[ad_1]
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.
Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.
Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.
Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.
All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.
When using EWS, grant scoped access using RBAC for Apps.
Better yet, use Graph, as EWS is going away!
How Do I Find Accounts Using This Type of Access and What Actions Should I Take?
Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
For EWS applications requiring 1 to many mailbox access, ensure the application is configured properly with OAuth to use App-only access.
Implement resource-scoped access using Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.
The Exchange Online Team
[ad_2]
Source link
