MC1158911 - Microsoft Exchange Online | SMTP onboarding to App RBAC

Message ID

MC1158911

View in Message Center

Service

Exchange Online

Microsoft 365 suite

Published

Sep 24, 2025

Tag

New feature

User impact

Admin impact

Roadmap ID

498356

View in M365 Roadmap

Platforms

Desktop

Mac

Web

Summary

Microsoft Exchange Online will enable admins to assign the SMTP.SendAsApp role to applications via App RBAC, allowing group-based or scoped mailbox access. This replaces manual per-mailbox permissions, simplifying OAuth SMTP client onboarding. Rollout begins November 2025, with no end-user impact. Prepare by planning group-based access and updating documentation.

More information

Introduction

We're simplifying how organizations grant applications permission to send email on behalf of mailboxes. Today, customers must manually assign permissions to each individual mailbox using PowerShell, which is time-consuming and inefficient. With this new capability, admins can assign the SMTP.SendAsApp role to an app through App Role-Based Access Control (RBAC), enabling group-based or scoped access to mailboxes. This simplifies onboarding for SMTP clients using OAuth and provides a scalable, secure, and modern approach to managing mailbox access.

This message is associated with Microsoft 365 Roadmap ID 498356.

When this will happen:

General Availability (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025.

How this affects your organization:

Who is affected:

Admins managing SMTP AUTH clients using OAuth in Exchange Online.

What will happen:

Admins can assign the SMTP.SendAsApp role to applications via App RBAC.
This enables group-based or scoped access to mailboxes.
Eliminates the need for per-mailbox permission assignments.
Streamlines onboarding for SMTP clients using OAuth.
No changes to end-user experience.

What you can do to prepare:

Prepare to create security or distribution groups for mailboxes requiring access.
Plan for migration from per-mailbox permissions to group-based RBAC assignments.
Communicate this change to your helpdesk or support teams.
Update internal documentation if you currently detail mailbox permission onboarding.
Review onboarding documentation: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Exchange | Microsoft Learn (https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth)

Documentation will be updated November 1^st

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.