Update: please see our updated blog post on this subject.
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts star...
Updated Nov 22, 2024
Version 12.0
Blog Post
_cparker We have two scenarios we would like to get clarity on regarding the above retirement:
1. Application that uses ClientCredential (ClientID, ClientSecret) flow to Registered App with "full_access_as_app" api permission, and then use the token to connect with EWS and then impersonate (using ImpersonatedUserId and X-AnchorMailbox header) a user mailbox to send and receive emails. We dont have the ApplicationImpersonation Role assinged. Will this keep on working and will not be affected becuase it does not have the ApplicationImpersonation Role assigned even if we do impersonate from code?
2. Application that uses Authorization Code flow to get a user token (interactive) from Registered App with "EWS.AccessAsUser.All" api permission. Then use the token to connect to EWS. If we want to then impersonate from code (using ImpersonatedUserId and X-AnchorMailbox header), we then had to add the ApplicationImpersonation Role for that user. In this case, we suspect the retirement will have an impact because we assigned the ApplicationImpersonation role? And if we change the role to Application EWS.AccessAsApp then the retirement will not have an impact?