For Dynamics 365 CE on-premises customers using Exchange Online

On 1 October 2026, server-side sync stops working. We build the bridge that keeps it running.

When EWS is disabled, the Outlook server profile in your on-premises CE organisation can no longer reach Exchange Online mailboxes. We replace the EWS layer with a Microsoft Graph bridge — same end-user experience, modern auth, no ACS.

Book your EWS Risk Assessment Download the readiness checklist (PDF)

Fixed-price, scoped after a 30-minute conversation. Refunded in full if our findings show you don't need the bridge.

Is this you?

This page is only useful if all three of the following describe your environment.

If any of those three are not true, this service is not for you, and we will say so on the call. The honest answer is sometimes “migrate to Dynamics 365 Online now” — and we will tell you when it is.

The stakes

What happens on 1 October 2026

Microsoft has confirmed a phased disablement of Exchange Web Services beginning 1 October 2026, with permanent shutdown on 1 April 2027 (Microsoft Learn — Deprecation of Exchange Web Services in Exchange Online). The Outlook server profile that connects on-premises CE to Exchange Online uses EWS. When EWS is disabled, that profile stops working.

  1. What breaks

    CRM looks broken to end users. Tracked emails stop appearing in timelines. New activities don’t post to records.

    What it costs you

    Sales pipeline visibility degrades within hours. Account managers lose conversational context on live deals.

  2. What breaks

    Appointments and contacts no longer sync between Outlook and CE.

    What it costs you

    Diary conflicts, missed customer meetings, double-booking on field-service jobs.

  3. What breaks

    Queues stop receiving inbound email. Case creation, complaints intake and shared-mailbox routing all fail silently.

    What it costs you

    SLA breaches in regulated workflows (FCA complaints, NHS PALS, public-sector FOI).

  4. What breaks

    Server-side sync errors flood the system jobs queue. Admins see thousands of failed jobs with no easy recovery path.

    What it costs you

    Operations teams chase ghosts. CRM owner is publicly accountable for an outage they did not cause.

  5. What breaks

    No first-party Microsoft replacement exists for on-premises CE → Exchange Online server-side sync. Microsoft’s stated path is migration to Dynamics 365 Online.

    What it costs you

    If a full migration is not feasible in your window, the default position is “do nothing and break”.

Dates per Microsoft Learn, Deprecation of Exchange Web Services in Exchange Online, and Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises). Microsoft’s verbatim guidance: “If you need server-side synchronization functionality, we recommend that you migrate to Dynamics 365 Online.”

Honest comparison

The four paths

There are four credible responses to the EWS deadline. Three of them are not us. Here is an honest comparison.

Path

a) Full migration to Dynamics 365 Online

Microsoft’s recommended path

Effort

Very high

Risk

Medium

but well-trodden

Cost

High capex, lower run-cost long-term; BTC3 30% discount available 1 Jan 2026 – 31 Dec 2027

Disruption

6–18 months of programme work; data, customisations, integrations, training, change freezes

When it makes sense

You were going to migrate within 18 months anyway, customisations are tractable, and the business case clears procurement before mid-2026.

Path

b) Move mailboxes back on-premises (Exchange Server SE)

Effort

Medium

Risk

High

reverses your Microsoft 365 strategy; Exchange SE has its own lifecycle and security obligations

Cost

Capex on Exchange SE infrastructure plus operational overhead

Disruption

Mailbox migration project, user impact during cutover, hybrid coexistence

When it makes sense

Almost never. We have not yet seen a UK customer for whom this is the right answer. Listed for completeness.

Path

c) AppID Allow List as a stopgap

Effort

Low

Risk

High

Microsoft has been explicit this is not a long-term route; final shutdown is 1 April 2027 with no exceptions

Cost

Low cash cost; high optionality cost

Disruption

Minimal in the short term; cliff edge in 2027

When it makes sense

You have a confirmed migration cutover before March 2027 and need 4–8 months of breathing room. Not a destination.

Path

d) The Graph middleware bridge (Mailspan)

Effort

Low–medium

Risk

Low

productised, fixed-price, named-consultant delivery

Cost

Fixed-price assessment; fixed-price Statement of Work for build and deploy; predictable annual managed service

Disruption

5-day assessment; banded build of 4–10 weeks; parallel-run cutover with documented rollback

When it makes sense

You need server-side sync to keep working past 1 October 2026, full migration is not realistic in your window, and you want a defined exit when you do migrate.

