_cparker
It's still not clear to me concerning delegated permissions.
Here is a particular situation:
I have a third-party tool that uses an Azure AD app with the delegated permission "EWS.AccessAsUser.All" via a service account.
The service account has the ApplicationImpersonation role with a resource scope covering around a hundred mailboxes.
With RBAC for apps, it is not possible to give Application EWS.AccessAsApp to this service account because it is in fact not an application.
If I create an Application EWS.AccessAsApp access control for the application itself and remove the ApplicationImpersonation role from the service account, the service account logically no longer has access to the mailboxes concerned.
The problem is that this concerns hundreds of mailboxes, and ApplicationImpersonation is very practical when new mailboxes enter the scope (no adaptation is needed for the application to have access).
The third party tool provider is not yet ready to abandon EWS and delegated permission mode.
Do you see an alternative to using ApplicationImpersonation in my case?
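The RBAC for Applications setup the comment contrasts with ApplicationImpersonation, written out as an added example (not from the original post). It assumes the Exchange Online PowerShell module, and the app id, object id, scope name, filter attribute and mailbox addresses are placeholders; the point it shows is that the app-only assignment can use a filter-based management scope, so mailboxes matching the filter later are covered without editing the assignment.

```powershell
# Added example, not from the original post. Placeholders: <app-id>,
# <object-id>, the scope name, the CustomAttribute1 value and the mailboxes.
Connect-ExchangeOnline

# Make the Entra ID app registration of the third-party tool known to
# Exchange Online as a service principal (values from the app registration).
New-ServicePrincipal -AppId "<app-id>" -ObjectId "<object-id>" -DisplayName "ThirdPartyEwsTool"

# Dynamic scope: every mailbox whose CustomAttribute1 equals "EwsTool" is in
# scope, including mailboxes tagged later (assumed attribute and value).
New-ManagementScope -Name "EwsToolMailboxes" `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EwsTool'"

# App-only EWS access limited to that scope, instead of ApplicationImpersonation
# granted to a service account.
New-ManagementRoleAssignment -App "<app-id>" `
    -Role "Application EWS.AccessAsApp" `
    -CustomResourceScope "EwsToolMailboxes"

# Check the effective scope: a tagged mailbox should be authorized, an
# untagged one should not (placeholder addresses).
Test-ServicePrincipalAuthorization -Identity "<app-id>" -Resource "inscope.user@contoso.example"
Test-ServicePrincipalAuthorization -Identity "<app-id>" -Resource "other.user@contoso.example"
```

Test-ServicePrincipalAuthorization is the quickest way to confirm, after a mailbox is tagged or untagged, that the assignment's effective access changed as intended.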