Blog Post

Exchange Team Blog
2 MIN READ

Retirement of RBAC Application Impersonation in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Feb 20, 2024
Update: please see our updated blog post on this subject. Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts star...
Updated Nov 22, 2024
Version 12.0
announcements
development
exchange online
scripting
security
_cparker's avatar
_cparker
Icon for Microsoft rankMicrosoft
Mar 13, 2024

Shabbir Hasan you'll probably want to use the Unified Audit Logs to discover which impersonation accounts are being used by which applications in your org. For example, the process may look like the following:

 

  1. Get the list of "AppImpersonation users" via the Get-ManagementRoleAssignement cmdlet
  2. For each user, get their SID using Get-User cmdlet
  3. Do a UAL search (UI or PS), filtering on MailItemsAccessed
  4. For each SID, review UAL results for events with the SID as LogonUserSid and a different SID/UPN for the MailboxOwnerSid/MailboxOwnerUPN mailbox. Note the AppId
  5. Identify App Owner(s) and advise on migrating ASAP

 

Regarding your question around managing RBAC for Applications, you currently need to manage this via Exchange Online PowerShell.