  1. Full Dynamics 365 Online migration

    Microsoft’s recommended path

    Effort Very high
    Risk Medium

    Best if migration is already funded, realistic, and can land before the EWS deadline.

    Cost, disruption, and notes

    Cost

    High capex, lower run-cost long-term; BTC3 30% discount available 1 Jan 2026 – 31 Dec 2027

    Disruption

    6–18 months of programme work; data, customisations, integrations, training, change freezes

    Risk note

    but well-trodden

    When it makes sense

    You were going to migrate within 18 months anyway, customisations are tractable, and the business case clears procurement before mid-2026.

  2. Move mailboxes back on-premises

    Effort Medium
    Risk High

    Almost never the right answer; included for completeness.

    Cost, disruption, and notes

    Cost

    Capex on Exchange SE infrastructure plus operational overhead

    Disruption

    Mailbox migration project, user impact during cutover, hybrid coexistence

    Risk note

    reverses your Microsoft 365 strategy; Exchange SE has its own lifecycle and security obligations

    When it makes sense

    Almost never. We have not yet seen a UK customer for whom this is the right answer. Listed for completeness.

  3. AppID Allow List stopgap

    Effort Low
    Risk High

    Useful only for short breathing room when migration lands before final shutdown.

    Cost, disruption, and notes

    Cost

    Low cash cost; high optionality cost

    Disruption

    Minimal in the short term; cliff edge in 2027

    Risk note

    Microsoft has been explicit this is not a long-term route; final shutdown is 1 April 2027 with no exceptions

    When it makes sense

    You have a confirmed migration cutover before March 2027 and need 4–8 months of breathing room. Not a destination.

  4. Mailspan

    Mailspan Graph bridge

    Effort Low–medium
    Risk Low

    Best when server-side sync must survive past 1 October 2026 and full migration is not realistic.

    Cost, disruption, and notes

    Cost

    Fixed-price assessment; fixed-price Statement of Work for build and deploy; predictable annual managed service

    Disruption

    5-day assessment; banded build of 4–10 weeks; parallel-run cutover with documented rollback

    Risk note

    productised, fixed-price, named-consultant delivery

    When it makes sense

    You need server-side sync to keep working past 1 October 2026, full migration is not realistic in your window, and you want a defined exit when you do migrate.

If path (a) is realistic for you in the time available, it is the right answer and we will tell you so on the assessment call. The bridge exists for organisations where (a) is not realistic, (b) is the wrong direction, and (c) is not a strategy.

Book your EWS Risk Assessment

How the bridge works

A small, audited middleware that terminates EWS on the Dynamics side.

The bridge is a small, audited middleware that terminates the EWS dependency on the Dynamics side and makes Microsoft Graph calls against Exchange Online on the other. The end-user experience is unchanged. The customisations stay. The Outlook server profile is replaced.

Dynamics 365 CE on-premises (v9.x)

System jobs · Server-side sync engine · Mailbox records · Queues · Tracking rules

Mailspan Graph bridge

Auth

OAuth 2.0 · per-mailbox delegated or app-only · granular RBAC

Translator

EWS-shaped requests → Microsoft Graph calls

Audit

Append-only · 13-month retention · SIEM export

Microsoft Graph

Microsoft 365 API surface · OAuth 2.0 · Entra ID

Exchange Online mailboxes

UK / EU tenant · existing user mailboxes · unchanged folder structure

No ACS tokens · No ApplicationImpersonation · No mailbox data persisted in the bridge

What’s replaced

  • The Outlook server profile pointing at Exchange Online via EWS
  • ApplicationImpersonation RBAC role on Exchange
  • EWS calls (FindItem, CreateItem, SyncFolderItems, GetStreamingEvents)
  • ACS-issued tokens (also retiring)
  • OAuth-issued tokens used directly against EWS endpoints

What stays the same

  • The end-user experience in Outlook, the web client, and the mobile app
  • Mailbox records and the Email Router queue on Dynamics
  • Tracking rules, folder-level tracking, server-side sync filters
  • Queue configuration, automatic record creation rules
  • All Dynamics customisations: plug-ins, workflows, JavaScript, PCF controls
// Before — EWS FindItem (deprecated; endpoint disabled from 1 October 2026)
var view = new ItemView(50);
var results = exchangeService.FindItems(
    WellKnownFolderName.Inbox,
    new SearchFilter.IsGreaterThan(ItemSchema.DateTimeReceived, since),
    view);

