxes that remain on an on-premises Exchange server are not affected by the EWS retirement and are routed via the existing on-premises Exchange path. Hybrid topologies are explicitly in scope and are covered in the assessment.
It should not. Tracked emails continue to appear on timelines. Appointment sync continues. Queues continue to receive inbound email. The bridge replaces the Outlook server profile and the EWS layer; it does not change the user-facing surface area of CE or Outlook.
Five working days of named-consultant work, ending in: a written environment audit, a risk register mapped to 1 October 2026 and 1 April 2027, a two-path recommendation (bridge or migrate) costed in bands, a draft fixed-price Statement of Work for the recommended path, and a live walkthrough. If the conclusion is that you do not need the bridge, the assessment fee is refunded in full.
Yes, and we will help you do so where it applies. Bridge to Cloud 3 runs 1 January 2026 – 31 December 2027 and offers a 30% discount on Dynamics 365 Online licences over a three-year term — which materially changes the business case for full migration. The AIM programme funds migration assessments and accelerator engagements. Both apply to the migration path; neither funds the bridge itself directly, but together they often make the “bridge now, migrate when ready” framework cleaner to finance.
Correct, and the bridge does not use ACS. All authentication is OAuth 2.0 against Microsoft Entra ID, using app-only access with granular per-mailbox ApplicationAccessPolicy scoping, or delegated access where required. No ACS tokens. No ApplicationImpersonation. No client secrets stored in source.
Microsoft removed the v8.x integration on 1 January 2026. We support v8.x environments only as part of an in-flight upgrade to v9.x or a planned migration off CE on-premises — we will not build a bridge against a v8.x integration that Microsoft has already removed. The assessment will give you the right answer for your version.
Next step
A 30-minute scoping conversation, then a fixed-price five-day assessment with a named consultant. Written deliverables. Honest two-path recommendation. Refunded in full if you do not need the bridge. We will tell you on the call whether this is right for you.
Fixed-price Statement of Work after the scoping call · MSA available pre-engagement · Net-30 terms · G-Cloud 14 listing in progress