Microsoft has drawn a hard line in the sand for Exchange hybrid organizations. By April 2027 at the latest, all Exchange Server Subscription Edition hybrid customers must move their rich coexistence features from Exchange Web Services (EWS) to Microsoft Graph. The transition hinges on a mandatory hotfix arriving in May 2026, which unlocks the necessary Graph-based integration. Miss these milestones, and hybrid mail flow, free/busy lookups, and calendar sharing between on-premises and Exchange Online could break entirely.

The warning shot came in a recent notification to hybrid customers, framing a two-phase timeline. First, install the May 2026 hotfix (or a newer cumulative update) on all Exchange servers by October 2026. That hotfix adds the plumbing for Graph-powered coexistence. Then, complete the migration of all rich coexistence workloads to Graph no later than April 2027. The October cutoff isn't arbitrary—it aligns with the long-announced retirement of EWS for Exchange Online, after which Microsoft will start blocking EWS requests from the cloud. On-premises servers that still talk EWS will lose critical cross-premises functionality.

Why EWS Must Go

Exchange Web Services has been the backbone of programmatic access to Exchange data for two decades. It powers everything from email clients to custom integrations, and in hybrid deployments, it enables real-time free/busy queries, mailbox moves, and public folder sync. However, EWS is a SOAP-based legacy API that Microsoft has been trying to sunset since 2018. It's complex, resource-intensive, and ill-suited for the modern, REST-based, permission-scoped world of Microsoft Graph.

In 2023, Microsoft solidified the retirement schedule: Exchange Online stopped investing in EWS that year, and the service will stop accepting EWS calls after October 1, 2026. Any cloud-side feature that still depended on EWS—such as hybrid free/busy—would either move to Graph or cease to exist. On-premises Exchange, however, continued to rely on EWS for hybrid connectivity. The May 2026 hotfix finally bridges that gap, teaching Exchange Server to speak Graph for coexistence instead.

The Graph Difference

Microsoft Graph is a unified REST API that spans the entire Microsoft 365 ecosystem. Moving hybrid coexistence to Graph doesn't just mean replacing one endpoint with another. It brings granular OAuth-based authentication, fine-grained permissions, better monitoring via Azure, and alignment with a single API surface used by Teams, SharePoint, and Viva. For hybrid organizations, this means features like cross-premises meeting room lookups, auto-mapping of shared mailboxes, and delegate access will eventually perform better and be more secure.

However, the transition isn't a simple toggle. Architects must reconfigure how on-premises servers authenticate to Exchange Online, update any third-party tools that intercept free/busy or calendar data, and reassign application permissions from EWS impersonation to Graph scopes. The May 2026 hotfix is the first step, but it only makes Graph available—it doesn't force a switch. That extra year from October 2026 to April 2027 gives organizations time to test, refactor, and cut over without downtime.

Who Must Act—and What Happens If They Don't

The mandate applies specifically to Exchange Server Subscription Edition (SE) hybrid customers. Subscription Edition is the perpetual release channel for Exchange 2019 and beyond, replacing the old cumulative update model. Organizations still running Exchange 2016 or earlier and planning a hybrid upgrade must first migrate to SE to meet the hardware and licensing requirements. Those on Exchange 2019 with active software assurance can stay on SE without a separate upgrade, but they still need the hotfix.

Ignoring the deadline carries severe consequences. After October 2026, Exchange Online will reject EWS calls from on-premises. This means hybrid free/busy will fail, causing users to see "no information" for colleagues on the other side of the hybrid bridge. Calendar sharing and delegation will break. Mailbox migrations using remote move will stall because the Mailbox Replication Service depends on EWS. Even public folder coexistence could become unreliable.

By April 2027, any remaining EWS-based coexistence paths will be permanently severed. Organizations that haven't installed the hotfix and reconfigured their hybrid will face an outage of cross-premises features, potentially forcing a rushed last-minute migration or an emergency cut of the hybrid—often with user impact and data integrity risks.

The Timeline in Detail

  • May 2026: Microsoft releases the Exchange Server Subscription Edition hotfix that introduces Graph support for hybrid coexistence. This hotfix will arrive via Windows Update as well as the usual download center, and it will be a cumulative update (CU) for the SE channel. It includes new cmdlets for configuring Graph-based org relationships, updated Microsoft 365 authentication modules, and a compatibility mode that allows both EWS and Graph to run in parallel during the transition.
  • October 2026: The hard deadline for installing the May 2026 CU or a subsequent CU on all Exchange servers. After October 1, 2026, EWS will no longer function in Exchange Online. Hybrid configurations that haven't been updated will immediately lose cloud-side connectivity. Servers that have the hotfix but haven't yet switched to Graph can still use EWS for on-premises-to-on-premises calls, but any cloud dependency will fail.
  • April 2027: The drop-dead date for completing the coexistence migration. By now, all rich coexistence workloads—free/busy, calendar sharing, delegate management, public folder sync, and archive access—must use Graph exclusively. Microsoft may block the remaining EWS traffic from managed endpoints after this date.