// After — Microsoft Graph equivalent via Mailspan bridge
var messages = await graphClient
    .Users[mailboxUpn]
    .MailFolders["Inbox"]
    .Messages
    .GetAsync(r => {
        r.QueryParameters.Filter = $"receivedDateTime gt {since:o}";
        r.QueryParameters.Top    = 50;
        r.QueryParameters.Select = new[] { "id", "subject", "from", "receivedDateTime", "internetMessageId" };
    });

Data residency. All bridge components are deployed in UK South only. No mailbox content is persisted by the bridge. The append-only audit log records metadata (mailbox UPN, item ID, operation, timestamp, status) for 13 months, exportable to your SIEM.

Authentication. OAuth 2.0 with Microsoft Entra ID. App-only access with granular per-mailbox permissions via ApplicationAccessPolicy, or delegated where required. No ACS. No ApplicationImpersonation. No client secrets in source — workload identity federation or certificate-based credentials only.

Risk calculator

Five questions, one risk score.

A two-minute self-assessment. No email required to see the result. We do not store your answers — the calculation runs entirely in your browser.

1. Dynamics 365 CE version.
2. Approximate mailbox count synced to CE.
3. Hybrid Exchange?
4. Regulated sector?
5. Planned migration to Dynamics 365 Online.

Engagement model

Three productised tiers

Three fixed-price tiers. The first one tells you whether you need the second. The second produces a working bridge. The third keeps it working as Microsoft Graph evolves.

Tier 1

EWS Risk Assessment

Fixed-price, five working days, named consultant on-site or remote. Scoped after a 30-minute scoping conversation.

Deliverables

  • A written environment audit covering CE version, customisation depth, server-side sync configuration, mailbox topology, hybrid Exchange status, and integration inventory (ClickDimensions, Resco, Riva, custom plug-ins).
  • A risk register mapped to 1 October 2026 and 1 April 2027, with named owners.
  • A two-path recommendation: bridge, or full migration. Costed in bands. Honest about which is right for you.
  • A draft fixed-price Statement of Work for whichever path you select.
  • A live walkthrough with your IT, applications and procurement leads.

Refund commitment. If the assessment concludes you do not need the middleware bridge — for example, because a full Dynamics 365 Online migration is realistic in your window, or because your CE estate is already on a path that resolves the EWS dependency — the assessment fee is refunded in full.

Tier 2

Bridge Build & Deploy

Fixed-price, scoped after assessment. Banded by mailbox count (under 500 / 500–2,000 / 2,000–10,000 / over 10,000) and by integration complexity.

Includes

  • Bridge deployment in your UK South tenant or in a managed Mailspan tenant.
  • Microsoft Entra app registration, RBAC scoping, and ApplicationAccessPolicy configuration.
  • Cutover runbook with documented rollback at every step.
  • UAT with your CRM owner and a representative end-user cohort.
  • Parallel-run cutover — bridge and existing EWS path run side-by-side until you sign off.
  • 30-day hypercare with named consultant on a same-day SLA.
  • Source-available delivery and full handover documentation (see FAQ on escrow).

Tier 3

Managed Service

Annual, fixed-price, scoped after build. Renewable.

Includes

  • Continuous tracking of Microsoft Graph API changes and deprecations.
  • Quarterly health review against your SIEM and audit log.
  • Patch and update windows agreed against your change calendar.
  • Same-day SLA on P1 incidents; named consultant cover.
  • A documented exit at any renewal point — including a one-time handover engagement so you can take the bridge in-house, retire it, or migrate off it cleanly.

All three tiers are fixed-price, scoped after assessment. No prices are published on this page. We send a costed Statement of Work after the 30-minute scoping conversation.

FAQ

Twelve questions, honestly answered

Why not just move to Dynamics 365 Online?

Sometimes that is the right answer and we will say so during the assessment. For organisations where it is not realistic before 1 October 2026 — because of customisation depth, regulatory scope, integration sprawl, change freezes, or simply because the business case has not cleared procurement — the bridge keeps server-side sync working until you are ready. Microsoft’s verbatim guidance on the relevant Learn page is: “If you need server-side synchronization functionality, we recommend that you migrate to Dynamics 365 Online.” That recommendation is correct. It is also not always feasible in 18 months.

