End of the ApplicationImpersonation role in Exchange Online: Everything you need to know
Christian Lipp >> 21 November 2024

Since September 2024, Microsoft has blocked the use of the ApplicationImpersonation role in Exchange Online, and from February 2025 it will be completely abolished. Applications that use this function should be switched to modern alternatives in good time.
What is the ApplicationImpersonation role?
The ApplicationImpersonation role enables applications to access mailboxes on behalf of a user without the user being actively logged in. Common areas of use are:
- Archiving tools that back up emails from multiple mailboxes.
- CRM systems that integrate email data.
- Automated processes, such as email forwarding or calendar management.
This function is based on the outdated Exchange Web Services (EWS) API, which is being replaced by the more modern Microsoft Graph API.
Why is it being abolished?
The abolition is taking place for several reasons:
- Security improvement: The ApplicationImpersonation role offers little control over mailbox access and actions.
- Increased transparency: With Role-Based Access Control (RBAC), permissions can be managed in a more targeted and traceable manner.
- More flexible administration: The Graph API enables more granular permission control and easier administration.
What does this mean?
As of September 2024, no new permissions can be granted with the ApplicationImpersonation role. From February 2025, existing applications that rely on this role will lose their access. The switch to OAuth-based authentication and the Microsoft Graph API will be necessary. RBAC replaces the previous authorization structures and offers precise control options.
What steps are necessary?
- Analysis of the existing configuration: PowerShell can be used to check which accounts are currently using the ApplicationImpersonation role. A script available on GitHub helps identify affected applications and app IDs.
- Migration to modern technologies: The switch to OAuth and Microsoft Graph API ensures future-proof and secure administration.
- Setting up RBAC: Access rights can be defined granularly and transparently.
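
For the analysis step, the following added example (not the GitHub script mentioned above, and not code from the original article) lists every ApplicationImpersonation assignment and flags the ones that are not limited to a custom recipient scope. It assumes the ExchangeOnlineManagement module is installed and the session has Exchange administrator rights; the CSV file name is an arbitrary choice.

```powershell
# Added example: inventory of ApplicationImpersonation assignments in Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# -GetEffectiveUsers expands role groups, so accounts that hold the role
# indirectly (through group membership) appear as their own rows.
$assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers

$report = foreach ($a in $assignments) {
    [pscustomobject]@{
        Assignment       = $a.Name
        Assignee         = $a.RoleAssigneeName
        AssigneeType     = $a.RoleAssigneeType
        EffectiveUser    = $a.EffectiveUserName
        AssignmentMethod = $a.AssignmentMethod      # Direct or via a role group
        RecipientScope   = $a.RecipientWriteScope
        CustomScope      = $a.CustomRecipientWriteScope
        Enabled          = $a.Enabled
        # 'Organization' scope means the assignee can impersonate every mailbox.
        OrgWide          = ($a.RecipientWriteScope -eq 'Organization')
    }
}

# Organization-wide assignments first: these are the migration priorities.
$report | Sort-Object OrgWide -Descending | Format-Table -AutoSize

# Keep a record of the state before any assignment is changed or removed.
$report | Export-Csv -Path .\ApplicationImpersonation-audit.csv -NoTypeInformation -Encoding UTF8

# Summary per assignee, to map service accounts back to the applications using them.
$report | Group-Object Assignee |
    Select-Object Name, Count, @{ n = 'OrgWide'; e = { [bool]($_.Group.OrgWide -contains $true) } }

Disconnect-ExchangeOnline -Confirm:$false
```

Each assignee in the output is a service account or role group whose owning application needs a migration plan to OAuth and Microsoft Graph.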
Summary
The ApplicationImpersonation role will be deactivated shortly. The switch to the Microsoft Graph API and RBAC not only offers more security, but also simpler and more transparent administration.