Retirement of RBAC Application Impersonation in Exchange Online
Published Feb 20 2024 01:06 PM 66.5K Views

Update 4/3/2024: We added information about the sample ApplicationImpersonation reporting script.

Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.

Modernizing Application Access

Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.

Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.

Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.

How Does This Affect Me?

All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.

When using EWS, grant scoped access using RBAC for Apps.

Better yet, use Graph, as EWS is going away!

How Do I Find Accounts Using This Type of Access and What Actions Should I Take?

Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:

Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

Update:

You can also use the sample ApplicationImpersonation reporting script that is posted on GitHub here.

This script produces a report of Microsoft 365 3rd party EWS applications using accounts that have the ApplicationImpersonation RBAC role assigned. This script will help provide you with the impacted App Ids and the accounts in use by these applications that are performing EWS Impersonation. You can then use this information to approach your application owners and work with them to migrate to using RBAC for Applications.

For EWS applications requiring one-to-many mailbox access, ensure the application is configured properly with OAuth to use App-only access.

Implement resource-scoped access using Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.
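The audit command above and the migration to RBAC for Applications, worked through end to end as an added example. This is not the Exchange team's sample script; it assumes the ExchangeOnlineManagement module and a role that can manage RBAC, and `<APP-ID>`, `<SP-OBJECT-ID>`, the scope filter and the mailbox addresses are placeholders to replace.

```powershell
# Added example, not the Exchange team's sample script. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in admin can read and write RBAC assignments.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit: every account holding ApplicationImpersonation, directly or through a role group,
#    together with the write scope of the assignment.
function Get-ImpersonationAssignmentReport {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod,
                      EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope
}

$report = @(Get-ImpersonationAssignmentReport)
$report | Format-Table -AutoSize
# Keep a copy for the application-owner conversations the post recommends.
$report | Export-Csv -Path .\ApplicationImpersonation-assignments.csv -NoTypeInformation

# An assignment whose write scope is the whole organisation lets the account impersonate
# every mailbox in the tenant; migrate those first.
$unscoped = @($report | Where-Object { $_.RecipientWriteScope -eq 'Organization' })
Write-Host ("{0} of {1} assignments are tenant-wide" -f $unscoped.Count, $report.Count)

# 2. Replacement: RBAC for Applications. Register the app's service principal in Exchange,
#    define a resource scope, then grant the EWS app-only role inside that scope.
$appId      = '<APP-ID>'        # placeholder: Application (client) ID of the Entra app registration
$spObjectId = '<SP-OBJECT-ID>'  # placeholder: Object ID of the enterprise application
New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName 'EWS Archiver (example)'

# Scope by a filterable attribute instead of the whole organisation (placeholder filter).
New-ManagementScope -Name 'EWS Archiver Mailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EWSArchive'"

New-ManagementRoleAssignment -App $appId -Role 'Application EWS.AccessAsApp' `
    -CustomResourceScope 'EWS Archiver Mailboxes'

# 3. Verify the effective grant on one in-scope and one out-of-scope mailbox (placeholder
#    addresses) before the legacy ApplicationImpersonation assignment is removed.
Test-ServicePrincipalAuthorization -Identity $appId -Resource 'in-scope-user@contoso.example'
Test-ServicePrincipalAuthorization -Identity $appId -Resource 'other-user@contoso.example'
```

Older versions of the module named the `New-ServicePrincipal` object parameter `-ServiceId` rather than `-ObjectId`; check `Get-Help New-ServicePrincipal` for the installed version.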

The Exchange Online Team

Last update: Apr 03 2024 07:28 AM