Update: please see our updated blog post on this subject.
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts star...
Updated Nov 22, 2024
Version 12.0
Blog Post
_cparker
Microsoft
MicrosoftTomasHugan By default it's a delegating assignment, meaning the Org Management role group has the ability to assign the ApplicationImpersonation role.
PS C:\Users\cparker.NORTHAMERICA> Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -Delegating $true | ft -AutoSize
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- -----------------
ApplicationImpersonation-Organization Management-Delegating ApplicationImpersonation Organization Management RoleGroup Direct All Group Members
ApplicationImpersonation-Organization Management-Delegating ApplicationImpersonation Organization Management RoleGroup RoleGroup 8mc4r2
PS C:\Users\cparker.NORTHAMERICA> Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -Delegating $false | ft -AutoSize
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserNa
me
---- ---- ---------------- ---------------- ---------------- ---------------
ApplicationImpersonation-RIM-MailboxAdmins6f98052559ee40f0b52b42 ApplicationImpersonation RIM-MailboxAdmins6f98052559ee40f0b52b42a04079cbcc RoleGroup Direct All Group Me...
The full_access_as_app Application permission can be used; however, we recommend configuring RBAC for Applications going forward.