cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Retirement of RBAC Application Impersonation in Exchange Online
By
The_Exchange_Team
Published Feb 20 2024 01:06 PM 72.2K Views
The_Exchange_Team
Microsoft
‎Feb 20 2024 01:06 PM

Retirement of RBAC Application Impersonation in Exchange Online

‎Feb 20 2024 01:06 PM

Update 5/31/2024: We changed the timeline from May to June 2024.

Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in June 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.

Modernizing Application Access

Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.

Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.

Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.

How Does This Affect Me?

All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.

When using EWS, grant scoped access using RBAC for Apps.

Better yet, use Graph, as EWS is going away!

How Do I Find Accounts Using This Type of Access and What Actions Should I Take?

Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:

 

 

Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

 

 

Update:

You can also use the sample ApplicationImpersonation reporting script that is posted on GitHub here.

This script produces a report of Microsoft 365 3rd party EWS applications using accounts that have the ApplicationImpersonation RBAC role assigned. This script will help provide you with the impacted App Ids and the accounts in use by these applications that are performing EWS Impersonation. You can then use this information to approach your application owners and work with them to migrate to using RBAC for Applications.

For EWS applications requiring 1 to many mailbox access, ensure the application is configured properly with OAuth to use App-only access.

Implement resource-scoped access using Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.

The Exchange Online Team

138 Comments
Co-Authors
Version history
Last update:
‎May 31 2024 12:20 PM
Updated by:
Labels