Skip to main content
日本語 简体中文 繁體中文

[Critical] Request to Update Permissions Due to Migration of Exchange Online Integration Feature (Graph API)

Updated

Thank you for using HENNGE One.
Microsoft has announced that Exchange Web Services (EWS) will be discontinued as of October 1, 2026.
Accordingly, Cloud Protection is planning to migrate to a more secure and future-proof integration method using the Microsoft Graph API.

To use this new method, you will need to pre-authorize (verify) "Cloud Protection to use the Graph API" on your tenant side.

Please make the necessary configuration changes in advance to ensure a smooth migration at the switchover on October 1, 2026.
*If this process is not completed by the deadline, you may lose access to Exchange Online protection features in the service.

Include

  • All customers using Exchange Online protection features in Cloud Protection
    This update is required to continue providing Exchange Online security protection after October 1, 2026.

Content

Microsoft is gradually deprecating EWS (Exchange Web Services), the traditional connection method for Exchange Online, and has announced that as of October 1, 2026, EWS will be completely disabled for Exchange Online.

Official Microsoft information: Deprecation of EWS in Exchange Online (external link)

Procedure

Please follow the steps below to update the role.
*This process requires verification with a Microsoft 365 Global Administrator account.

Please make sure to complete this by October 1, 2026.

  1. Log in to the Cloud Protection Administration (Element Security Center).
  2. From the left menu, go to [Collaboration Protection] – [Cloud Services].

  3. Confirm that a warning banner appears at the top of the screen stating, "Refresh permissions to Exchange to support the latest features and improvements"

    スクリーンショット 2026-01-23 8.51.00.png

  4. Select the checkbox for the target tenant that requires a role update, and from the action bar displayed at the bottom of the screen, click [Refresh permissions to Exchange].
    *An exclamation mark (!) is displayed on the row of the target connected service.

    スクリーンショット 2026-01-23 10.13.27.png

  5. A popup will appear asking "Do you want to set up access to Exchange?" Click [Connect].
  6. The Microsoft 365 login screen will appear. Sign in with a Global Administrator account to verify.
  7. On the permissions request screen, click the [Accept] button.
  8. Return to the [Cloud Services] screen and confirm that the exclamation mark (!) next to the target connected service has disappeared.
    *The role update is complete with the above steps, but please also review the following notes regarding the migration to Graph API.

Notes

The migration to Graph API is a change based on Microsoft platform specifications, and some features will behave differently compared to the previous EWS connection.
The actual timing of the migration to Graph API will be announced separately after further discussions with WithSecure.

Specification changes due to migration

Change in scan method for receive trail rules

  • Settings Changed: The method will change from the previous push notification to a polling method that checks periodically.
    Due to Microsoft Graph API limitations (throttling), frequent checks from Cloud Protection may be restricted.
    As a result, there may be a slight delay in detecting rule additions or updates.

Specification change for calendar and contact quarantine features

  • Settings Changed: Due to Graph API limitations, the previous "Not available (quarantine)" action will no longer be available. Going forward, the action will be changed to one of "Rename (change name)", "Unlink", or "Delete".
    Although the previous quarantine feature using "Not available" will be discontinued, the selected alternative action above will continue to neutralize threats.

Tasks and notes will not be included as detection targets

  • Settings Changed: Since the Graph API does not provide the same detection mechanism as the previous EWS method, tasks and notes objects will not be included as detection targets after migration.
    WithSecure has evaluated, based on past attack statistics, that the risk of compromise via tasks or notes is extremely rare.
    Currently, we recognize that the security impact of this limitation is minimal, but if Microsoft Graph API functionality is expanded in the future, we will consider supporting these features again.

These limitations are unavoidable changes due to Microsoft Graph API restrictions, but migrating to Graph API is a necessary process to strengthen the security of your entire organization.
To ensure service continuity, we strongly recommend that you promptly update your role.
We are fully committed to supporting you for a smooth migration to a more secure Graph API-based environment.
If you have any questions about this matter, please feel free to contact HENNGE One Technical Support.