Preparing Your Hybrid Environment

Admins should start inventorying every EWS dependency now. Many organizations have third-party room schedulers, CRM plugins, or legacy Outlook add-ins that rely on EWS for cross-premises data. Those tools will need updates from their vendors or replacement with Graph-native alternatives.

Next, validate that all on-premises Exchange servers are running Subscription Edition. For mixed environments with older Exchange versions, plan an orderly migration. The hotfix will only apply to SE, so servers that can't be upgraded must be removed from the hybrid configuration or isolated before October 2026.

Authentication is the biggest architectural change. Hybrid coexistence traditionally used the OAuth-based Hybrid Modern Authentication (HMA) with tokens exchanged between on-premises and Exchange Online. The Graph integration will extend HMA to request Graph-specific scopes (like Calendars.ReadWrite.Shared and Mail.ReadWrite). Admins must register a new enterprise application in Azure (the hotfix will guide this) and consent to the required permissions. Federation trusts and intra-org relationship settings will need to be adjusted to use Graph endpoints instead of EWS virtual directories.

A phased cutover is the safest approach. After installing the hotfix, run both EWS and Graph in parallel for a few weeks while monitoring telemetry. Turn off EWS for a subset of test users first, verify free/busy, then gradually expand. The Exchange Server health dashboard will expose new counters for Graph latency and error rates, helping detect misconfigurations early.

Real-World Traps and Community Wisdom

Early testers of the Graph endpoints in Exchange Online have already flagged a few gotchas. The biggest: shared mailbox auto-mapping, where a user's Outlook client automatically mounts a shared mailbox, relies on EWS Autodiscover redirection. The Graph replacement uses a different flow via the /me/messages endpoints, and admins need to make sure mailbox delegation is properly modeled in the cloud. Another pain point is organization relationships with external domains. Hybrid orgs that federate with business partners for calendar sharing will need to convince those partners to update their endpoints or accept a temporary one-way sharing until everyone moves to Graph.

Conditional Access policies enforced on Exchange Online will also now apply to Graph calls from on-premises. This means any Hybrid Agent that was previously exempt because it called EWS inside the corporate network will suddenly be subject to the same access policies as a mobile client. Admins must ensure the Exchange server's managed identity is either excluded from restrictive policies or properly enrolled in compliance checks.

Compounding the urgency, Microsoft has hinted that the October 2026 EWS cutoff is non-negotiable—even for government clouds. GCC, GCC High, and DoD tenants follow the same timeline, though the hotfix and migration tools might arrive a few weeks later in those clouds. All the more reason to engage Microsoft Fast Track or your support contact now.

What Microsoft Hasn't Told You Yet

Not every coexistence workload will move to Graph in this round. Mobile device management using ActiveSync remains unchanged, and the Exchange Web Services Managed API (EWS Managed API) for on-premises-only operations isn't going anywhere—it's only the hybrid bridge signals that must convert. Hybrid configuration tools, like the Hybrid Configuration Wizard (HCW), are being rewritten to automatically detect the hotfix and offer a one-click path to enable Graph-based coexistence, but that revamped HCW won't ship until early 2026.

There's also a quiet concession: public folder coexistence, which was initially flagged for deprecation alongside EWS, will continue to rely on a limited EWS proxy until at least 2028. The Graph API for public folders is still in private preview, and Microsoft doesn't want to break hundreds of healthcare and legal firms that depend on legacy public folder replication. So the "move all rich coexistence" directive doesn't yet include modernizing public folders—for now, they get a reprieve.

The Clock Is Ticking

With four milestone dates now firm—May 2026 for the hotfix, October 2026 for EWS retirement, April 2027 for final coexistence cutover—hybrid Exchange organizations have a 30-month runway to retool. That sounds generous, but given the lead times for software updates, vendor negotiations, and testing cycles in regulated industries, it will evaporate fast.

The May 2026 hotfix is the gate. Without it, nothing else matters. Smart admins will treat it as a Day Zero flash point: immediately after release, build a lab replica of the production hybrid, apply the hotfix, and start running side-by-side Graph calls. Document every failure. Open support tickets while the issue is fresh. By mid-2026, you should be ready to flip the coexistence mode in production, giving yourself a full year of parallel running before the final April 2027 cutoff.

Microsoft's message is unmistakable: EWS in the cloud is dead. For hybrid organizations, the only path forward goes through Graph. Start the journey now.