Microsoft Exchange (EWS)
Connect on-premises Microsoft Exchange via EWS for free/busy reads and event writes — for organizations on Exchange 2016/2019 that haven't moved to Microsoft 365.
Workestra supports on-premises Microsoft Exchange through the Exchange Web Services (EWS) protocol. This is the right integration when:
- Your organization runs Exchange 2016 or 2019 on-prem (not migrated to Microsoft 365)
- You can't use OAuth-based Microsoft 365 calendar — your IT policy or licensing keeps mailboxes on-prem
- You need free/busy reads and event writes against on-prem mailboxes
If you're on Microsoft 365 / Outlook.com, use the Microsoft 365 Calendar integration instead — Graph API is faster, OAuth-based, and far less brittle than EWS.
Screenshot needed — /settings/integrations/exchange with EWS URL + credentials form
What it does
| Workestra event | Exchange result |
|---|---|
| Booking computed | Free/busy read against the host's mailbox via GetUserAvailability |
| Booking confirmed | Calendar event created via CreateItem with attendees and online meeting URL (if configured) |
| Booking rescheduled | Existing calendar item updated via UpdateItem |
| Booking cancelled | Calendar item deleted via DeleteItem with cancellation notification to attendees |
Connecting
EWS doesn't have an OAuth flow. Connection is configured per-workspace by an admin:
/settings/integrations/exchange→ Configure.- Provide:
- EWS URL — typically
https://mail.<your-domain>.com/EWS/Exchange.asmx - Auth method — Basic auth (username + password) or NTLM
- Credentials — a service account with
Impersonationrights on user mailboxes you want to integrate
- EWS URL — typically
- Test the connection. Workestra issues a
ResolveNamesagainst the service account to confirm. - Save.
Once configured, individual hosts can be connected by entering their primary SMTP address — the service account does impersonation per request.
Service account requirements
The service account needs:
- A non-expiring password (or an LDAP-managed credential)
- The
ApplicationImpersonationRBAC role scoped to the mailboxes you want to integrate (New-ManagementRoleAssignment -Role ApplicationImpersonation -User workestra-svc) - Network reachability from Workestra's egress IPs to your EWS endpoint
For tighter scoping, scope the role to a specific OU or distribution group instead of the whole org.
Network considerations
EWS is HTTPS — a single endpoint on port 443. If your EWS server is internet-facing, no special network setup is needed. If it's internal-only, you'll need:
- A reverse proxy with public DNS (TLS-terminated)
- Or a private connection (Workestra Enterprise tier — talk to support)
What's NOT supported
- OAuth modern auth for EWS — basic auth and NTLM only. Microsoft is deprecating Basic auth for Exchange Online; for hybrid deployments, use the M365 integration instead.
- EWS Push Notifications — Workestra polls (every 5 minutes by default) for free/busy changes. Calendar-side delete sync (the M365 Graph subscription pattern) is not available on EWS.
- Exchange 2010 or earlier — protocol differences make support too brittle.
Read next
- Microsoft 365 Calendar — preferred for cloud Exchange
- Booking Links — pick Exchange as the calendar provider per link
- iCloud (CalDAV) — alternate non-Microsoft option