Could Microsoft slip the deadline?

Possibly, but not safely planned for. Microsoft’s Exchange team blog states: “There will be no exceptions past April 2027.” The phased disablement still begins 1 October 2026 and the AppID allow list is explicitly framed as a temporary tool, not a delay. Planning for a slip is a strategy that survives only if the slip arrives.

Is this a permanent fix or a stopgap?

It is whichever you need it to be. Some customers run the bridge for 18 months as a runway to Dynamics 365 Online. Others run it for the foreseeable life of their on-premises CE estate. The managed service is renewable annually with a documented exit at every renewal point.

Where does mail data flow?

The bridge is deployed in UK South only. Mailbox content is not persisted by the bridge — calls are translated and forwarded to Microsoft Graph in-flight. The append-only audit log records metadata only (mailbox UPN, item ID, operation, timestamp, status), retained for 13 months, exportable to your SIEM.

What about ClickDimensions, Resco, Riva and other ISVs that depend on EWS?

We assess each ISV in scope during the Tier 1 engagement. ClickDimensions and Resco both have documented Graph-based or modern-auth paths; Riva is itself a sync product and follows a different track. Where an ISV uses the same Outlook server profile, the bridge usually covers it transparently; where it uses its own EWS connection, we configure parallel Graph permissions and document the ISV-specific cutover steps in the runbook.

What happens if Mailspan goes out of business?

Three protections, written into the Statement of Work. First, the bridge is delivered source-available to you under licence — not as a black box. Second, a full operational runbook is handed over at go-live, sufficient for a competent Microsoft partner or in-house team to operate it. Third, source code and build artefacts are held in escrow with a UK provider; trigger events include insolvency, sustained breach, and discontinuation of the product. We will share the escrow agreement template before contract signature.

Will this work with hybrid Exchange or Exchange Server SE?

Yes. The bridge mediates the path between CE on-premises and Exchange Online mailboxes. Mailboxes that remain on an on-premises Exchange server are not affected by the EWS retirement and are routed via the existing on-premises Exchange path. Hybrid topologies are explicitly in scope and are covered in the assessment.

How does this affect end users?

It should not. Tracked emails continue to appear on timelines. Appointment sync continues. Queues continue to receive inbound email. The bridge replaces the Outlook server profile and the EWS layer; it does not change the user-facing surface area of CE or Outlook.

What does the assessment actually produce?

Five working days of named-consultant work, ending in: a written environment audit, a risk register mapped to 1 October 2026 and 1 April 2027, a two-path recommendation (bridge or migrate) costed in bands, a draft fixed-price Statement of Work for the recommended path, and a live walkthrough. If the conclusion is that you do not need the bridge, the assessment fee is refunded in full.

Can we use Bridge to Cloud 3 or AIM funding?

Yes, and we will help you do so where it applies. Bridge to Cloud 3 runs 1 January 2026 – 31 December 2027 and offers a 30% discount on Dynamics 365 Online licences over a three-year term — which materially changes the business case for full migration. The AIM programme funds migration assessments and accelerator engagements. Both apply to the migration path; neither funds the bridge itself directly, but together they often make the “bridge now, migrate when ready” framework cleaner to finance.

What about authentication — ACS is also retiring?

Correct, and the bridge does not use ACS. All authentication is OAuth 2.0 against Microsoft Entra ID, using app-only access with granular per-mailbox ApplicationAccessPolicy scoping, or delegated access where required. No ACS tokens. No ApplicationImpersonation. No client secrets stored in source.

Do you support v8.x as well as v9.x?

Microsoft removed the v8.x integration on 1 January 2026. We support v8.x environments only as part of an in-flight upgrade to v9.x or a planned migration off CE on-premises — we will not build a bridge against a v8.x integration that Microsoft has already removed. The assessment will give you the right answer for your version.

Next step

Book your EWS Risk Assessment

A 30-minute scoping conversation, then a fixed-price five-day assessment with a named consultant. Written deliverables. Honest two-path recommendation. Refunded in full if you do not need the bridge. We will tell you on the call whether this is right for you.

Book your EWS Risk Assessment

Fixed-price Statement of Work after the scoping call · MSA available pre-engagement · Net-30 terms

Calendar embed

30-minute scoping conversation. Cal.com / Microsoft Bookings — UK time, 09:00–17:30 weekdays.

Prefer email? hello@mail-span.com