To ensure a successful migration, it helps to understand which protocols are changing and where they are used.
This can help reduce confusion and frustration during the setup and configuration period.
It’s an important distinction when planning or troubleshooting Exchange integrations, migrations, or automations. Let’s break down Exchange Web Services (EWS) vs Microsoft Graph from a network, architecture, and functional perspective:

| Feature | EWS (Exchange Web Services) | Microsoft Graph |
|---|---|---|
| Purpose | Legacy SOAP-based API for accessing Exchange mailbox data directly. | Modern REST-based API for accessing Microsoft 365 data (Exchange, Teams, OneDrive, etc.) via a unified endpoint. |
| API Style | XML/SOAP | JSON/REST |
| Main Use | On-premises Exchange or older M365 apps | Cloud (Microsoft 365) only — unified access to Exchange Online, Teams, Azure AD, etc. |

| Aspect | EWS | Microsoft Graph |
|---|---|---|
| Endpoint | https://<exchange-server>/EWS/Exchange.asmx (on-prem) or https://outlook.office365.com/EWS/Exchange.asmx (cloud) | https://graph.microsoft.com/v1.0 or /beta |
| Protocol | SOAP over HTTPS | REST over HTTPS |
| Network Path | Can connect directly to Exchange Server (on-prem or cloud). | Always connects through Microsoft 365 cloud edge services — can’t directly hit on-prem Exchange. |
| Firewall Requirements | Open TCP 443 to Exchange server(s) | Open TCP 443 to graph.microsoft.com and dependent M365 endpoints |
| Latency | Direct to Exchange = usually faster for on-prem | Slightly higher due to Graph gateway routing and authorization checks |
| Throttling Model | Exchange-specific throttling policies (configurable in Exchange Admin) | Tenant-wide Microsoft Graph throttling (shared across workloads) |

| Aspect | EWS | Microsoft Graph |
|---|---|---|
| Auth Methods | Basic Auth (deprecated), NTLM, OAuth 2.0 (modern auth) | OAuth 2.0 via Azure AD App Registration |
| Delegated vs Application Permissions | Both supported, but per-mailbox access is often required | Strongly permission-scoped (delegated or app-only); granular via Azure AD |
| Security Context | Service account or impersonation | Access token from Azure AD; fine-grained permissions like Mail.Read |

| Aspect | EWS | Microsoft Graph |
|---|---|---|
| Scope | Exchange only (Mail, Calendar, Contacts, Tasks) | Cross-service (Exchange, Teams, SharePoint, Azure AD, Intune, etc.) |
| Data Model | Deep and raw — ideal for migration tools or complex mailbox operations | Simplified but more consistent across Microsoft 365 services |
| Streaming Notifications / Subscriptions | Yes (push, pull, streaming) | Yes, but through Graph subscription APIs (webhooks) |
| Batching / Delta Queries | Partial support (SyncFolderItems) | Supported (Delta queries for incremental syncs) |
| Attachments & Large Messages | Raw access to MIME content | Graph supports resumable uploads and large file handling |

| Use Case | Best API |
|---|---|
| On-premises Exchange (2016, 2019) | EWS |
| Exchange Online (new integrations) | Graph |
| Migration tools needing full MAPI-level access | EWS (Graph doesn’t expose everything) |
| Building modern apps or bots | Graph |
| Access to Teams, SharePoint, Azure AD, etc. | Graph only |

EWS is in maintenance mode — no new features are being added.
Graph is the future. All new API functionality (e.g., improved calendar and message syncs) happens there.
EWS will not be deprecated immediately, especially for on-prem or hybrid environments, but for Exchange Online, Microsoft strongly recommends migration to Graph.

| Item | EWS | Graph |
|---|---|---|
| TLS | 1.2 minimum | 1.2+ required |
| Access Point | Exchange servers or Office 365 EWS endpoint | Global Microsoft 365 Graph endpoint |
| Load Balancing | Handled by Exchange CAS | Handled by Microsoft 365 front-end |
| Proxy & Firewall Rules | Local Exchange can be internal | Must allow outbound to graph.microsoft.com |
| Conditional Access | Limited support | Fully supported via Azure AD policies |

EWS: Closer to the Exchange server, more raw access, more complex XML, great for migrations and admin utilities.
Graph: Cloud-first, modern, secure, RESTful, with broader Microsoft 365 reach but not yet 100% feature parity for all Exchange operations.
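
As a planning aid for the migration discussed above, this added example (not from the original article) inventories which clients call EWS or Graph from request records, and flags Basic auth on EWS, Exchange Online traffic still on EWS, and TLS below 1.2. The four-field record format, the app names, and the host mail.example.internal are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records; assumed format: app, request URL, auth scheme, TLS version.
SAMPLE_LOG = """\
backup-agent https://mail.example.internal/EWS/Exchange.asmx NTLM 1.2
crm-sync https://outlook.office365.com/EWS/Exchange.asmx Basic 1.2
crm-sync https://outlook.office365.com/EWS/Exchange.asmx Basic 1.2
room-display https://outlook.office365.com/ews/exchange.asmx Bearer 1.2
helpdesk-bot https://graph.microsoft.com/v1.0/users/u1/messages Bearer 1.2
legacy-scanner https://mail.example.internal/EWS/Exchange.asmx NTLM 1.0
report-job https://graph.microsoft.com/beta/users/u1/calendar/events Bearer 1.3
"""

def classify(url):
    """Return 'graph', 'ews-online', 'ews-onprem' or 'other' for a request URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host match, so a lookalike such as graph.microsoft.com.example.net is not counted as Graph.
    if host == "graph.microsoft.com":
        return "graph"
    if parts.path.lower().startswith("/ews/exchange.asmx"):
        return "ews-online" if host == "outlook.office365.com" else "ews-onprem"
    return "other"

def tls_below_1_2(version):
    """True when the recorded TLS version is older than 1.2 or cannot be parsed."""
    try:
        return tuple(int(p) for p in version.split(".")) < (1, 2)
    except ValueError:
        return True  # an unreadable version is reported rather than silently passed

def inventory(log_text):
    """Group clients by API and collect findings that shape the migration plan."""
    apps, findings = defaultdict(set), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than guessing at their meaning
        app, url, scheme, tls = fields
        api = classify(url)
        apps[api].add(app)
        if api.startswith("ews") and scheme.lower() == "basic":
            findings.add((app, "EWS with Basic auth (deprecated)"))
        if api == "ews-online":
            findings.add((app, "Exchange Online via EWS: plan move to Graph"))
        if tls_below_1_2(tls):
            findings.add((app, "TLS below 1.2"))
    return dict(apps), sorted(findings)
```

Calling `inventory(SAMPLE_LOG)` returns the per-API client sets and a sorted, de-duplicated list of `(app, finding)` pairs.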