The ApplicationImpersonation Role Based Access Control (RBAC) role in Exchange Online will be retired in May 2024 and removed in February 2025. This will affect organizations using Exchange Web Services (EWS) to enable one-to-many mailbox access. Organizations should review their current configuration and make changes as appropriate to minimize disruption to their service. More information can be found at the provided links.
We are announcing the retirement of the ApplicationImpersonation Role Based Access Control (RBAC) role in Exchange Online.
When this will happen:
We will begin the retirement in May 2024 and in February 2025 will remove this role and its feature set from Exchange Online.
How this will affect your organization:
You are receiving this message because this RBAC role is commonly used with Exchange Web Services (EWS) to enable one-to-many mailbox access. We are removing this feature and will begin blocking the assignment of the ApplicationImpersonation (RBAC) role to accounts.
This will require all apps to have an App Registration, use Application permissions (not Delegated), and use a secure credential for access. Despite this change, if your app is granted the full_access_as_app Application permission, it will provide the same level of mailbox access as the ApplicationImpersonation RBAC role.
What you need to do to prepare:
Review your current configuration and make changes as appropriate to minimize disruption to your service.
For more information, please see: