Blog Post

Exchange Team Blog
2 MIN READ

Retirement of RBAC Application Impersonation in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Feb 20, 2024
Update: please see our updated blog post on this subject. Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts star...
Updated Nov 22, 2024
Version 12.0
announcements
development
exchange online
scripting
security
Saras870's avatar
Saras870
Copper Contributor
Apr 04, 2024

hi _cparker 

Thanks for the quick response:  For this question: https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/bc-p/4104208/highlight/true#M38585

 

I ran the script with date range for 1 day:

 

./appImpersonationUsersReport.ps1
Listing users with ApplicationImpersonation RBAC role assignemnt:
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- -----------------
ApplicationImpersonation-Organization Management-Delegating ApplicationImpersonation Organization Management RoleGroup RoleGroup user2
ApplicationImpersonation-Organization Management-Delegating ApplicationImpersonation Organization Management RoleGroup RoleGroup admin
Getting the UPN and SID of users with ApplicationImpersonation role assigned:
UserPrincipalName Sid
----------------- ---
user2@xxxxx S-dddddd
admin@xxxxxx S-yyyyyyy
Retrieving audit records for the date range between 04/03/2024 12:50:08 and 04/04/2024 12:50:08, Operations=MailItemsAccessed, ResultsSize=5000
Retrieving audit records for activities performed between 04/03/2024 12:50:08 and 04/03/2024 13:50:08
........
Finished retrieving audit records for the date range between 04/03/2024 12:50:08 and 04/04/2024 12:50:08. Total count: 0
Finding events where AppImpersonation user is accessing a mailbox.

Filtering events that do not indicate Impersonation was being used.

Deduplicating data, mapping Application Ids to Impersonation users.

 

I see that two accounts: "user2" and admin"" are having application impersonation role assigned. But there are no results in audit logs.

although one of the users(mailto:user1@xxx) had performed EWS copyItems  to another mailbox(mailto:admin@xxx) by using the EWS API in this time window-

ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2);
service.setImpersonatedUserId(new ImpersonatedUserId(connectingIdType, "user1@xxxx"));

Does this mean this account is not affected or am i missing something?

Can this API: service.setImpersonatedUserId(new ImpersonatedUserId(connectingIdType, "user1@xxxx")); be used post May 2024?

 

Request your clarification on this.