Graph throttling
Honor Retry-After, exponential backoff, per-tenant budgets, batch request limits.
Replace fragile DIY scripts
PowerShell GAL sync script alternative
Stop maintaining brittle PowerShell scripts for Exchange Online contact sync. CYNC is a managed Windows Service with throttling, retries, and a real dashboard — all built in.
Hidden cost of DIY
Five things every production sync script must handle
CYNC implements all of these once, correctly, for thousands of tenants.
Delta sync
Persist /users/delta tokens correctly across runs to avoid full-tenant scans.
Cert rotation
Detect upcoming cert expiry, rotate without downtime, alert on failure.
Contact correlation
Match existing contacts using a stable ID — Open Extensions, not email matching.
Failure isolation
One bad mailbox shouldn't kill the run. Per-target try/catch with structured logging.
Observability
Real-time progress, alerting, audit trail — not just a console window scrolling by.
DIY script vs CYNC — head to head
Engineering Effort
| Aspect | CYNC | PowerShell script |
|---|---|---|
| Initial development | Install MSI — 15 min | 200–800 lines of PowerShell — days to weeks |
| Testing | Validated against thousands of tenants | You write and maintain test cases |
| Maintenance burden | Auto-updates via WiX MSI | Continuous — script breaks on Graph SDK changes |
| On-call risk | Vendor-supported | You are on-call when sync breaks at 3am |
| Knowledge silo | Documented product | Tribal knowledge — single point of failure if author leaves |
Reliability & Throttling
| Aspect | CYNC | PowerShell script |
|---|---|---|
| Graph API throttling | Auto retry with exponential backoff | You implement Retry-After header handling |
| Token refresh | MSAL with cert auth — built in | Manual ADAL/MSAL token caching code |
| Delta sync | /users/delta — only changed users | Full enumeration every run (slow + costly) |
| Per-mailbox sync resilience | Failed mailbox doesn't stop run | Try/catch around every API call |
| Concurrency control | Tuned parallelism with backpressure | Sequential or naive parallelism |
| Circuit breaker on tenant errors | Built-in | Custom logic required |
Operations & Visibility
| Aspect | CYNC | PowerShell script |
|---|---|---|
| Dashboard | WinUI 3 desktop dashboard | Console output / log files |
| Sync history | SQLite database with full audit | Whatever you log to disk |
| Real-time progress | gRPC streaming UI | Tail a log file |
| Failure alerting | Windows Event Log + dashboard | Custom email/Teams webhook code |
| Scheduling | Cron-style scheduler in service | Task Scheduler trigger |
| Multi-tenant management | Single dashboard | One script per tenant typically |
Security & Compliance
| Aspect | CYNC | PowerShell script |
|---|---|---|
| Authentication | Certificate in Windows Cert Store | Cert + manual cert rotation logic |
| Secrets management | No secrets — cert auth only | You handle pfx files / secret rotation |
| Code signing | Authenticode-signed binaries | Unsigned scripts (or you sign them) |
| Privilege model | Service account, least privilege | Often runs under admin scheduled task |
| Audit trail | Tamper-evident SQLite log | Plain text logs — easy to lose |
Cost
| Aspect | CYNC | PowerShell script |
|---|---|---|
| Licensing | €0.29/user/month (10 free) | Free |
| Engineering time (loaded) | 0 hours/month | 5–20 hours/month for non-trivial setups |
| Outage cost | Vendor-managed reliability | Mailbox-wide stale contacts, helpdesk tickets |
| Total cost at 500 users | ~€122/month + zero engineering | Free + €2,000+/month engineering loaded cost |
FAQ
Why are PowerShell GAL sync scripts a problem?
DIY scripts work until they don't. The Graph SDK gets a breaking change, certificate expires, throttling rules tighten, a mailbox returns an unexpected error and breaks the loop, the engineer who wrote it leaves the company. Each is a one-off failure that costs hours of triage. CYNC turns sync into a product, not a project.
Isn't a script free? Why pay for CYNC?
The script license is free; the engineering hours are not. Even a minimal production script needs delta sync, throttling-aware retry, secret rotation, alerting, scheduling, monitoring, and incident response — easily 5–20 engineer-hours per month for non-trivial deployments. At loaded enterprise rates, CYNC pays for itself within the first 50 users.
What does a typical GAL sync script need to handle?
Microsoft Graph authentication with cert rotation, /users/delta token persistence, batch request construction, 429 Retry-After handling, exponential backoff, partial failure recovery, contact correlation across runs, photo download/upload streams, throttle budgets per tenant, and observability. CYNC implements all of this once, correctly, for thousands of tenants.
Can I migrate from my script gradually?
Yes. Install CYNC alongside your script in shadow mode. Use the dashboard to verify it produces the same contact set on a pilot mailbox group. Once you trust the output, disable the scheduled task and let CYNC own sync going forward. CYNC's Open Extension correlation handles existing contacts cleanly.
What about EWS Managed API scripts?
If your script uses EWS Managed API or the EWS PowerShell snap-in, retirement is even more urgent — Microsoft is removing EWS for many scenarios in October 2026. CYNC is 100% Microsoft Graph, future-proof.
Do I need to know PowerShell to operate CYNC?
No. CYNC has a WinUI 3 dashboard for configuration and monitoring. PowerShell is optional — useful for automation but never required for core sync operations.
Retire the script. Keep the sync.
10 users free per tenant — install in 15 minutes and run shadow-mode against your existing script.