Bits & Bytes

The BitTitan Blog for Service Providers

03/14/2025

Application Impersonation RBAC Role is Deprecated in Exchange Online

Microsoft announced the deprecation of the Application Impersonation role in Exchange Online, a move aimed at enhancing security within the platform. This role, traditionally used to grant applications broad access to multiple mailboxes, is being phased out due to its extensive permissions and potential security risks. The deprecation process is as follows:

  • May 2024: New assignments of the Application Impersonation role will be blocked.
  • February 2025: Complete removal of the Application Impersonation role and its feature set from Exchange Online.

What to do now

Mark, our BitTitan migration expert, has created a tutorial video so you can learn the new steps for assigning access control for your migration. The video begins with setting up endpoints for a MigrationWiz project that involves Microsoft 365 at the source and/or the destination. Then, you’ll see how to use PowerShell to create the management scope, create a new service principle, and assign the management role. After assigning API application permissions and creating a new one-time ‘client secret’ password, you’re ready to proceed with your migration.

Be Ready for the Change

From February 2025, Microsoft has started the depreciation process to remove the Application Impersonation role from O365. Exchange On-premises and Hosted Exchange are not affected by these changes. For further information please see this article.

If you are currently using Application Impersonation for your migrations, it’s only a matter of time before this method becomes obsolete and stops functioning. It is highly recommended that you switch to using the new API permission process to avoid delays in your project due to permission failures.

For MigrationWiz users, this change necessitates a transition to alternative authentication methods to ensure uninterrupted service. MigrationWiz has been proactive in addressing this shift by adopting new APIs that eliminate the need for the Application Impersonation role. Users are advised to utilize PowerShell scripts provided by MigrationWiz to enable these new authentication methods. This approach not only aligns with Microsoft’s security enhancements but also removes the previous requirement of using Global Admin accounts with RBAC Impersonation.

As always, BitTitan also supports your migrations with meticulous documentation. A Knowledge Base article has already been written to guide you through the changes to application impersonation. You can read it here, and use it as a companion for your next Microsoft 365 migration: Replacement to the Retirement of Role-Based Access Control for Applications in Exchange Online.

Contact us if you have questions or need help with a migration. You and your team can learn from any of the videos in our expanding tutorial library, any time.

Related Posts

Unlocking Revenue from M&A: A Guide for MSPs

Unlocking Revenue from M&A: A Guide for MSPs

Unlocking Revenue from M&A: A Guide for MSPs Mergers and acquisitions (M&A) continue to be a significant organizational strategy, especially in industries like healthcare, financial services, and technology. Managed Service Providers (MSPs) with the right...

Related Posts

Unlocking Revenue from M&A: A Guide for MSPs

Unlocking Revenue from M&A: A Guide for MSPs

Unlocking Revenue from M&A: A Guide for MSPs Mergers and acquisitions (M&A) continue to be a significant organizational strategy, especially in industries like healthcare, financial services, and technology. Managed Service Providers (MSPs) with the right...

Register for a FREE BitTitan Account

Create an account now and start planning your project.