We currently have a 3rd party company that is operating a piece of software. This software uses a service account to which we've given the App-Impersonation RBAC role against a very narrow RBAC recipient scope (just a few mailboxes), because that software seriously manipulates the emails inside those mailboxes (e.g. moving, deleting, changing subjects, marking as read/unread, setting flags, etc.). This application connects to those mailboxes using EWS and Basic Authentication.
Because the application is operated by a 3rd party, the safest way for us (the Exchange admins) to ensure it only has access to that narrow scope of mailboxes was to use RBAC.
Once Basic Auth is stopped, the software will have to use the OAuth client credentials flow, which requires a global admin grant (this grants read/write permission to the application against ALL mailboxes in the tenant, and this scope currently cannot be restricted to only a few select mailboxes!!!). This means that the 3rd party operator will have a way to access ALL our mailboxes in the tenant in read/write mode, without us (the Exchange admins) having any possibility to restrict that from the EXO side...
Is Microsoft also considering this scenario when proposing the OAuth client credentials flow as a replacement for EWS/IMAP/POP/AS for automated systems (aka daemons)?
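As an added example (not code from the original post), this is the narrowly scoped ApplicationImpersonation assignment the post describes, written in Exchange Online PowerShell with a verification step; the service account, mailbox addresses and the custom attribute value are placeholders, not values from the post.

```powershell
# Added example: scoping ApplicationImpersonation to a handful of mailboxes
# with an RBAC management scope, then checking the result.
# Placeholders (not from the post): svc-mailapp@contoso.example, the two
# shared mailboxes, and the tag value "MailAppScope" in CustomAttribute1.

# Weak setting, for comparison: with no custom write scope the assignment
# falls back to the org-wide default and covers every recipient in the tenant.
# New-ManagementRoleAssignment -Name "MailApp-Impersonation" `
#     -Role ApplicationImpersonation -User svc-mailapp@contoso.example

# 1. Tag only the mailboxes the application is allowed to touch.
Set-Mailbox -Identity shared-intake@contoso.example -CustomAttribute1 "MailAppScope"
Set-Mailbox -Identity shared-claims@contoso.example -CustomAttribute1 "MailAppScope"

# 2. Build a recipient restriction scope that resolves only to those mailboxes.
New-ManagementScope -Name "MailApp-Mailboxes" `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'MailAppScope'"

# 3. Assign ApplicationImpersonation to the service account, bounded by that scope.
New-ManagementRoleAssignment -Name "MailApp-Impersonation" `
    -Role ApplicationImpersonation `
    -User svc-mailapp@contoso.example `
    -CustomRecipientWriteScope "MailApp-Mailboxes"

# 4. Check: the assignment must show the custom scope, not the org-wide default.
Get-ManagementRoleAssignment -RoleAssignee svc-mailapp@contoso.example `
    -Role ApplicationImpersonation |
    Format-List Name, RecipientWriteScope, CustomRecipientWriteScope

# 5. Check: which recipients the scope actually matches right now.
Get-Recipient -Filter "CustomAttribute1 -eq 'MailAppScope'" |
    Select-Object Name, PrimarySmtpAddress
```

Re-run step 5 whenever mailboxes are tagged or untagged, since anything that later receives the attribute value silently joins the scope.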