Mailbox Import and Export via Microsoft Graph: New Resource Types and Methods for Entra Admins

WHAT JUST CHANGED
Microsoft has released new Microsoft Graph resource types and methods for mailbox import/export and Exchange settings. As of June 2024 these additions are in Public Preview on the Graph beta endpoint for Microsoft 365 tenants with Exchange Online and Microsoft Entra ID. Key changes:
- exportItemResponse resource type
- mailboxItemImportSession resource type
- exchangeSettings resource type
- mailbox resource and methods
- mailboxFolder resource and methods
- mailboxItem resource and methods
- userSettings resource: new exchange relationship
- createImportSession method for mailbox resource
- exchangeAdmin resource: new mailboxes relationship
- exportItems method for mailbox resource
These additions let admins programmatically manage mailbox import/export sessions, mailbox item lifecycle, folder structure, and Exchange settings through the Graph API and the Microsoft Graph PowerShell SDK. All tenants with Exchange Online are affected and licensing is unchanged, but the new mailbox admin methods are application-permission (app-only) calls with their own permission set, listed per method in the Graph reference (for example MailboxItem.ImportExport.All for exportItems and createImportSession, MailboxFolder.Read.All for listing folders). Mail.ReadWrite and MailboxSettings.ReadWrite are the ordinary user-mail scopes and are not the permissions documented for these admin endpoints, so check the permission reference for each method before granting anything to a service principal.
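The round trip the new methods are built for, as an added example that is not from the page or from Microsoft's own samples: list a source folder's items, export them with exportItems, open an import session on a second mailbox, and post each exported blob to the session's importUrl. The endpoint paths, the itemIds/exportItemResponse shapes and the FolderId/Mode/Data body for the importUrl follow the beta reference as I read it; the variables $appId, $tenantId, $thumbprint, $sourceMbx and $targetMbx are assumed to be set by the operator, and the folder name 'Inbox' is an illustrative choice. Verify the request shapes against the current beta docs before relying on them.

```powershell
# Added example, not code from the page. Beta admin endpoints, app-only auth: the app
# registration needs MailboxItem.ImportExport.All (export/import), MailboxFolder.Read.All
# (list folders) and MailboxItem.Read.All (list items) admin-consented. Assumptions:
# $appId, $tenantId, $thumbprint, $sourceMbx, $targetMbx are set before running.
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumbprint
$base = "https://graph.microsoft.com/beta/admin/exchange/mailboxes"

# Walk the paged folder list of a mailbox and return the first folder with a given name.
function Get-MailboxFolderByName {
    param([string]$MailboxId, [string]$DisplayName)
    $uri = "$base/$MailboxId/folders?`$top=100"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $hit = $page.value | Where-Object { $_.displayName -eq $DisplayName } | Select-Object -First 1
        if ($hit) { return $hit }
        $uri = $page.'@odata.nextLink'
    }
    throw "Folder '$DisplayName' not found in mailbox $MailboxId"
}

# 1. Source folder and its item ids (first page only; extend with @odata.nextLink for bulk work).
$srcFolder = Get-MailboxFolderByName -MailboxId $sourceMbx -DisplayName 'Inbox'
$items = Invoke-MgGraphRequest -Method GET -Uri "$base/$sourceMbx/folders/$($srcFolder.id)/items?`$top=20"
$itemIds = @($items.value | ForEach-Object { $_.id })

# 2. exportItems returns one exportItemResponse per id: 'data' holds the item as a base64
#    blob, 'error' is set instead when that item could not be exported (assumed shape).
$export = Invoke-MgGraphRequest -Method POST -Uri "$base/$sourceMbx/exportItems" -Body @{ itemIds = $itemIds }
$exported = @($export.value | Where-Object { -not $_.error })
$failed   = @($export.value | Where-Object { $_.error })
Write-Host "Exported $($exported.Count) item(s); $($failed.Count) failed."

# 3. Open an import session on the target. The importUrl is pre-authorised and expires at
#    expirationDateTime: treat it like a bearer token and never write it to logs.
$session   = Invoke-MgGraphRequest -Method POST -Uri "$base/$targetMbx/createImportSession"
$dstFolder = Get-MailboxFolderByName -MailboxId $targetMbx -DisplayName 'Inbox'

# 4. Post each blob to the importUrl. Mode 'create' adds a new item; 'update' overwrites an
#    existing one and therefore fails if the item is not already present at the target.
foreach ($item in $exported) {
    $body = @{ FolderId = $dstFolder.id; Mode = 'create'; Data = $item.data }
    try {
        $result = Invoke-MgGraphRequest -Method POST -Uri $session.importUrl -Body $body
        Write-Host "Imported $($item.itemId) -> $($result.id)"
    } catch {
        Write-Warning "Import of $($item.itemId) failed: $_"
    }
}
```

Two design points worth keeping when you adapt this: failures are per item (an error entry in the export response, a thrown request on import), so the loop records them instead of aborting the whole run; and the importUrl is the one secret-like value in the flow, which is why it is never echoed. If the importUrl turns out to be hosted outside graph.microsoft.com, Invoke-RestMethod with the same body works in place of Invoke-MgGraphRequest.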
WHAT’S NEXT ON THE ROADMAP
- Mailbox item search and batch export/import capabilities are expected to reach General Availability by Q3 2024, with audit logging enhancements and retention policy hooks.
- Microsoft is piloting granular mailbox folder-level access for service accounts, supporting more secure automation for e-discovery, compliance, and guest mailbox management.
- ExchangeAdmin resource will expand to cover delegated mailbox management and cross-tenant mail flow controls, aligning with Entra External Identities roadmap.
- EWS retirement: Microsoft has announced that Exchange Web Services for Exchange Online will be retired on October 1, 2026 (the "December 31, 2024" date sometimes quoted for mailbox export/import is not Microsoft's announced date). The new Graph methods are the migration target for EWS-based mailbox export/import automation.
- Conditional Access: CA is evaluated when a token is issued for the resource (Office 365 / Microsoft Graph), so device compliance and MFA can be enforced on interactive mailbox API calls made by users. Note the limit: app-only (client credentials) automation is not subject to user CA policies; it is governed by Conditional Access for workload identities, which can restrict a service principal by location or risk but cannot require MFA or a compliant device.
WHY THIS DIRECTION IS BETTER
- Unified API Surface: Everything mailbox-related is accessible via Microsoft Graph—the same endpoint used for identity, security, and lifecycle automation.
- Modern Authentication: OAuth2 only, with Entra Conditional Access on the token grant. Basic authentication, the long-standing weak point of EWS and remote PowerShell, is already disabled in Exchange Online and has no equivalent here.
- Scoped Permissions: Application access can be limited to a set of mailboxes with Exchange RBAC for Applications (management scopes) rather than granting an app every mailbox in the tenant. Folder- and item-level scoping is on the roadmap (see above), not something you can enforce today.
- Automation Ready: Straightforward integration with PowerShell, Logic Apps, and third-party tools for import/export, backup, restore, and compliance workflows.
- Better Auditing and Logging: Token issuance to the calling app or user appears in Entra sign-in logs, and the mailbox operations themselves land in Exchange mailbox auditing and the unified audit log in Microsoft Purview. Confirm in your pilot which export/import operations are actually recorded before relying on them for compliance evidence.
Compared to legacy EWS, Graph mailbox management is better authenticated, more consistently permissioned, and easier to audit.
ADJACENT ENTRA ID CHANGES TO KNOW
- Entra External ID: Guest mailbox lifecycle and cross-tenant access configuration are now supported in preview. Admins should review guest access policies for mailbox folders and items.
- Conditional Access: CA policies can now enforce MFA and device compliance for mailbox API access, closing gaps in automated mailbox operations.
- Licensing/Role Changes: Graph application permissions for mailbox import/export are granted (and admin-consented) on the app registration in the Entra admin center, not in the Exchange Admin Center; the Exchange side only adds RBAC for Applications scoping if you want to restrict which mailboxes the app can reach.
- PowerShell Module Updates: The Microsoft.Graph SDK (and the newer Microsoft.Entra module for directory tasks) is what you need for these endpoints. AzureAD and MSOnline are deprecated; ExchangeOnlineManagement remains supported for Exchange administration but does not expose the new import/export methods.
WHAT TO DO NOW
- Review mailbox automation scripts and workflows for EWS usage. Plan the migration to Microsoft Graph endpoints well ahead of the announced EWS retirement for Exchange Online on October 1, 2026.
- Audit service principal and user permissions: confirm that each app holds only the Graph permission documented for the methods it calls (MailboxItem.ImportExport.All, MailboxFolder.Read.All and related), and look for broad grants such as Mail.ReadWrite or MailboxSettings.ReadWrite that were handed out on the assumption that they were required.
- Test mailbox import/export via Graph API in a pilot tenant or sandbox. Validate folder/item lifecycle, audit logs, and compliance triggers.
- Update Conditional Access policies to restrict mailbox API access to compliant devices and enforce MFA.
- Monitor the Entra admin center and Microsoft 365 roadmap for mailbox item search and batch export GA announcements.
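The permission audit from the list above, written out as an added example (not from the page): it enumerates every principal that has been granted a Microsoft Graph or Exchange Online application permission capable of reading or exporting mailbox content tenant-wide. The two appIds are Microsoft's well-known resource identifiers for Microsoft Graph and Office 365 Exchange Online; the regular expression selecting "interesting" role values is my choice and should be widened to taste.

```powershell
# Added example, not code from the page. Delegated Application.Read.All is enough to read
# service principals and their app role assignments.
Connect-MgGraph -Scopes "Application.Read.All"

# Well-known appIds of the two resource service principals that hold mailbox permissions.
$resources = @{
    'Microsoft Graph'            = '00000003-0000-0000-c000-000000000000'
    'Office 365 Exchange Online' = '00000002-0000-0ff1-ce00-000000000000'
}
# Role values that grant app-only access to mailbox content or settings. Mailbox covers
# MailboxItem.*, MailboxFolder.* and MailboxSettings.*; full_access_as_app is EWS-era.
$pattern = '^(Mail\.|Mailbox|full_access_as_app|Exchange\.ManageAsApp)'

function Get-MailboxPermissionGrants {
    $findings = foreach ($name in $resources.Keys) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($resources[$name])'"
        if (-not $sp) { continue }
        # Map appRoleId GUIDs back to readable role values (e.g. MailboxItem.ImportExport.All).
        $roleById = @{}
        foreach ($role in $sp.AppRoles) { $roleById[$role.Id] = $role.Value }
        # appRoleAssignedTo lists every principal granted one of this resource's app roles.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All) {
            $value = $roleById[$a.AppRoleId]
            if ($value -match $pattern) {
                [pscustomobject]@{
                    Resource    = $name
                    Permission  = $value
                    Principal   = $a.PrincipalDisplayName
                    PrincipalId = $a.PrincipalId
                    GrantedOn   = $a.CreatedDateTime
                }
            }
        }
    }
    return $findings
}

Get-MailboxPermissionGrants | Sort-Object Resource, Permission, Principal | Format-Table -AutoSize
```

Anything listed here can read or export mail from every mailbox unless an Exchange application access policy or RBAC for Applications scope narrows it, so the follow-up for each row is to check that the principal still needs the grant and that a mailbox scope exists; full_access_as_app rows are the EWS dependencies you will have to migrate.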
CHECK IT YOURSELF: PowerShell Audit for Mailbox Graph Readiness
# Requires the Microsoft.Graph PowerShell SDK. The mailbox admin endpoints are beta-only and
# app-only: sign in as an app registration whose Graph application permissions have been
# admin-consented (see the permission listed on each method you intend to call).
# Set $appId, $tenantId and $thumbprint for your registration before running.
Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint $thumbprint
# List mailboxes, following @odata.nextLink until every page has been read.
# (Invoke-MgGraphRequest has no -Top parameter; page size goes in the query string.)
try {
    $uri = "https://graph.microsoft.com/beta/admin/exchange/mailboxes?`$top=50"
    $count = 0
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($mailbox in $page.value) {
            $count++
            Write-Host "Mailbox: $($mailbox.displayName) | Id: $($mailbox.id)"
        }
        $uri = $page.'@odata.nextLink'
    }
    if ($count -eq 0) {
        Write-Host "No mailboxes returned: check the app's consented permissions and the beta endpoint."
    }
} catch {
    Write-Error "Error querying mailboxes: $_"
}
To confirm mailbox folder/item API availability, use:
# List folders for a mailbox (read-only check; same app-only session as above)
$mbxId = "<mailbox id from the listing above>"
try {
    $uri = "https://graph.microsoft.com/beta/admin/exchange/mailboxes/$mbxId/folders?`$top=50"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($folder in $page.value) {
            Write-Host "Folder: $($folder.displayName) | Id: $($folder.id)"
        }
        $uri = $page.'@odata.nextLink'
    }
} catch {
    Write-Error "Error querying folders: $_"
}
PORTAL PATH
- Entra Admin Center: Identity > Applications > App registrations > [Your App] > API permissions > Add a permission > Microsoft Graph > Application permissions > select the permission documented for the method (for example MailboxItem.ImportExport.All), then Grant admin consent.
- Microsoft 365 Admin Center: Exchange > Mailboxes > [Mailbox] > Settings > API Access (Preview)
- Entra Admin Center: Protection > Conditional Access > Policies > [Policy] > Target resources: include the Office 365 cloud app (which covers Exchange Online) or all cloud apps; for service principals, create a separate workload identity policy.
BOTTOM LINE
- Prioritize migration of mailbox automation to Microsoft Graph endpoints ahead of the announced EWS retirement for Exchange Online (October 1, 2026).
- Audit permissions and update CA policies to secure mailbox API access.
- Test new Graph methods for mailbox import/export, folder/item lifecycle, and Exchange settings in your pilot environment.
- Monitor the roadmap for mailbox search/batch export improvements and prepare for expanded mailbox lifecycle workflows.