Integration
CYNC is built natively on Microsoft Graph — no EWS, no legacy protocols. Here's exactly how CYNC uses Graph to sync Entra ID users into Exchange Online contact folders.
CYNC uses the Microsoft Graph delta query endpoint to detect only the users that changed since the last sync run. The delta token is persisted in the local SQLite database. A 10,000-user tenant typically syncs in under 30 seconds when only a handful of users have changed.
GET https://graph.microsoft.com/v1.0/users/deltaEach contact CYNC writes carries a Microsoft Graph Open Extension with a stable correlation ID derived from the Entra ID user's objectId. On subsequent runs, CYNC matches existing contacts by extension instead of fragile name or email matching — preventing duplicates and stale entries.
POST /users/{id}/contacts/{id}/extensionsWhere possible, CYNC uses /v1.0/$batch to combine up to 20 sub-requests per HTTP call. This dramatically reduces round-trips during large mailbox sync runs and stays under per-app throttling thresholds.
POST https://graph.microsoft.com/v1.0/$batchWhen Graph returns 429 or 503, CYNC honors the Retry-After header, applies exponential backoff with jitter, and resumes from the failed sub-request. The dashboard exposes throttle events so admins can tune concurrency.
Retry-After header handlingCYNC authenticates using a self-signed certificate stored in the Windows Certificate Store. No client secrets, no user impersonation, no OAuth tokens persisted to disk — the most secure Graph auth pattern Microsoft documents.
MSAL ConfidentialClient with cert assertionUser profile photos are streamed directly from /users/{id}/photo/$value and written to /contacts/{id}/photo/$value, with optional resizing. Photos are content-hashed so unchanged images are skipped.
GET /users/{id}/photo/$valueCYNC uses application (app-only) permissions with admin consent. No user impersonation, no delegated tokens.
| Permission | Type | Why CYNC needs it |
|---|---|---|
| User.Read.All | Application | Read user profiles from Entra ID |
| Group.Read.All | Application | Resolve group memberships for sync targets |
| Contacts.ReadWrite | Application | Create and update contacts on user mailboxes |
Microsoft Graph is the strategic, supported API for Microsoft 365. Exchange Web Services is being retired across many scenarios in October 2026. Graph offers delta queries, Open Extensions, batch requests, and modern authentication that EWS cannot match.
CYNC uses /v1.0 (GA) endpoints for production sync to ensure stability. Beta endpoints are evaluated for new features but not relied upon for the sync engine.
CYNC implements Microsoft's documented throttling guidance: honor Retry-After headers, exponential backoff with jitter, per-tenant request budgets, and batch request size tuning. The dashboard surfaces throttle events so you can monitor and adjust concurrency.
Three Application (app-only) permissions in Microsoft Graph: User.Read.All, Group.Read.All, and Contacts.ReadWrite — all requiring admin consent. CYNC never requests delegated permissions.
Yes. Configure source filters (e.g. members of a security group) and target filters (e.g. mailboxes in a specific OU or department) directly in the dashboard. Only matching users are queried via Graph.
Yes. Configure the appropriate Graph endpoint (graph.microsoft.us for GCC High, dod-graph.microsoft.us for DoD) in appsettings.json. The CYNC sync engine is endpoint-agnostic.
Try CYNC free for 10 users — no credit card, no time limit.