Overview

Exchange Sync Bridge acts as a protocol translation layer between existing EWS-based software and Microsoft 365.

Your software sends an EWS-style request to ESB. ESB identifies the target mailbox, converts the request into the corresponding Microsoft Graph API call, sends the request to Microsoft 365, receives the Graph response, and converts the response back into the EWS format expected by your software.

Request Flow

  1. Your existing software starts its normal Exchange Sync process.
  2. The software sends an EWS-style request to Exchange Sync Bridge.
  3. ESB reads the target mailbox from the EWS request.
  4. ESB uses Microsoft Graph to request the matching calendar, contact, task, or supported mailbox data from Microsoft 365.
  5. Microsoft 365 returns the Graph response.
  6. ESB translates the response back into an EWS-compatible format.
  7. Your existing software receives the response as if it were still communicating with an EWS endpoint.

Microsoft Admin Consent

During onboarding, your Microsoft 365 administrator approves the Exchange Sync Bridge enterprise application using Microsoft's standard admin consent process.

After consent is approved, Microsoft redirects back with tenant information. The customer license key is redeemed, and the installation receives an install API key used by the relay to communicate with Renfield's broker service.

There is no ESB user login screen and no ESB password for end users.

Authentication Model

Exchange Sync Bridge uses Microsoft Graph application permissions with the OAuth2 client-credentials flow. It does not pass through each user's Microsoft credentials and does not perform a separate OAuth login for each mailbox.

The mailbox specified by the EWS request is used as the target mailbox for the Graph request. This mailbox selection is an addressing mechanism, not a per-user authentication mechanism.

Trust Boundary

Exchange Sync Bridge uses an install-level trust model. After the Microsoft 365 administrator approves the application, ESB is allowed to access supported Exchange data for that tenant according to the permissions granted.

Organizations that need strict mailbox-level or department-level isolation inside a single tenant should discuss that requirement with Renfield Software before deployment.