_cparker I've been banging my head against this and I wonder if you can confirm my suspicion that my product is not affected by this.
My company runs a cloud offering where our users (each a company with an M365 setup) do the following:
1. They create an Enterprise Application in their Azure AD
2. They give that Enterprise Application access to the Office 365 Exchange Online API, with a claim of full_access_as_app
3. They then provide our product with their Enterprise Application information: Application ID, Azure Tenant ID, the cert they create and upload and the password to the cert file
4. Our app then creates client credentials from their Certificate via MSAL
5. Using those credentials, we access the various mailboxes in that customer's M365 setup via EWS to manipulate messages
This seems to avoid the deprecation of RBAC mentioned above, since we're not using a single tenant to delegate access to those other tenants. Can you confirm?
Thanks,
Jim
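An added example, not part of the original post or the poster's product: an offline inspection of the access token obtained in step 4, checking that it is an app-only token issued in the customer's own tenant to the customer's own application and carrying `full_access_as_app`. The claim names (`tid`, `appid`/`azp`, `aud`, `roles`, `scp`) are standard Azure AD token claims; the audience value, the function names and all sample identifiers are assumptions made for this example.

```python
import base64
import json

EWS_AUDIENCE = "https://outlook.office365.com"  # assumed audience for EWS tokens
REQUIRED_ROLE = "full_access_as_app"            # app role named in step 2


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_only_token(jwt: str, tenant_id: str, app_id: str) -> list:
    """Return a list of problems; an empty list means the token matches the setup."""
    c = decode_claims(jwt)
    problems = []
    if c.get("tid", "").lower() != tenant_id.lower():
        problems.append("tid is not the customer's tenant")
    if (c.get("appid") or c.get("azp", "")).lower() != app_id.lower():
        problems.append("token was not issued to the customer's application")
    if c.get("aud", "").rstrip("/") != EWS_AUDIENCE:
        problems.append("unexpected audience")
    if "scp" in c:  # scp marks a delegated token; app-only tokens carry roles
        problems.append("delegated (user) token, not app-only")
    if REQUIRED_ROLE not in c.get("roles", []):
        problems.append("missing role " + REQUIRED_ROLE)
    return problems


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url(json.dumps(claims).encode()) + ".sig"


# Constructed sample values, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
APP = "22222222-2222-2222-2222-222222222222"
GOOD = make_sample({"tid": TENANT, "appid": APP, "aud": EWS_AUDIENCE,
                    "roles": [REQUIRED_ROLE]})
BAD = make_sample({"tid": "33333333-3333-3333-3333-333333333333", "appid": APP,
                   "aud": EWS_AUDIENCE, "scp": "EWS.AccessAsUser.All"})
```

The check reads claims for diagnostics only; signature validation remains the job of the service that accepts the token.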