Blog Post

Exchange Team Blog
2 MIN READ

Retirement of RBAC Application Impersonation in Exchange Online

The_Exchange_Team's avatar
Feb 20, 2024

Update: please see our updated blog post on this subject.

Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in September 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.

Modernizing Application Access

Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.

Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.

Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.

How Does This Affect Me?

All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.

When using EWS, grant scoped access using RBAC for Apps.

Better yet, use Graph, as EWS is going away!

How Do I Find Accounts Using This Type of Access and What Actions Should I Take?

Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:

Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -Delegating:$false

Update:

You can also use the sample ApplicationImpersonation reporting script that is posted on GitHub here.

This script produces a report of Microsoft 365 3rd party EWS applications using accounts that have the ApplicationImpersonation RBAC role assigned. This script will help provide you with the impacted App Ids and the accounts in use by these applications that are performing EWS Impersonation. You can then use this information to approach your application owners and work with them to migrate to using RBAC for Applications.

For EWS applications requiring 1 to many mailbox access, ensure the application is configured properly with OAuth to use App-only access.

Implement resource-scoped access using Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.

The Exchange Online Team

Updated Nov 22, 2024
Version 12.0