Application Impersonation RBAC Role is Deprecated in Exchange Online
Microsoft announced the deprecation of the Application Impersonation role in Exchange Online, a move aimed at enhancing security within the platform. This role, traditionally used to grant applications broad access to multiple mailboxes, is being phased out due to its extensive permissions and potential security risks. The deprecation process is as follows:
- May 2024: New assignments of the Application Impersonation role will be blocked.
- February 2025: Complete removal of the Application Impersonation role and its feature set from Exchange Online.
What to do now
Mark, our BitTitan migration expert, has created a tutorial video so you can learn the new steps for assigning access control for your migration. The video begins with setting up endpoints for a MigrationWiz project that involves Microsoft 365 at the source and/or the destination. Then, you’ll see how to use PowerShell to create the management scope, create a new service principal, and assign the management role. After assigning API application permissions and creating a new one-time ‘client secret’ password, you’re ready to proceed with your migration.
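The PowerShell steps named above (management scope, service principal, role assignment) look roughly like this in Exchange Online PowerShell. This is an added example, not BitTitan's script or the code shown in the video; the IDs, scope name, recipient filter, mailbox addresses and the choice of role are placeholders or assumptions to replace with the values your migration documentation specifies.

```powershell
# Added example, not the vendor's script. Requires the ExchangeOnlineManagement
# module and an account allowed to manage Exchange Online roles.
Connect-ExchangeOnline

# Placeholders and assumptions: replace with your own values.
$AppId     = '<application-client-id>'      # app registration (client) ID in Entra ID
$ObjectId  = '<enterprise-app-object-id>'   # object ID of the Enterprise application (service principal)
$ScopeName = 'Migration Batch 1'            # hypothetical scope name
$RoleName  = 'Application EWS.AccessAsApp'  # assumption: use the role your tool's documentation names
$Filter    = "CustomAttribute1 -eq 'MigrationBatch1'"   # constructed filter marking in-scope mailboxes
$TestMailboxes = 'in.scope@contoso.example', 'out.of.scope@contoso.example'   # constructed addresses

# 0. Inventory the legacy grants that stop working once the role is removed.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope

# 1. Management scope: only mailboxes matching the filter are reachable by the app.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter

# 2. Service principal: an Exchange-side pointer to the existing Entra ID application.
New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'Mailbox migration app'

# 3. Role assignment: bind the application role to the app, limited to the scope.
New-ManagementRoleAssignment -App $ObjectId -Role $RoleName -CustomResourceScope $ScopeName

# 4. Verify: InScope should be True for the first mailbox and False for the second.
foreach ($mailbox in $TestMailboxes) {
    Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource $mailbox |
        Format-Table RoleName, GrantedPermissions, AllowedResourceScope, ScopeType, InScope
}
```

Test-ServicePrincipalAuthorization reports only the Exchange RBAC grants; application permissions consented directly in Entra ID apply tenant-wide and are not narrowed by the management scope, so review those separately.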
Be Ready for the Change
From February 2025, Microsoft has started the deprecation process to remove the Application Impersonation role from O365. Exchange On-premises and Hosted Exchange are not affected by these changes. For further information please see this article.
If you are currently using Application Impersonation for your migrations, it’s only a matter of time before this method becomes obsolete and stops functioning. It is highly recommended that you switch to using the new API permission process to avoid delays in your project due to permission failures.
For MigrationWiz users, this change necessitates a transition to alternative authentication methods to ensure uninterrupted service. MigrationWiz has been proactive in addressing this shift by adopting new APIs that eliminate the need for the Application Impersonation role. Users are advised to utilize PowerShell scripts provided by MigrationWiz to enable these new authentication methods. This approach not only aligns with Microsoft’s security enhancements but also removes the previous requirement of using Global Admin accounts with RBAC Impersonation.
As always, BitTitan also supports your migrations with meticulous documentation. A Knowledge Base article has already been written to guide you through the changes to application impersonation. You can read it here, and use it as a companion for your next Microsoft 365 migration: Replacement to the Retirement of Role-Based Access Control for Applications in Exchange Online.
Contact us if you have questions or need help with a migration. You and your team can learn from any of the videos in our expanding tutorial library, any time.