Microsoft 365 Message Center Archive

MC1163922 - Upcoming Secure by Default Settings Changes for Exchange and Teams APIs

Message ID

MC1163922

View in Message Center

Service

Exchange Online
Microsoft Teams

Published

Oct 2, 2025

Tag

Major change
User impact
Admin impact

Summary

Starting late October to November 2025, Microsoft will require admin consent for third-party apps accessing Exchange and Teams content via Microsoft-managed default consent policy. This enhances security by restricting user consent, affecting new app permissions but not existing approved apps. Admins should review app access and configure consent workflows accordingly.

More information

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default" principle, we are updating the Microsoft-managed default consent policy in Microsoft 365 Graph to align with Microsoft’s ongoing security improvements, help you to meet industry best practices, and harden your tenant’s security posture. These changes enable admins to better control third-party app access for Exchange and Teams content.

This is the next step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of SFI. This update follows our recent SharePoint and OneDrive changes that blocked legacy protocols and required admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach. admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach.

When this will happen:

These changes will begin rolling out by end of October 2025 and are expected to be completed by late-November 2025.

How this affects your organization:

The following settings will be updated:

Change Impact
Require admin consent for apps accessing Exchange and Teams content  For customers using the Microsoft-managed default consent policy, admin approval will be required for third-party apps accessing Exchange and Teams content via Microsoft Graph, Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP3, and IMAP4.

To preserve end-user experience, some Exchange email clients are exempted from this change. Administrators can review and modify as noted below.

These changes will be reflected as an update to the Microsoft-managed default consent policy. With this change, any organization using the Microsoft-managed user consent policy will require admin consent for Mail, Teams Chat and Meetings functionality across various protocols. Learn more about Graph permissions.

  • Organizations using other user consent policies will not be affected.
  • These changes will not require additional licensing.

What you can do to prepare:

We recommend the following actions:

  • Assess current configurations: Review existing third-party applications that access Exchange mail, calendar, contacts, and Teams chat/meetings data.
    • If you already intend to allow user consent for certain third-party apps, we recommend that you create granular app access policies in advance, so those apps remain usable without interruption (Manage app consent policies, Configure how users consent to applications)
    • If you are already using another consent policy that covers applications that will be impacted by this change and are satisfied with the policy, no changes are required from your end.
  • Configure Admin Consent workflow: If your organization relies on third-party apps for Exchange or Teams, set up the workflow (Configuring admin consent workflow); it will enable users to send a request to your global or app admin(s) to approve use of an application for users. Otherwise, potential users will not have an option to request admin approval.
  • Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.
  • Update documentation: Ensure internal processes and app onboarding guidance reflect the new defaults and the admin consent process.

Additional considerations:

Does the change alter how existing customer data is processed and stored?

  • No, it doesn’t change how data is processed or stored.

Does the change alter how existing customer data is accessed?

  • Yes, moving forward only admins may approve access for the set of permissions outlined above. Users cannot grant consent to third-party applications that access Exchange and Teams data via delegated permissions.

What is the impact on existing applications?

  • Users who have already granted consent to an app can continue to use it without interruption. New users, or apps requesting new or broader permissions, will require admin approval before they can be used. This ensures that only applications explicitly validated by the admin(s) can gain new access moving forward.