Published Feb 23, 2024
The RBAC Application Impersonation role in Exchange Online is retiring, with the process starting in September 2024 and completion in February 2025. Applications must be updated to avoid disruption, using App Registration and Application permissions. For guidance, visit the provided links.
Updated November 8, 2024: We are following up on our previous announcement regarding the retirement of the ApplicationImpersonation Role Based Access Control (RBAC) role in Exchange Online. As the February 2025 deprecation date is approaching, it is important to follow the guidance in this Message Center post and take action now to ensure applications in your tenant are not using this feature. After this date, applications using this feature that are not updated will no longer work. For additional information, please go to: https://aka.ms/applicationimpersonationdeprecation
We are announcing the retirement of the ApplicationImpersonation Role Based Access Control (RBAC) role in Exchange Online.
When this will happen:
We will begin the retirement in September 2024 (previously May) and in February 2025 will remove this role and its feature set from Exchange Online.
How this will affect your organization:
You are receiving this message because this RBAC role is commonly used with Exchange Web Services (EWS) to enable one-to-many mailbox access. We are removing this feature and will begin blocking the assignment of the ApplicationImpersonation (RBAC) role to accounts.
This will require all apps to have an App Registration, use Application permissions (not Delegated), and use a secure credential for access. Despite this change, if your app is granted the full_access_as_app Application permission, it will provide the same level of mailbox access as the ApplicationImpersonation RBAC role.
What you need to do to prepare:
Review your current configuration and make changes as appropriate to minimize disruption to your service.
For more information, please see: