Microsoft has announced that it will block the assignment of the ApplicationImpersonation role in Exchange Online to accounts from May 2024, with a total removal of this role and its feature in February 2025. This transition away from Application Impersonation is a part of Microsoft’s strategy to modernize apps’ access across its ecosystem by focusing on security, efficiency, and standardization.
The immediate impact? All apps must have an App Registration and use a secure credential for access when Application permissions are employed.
What is Application Impersonation Mode?
Application Impersonation is a Role-Based Access Control (RBAC) feature in Exchange Online that enables applications to take on the identity of users to access their mailboxes. Essentially, it allows software to perform actions as if they were the user, facilitating tasks such as reading emails, managing calendar appointments, or even sending messages on behalf of the user.
This capability was useful in environments where automated processes need to interact with email data across a range of user accounts, such as during data migration, synchronization of calendars and contacts, or specific business workflows.
What Does This Mean for Microsoft Users?
With Microsoft’s decision to retire App Impersonation, applications will no longer have the ability to access mailboxes in this way. Apparently, Microsoft is shifting towards more modern and secure methods of mailbox access, and technologies like the Microsoft Identity Platform and OAuth protocols will be taking the forefront. These methods provide enhanced security features like improved control over permissions and auditing capabilities.
For end users, this transition means that their mailbox data should be accessed in a more secure and controlled manner, reducing the risk of unauthorized access. Developers and IT professionals will also need to adapt to these new standards to ensure that their applications comply with the latest security practices.
Who Does This Affect?
The phase out of Application Impersonation will primarily impact organizations and developers who have applications that currently depend on it for accessing Exchange Online mailboxes. This applies to a broad range of software, from enterprise-level applications used for managing communication and collaboration within large organizations to specialized tools designed for tasks like customer relationship management, automated reporting, and data backups.
For these entities, the change will require a review and potential redesign of their applications to align with the new access methods.
Is There an Alternative?
Microsoft suggests using the Microsoft Graph API as a viable alternative. For Exchange Web Services (EWS) applications requiring access to multiple mailboxes, OAuth configuration for App-only access is advised.
Microsoft Graph API is a modern interface that offers access to Microsoft 365 services, including mailbox data. It also offers updated security protocols and offers granular control over data access.
For developers, transitioning to the Microsoft Graph API offers a unified and secure approach to interacting with Microsoft services, while for organizations, it provides a reliable way of integrating their systems with Microsoft 365.
Transitioning to Microsoft Graph API
To adapt to this change, developers will need to migrate their applications to use Microsoft Graph API, which offers broad access to Microsoft 365 services.
The following are some steps for making the transition:
- Registering your application in Microsoft Entra.
- Using App-only access with OAuth for securing access.
- Implementing scoped access using Role-Based Access Control for Applications in Exchange Online. See documentation from Microsoft that may help.
