Retirement of RBAC Application Impersonation in Exchange Online

Per Microsoft's announcement, The RBAC role “Application Impersonation” is retiring in Exchange Online by February 2025. Customers are required to implement alternative solutions such as “Application Registrations” (oAuth) in Azure and move away from the RBAC role of “Application Impersonation”.

What will be the impact if the administrators don’t implement the App Registrations and not move away from the RBAC role of “Application Impersonation” in Exchange Online?
Once the RBAC Role “Application Impersonation” is retired in Exchange Online, the apps that are dependent on the role will no longer work.

What actions should Administrators take to avoid the impact due to the retirement of the RBAC role “Application Impersonation”?
Administrators are required to implement alternative solutions such as “Application Registration” (oAuth) in Azure to move away from the traditional RBAC method “Application Impersonation”.

How can Administrators report on the usage of the RBAC role “Application Impersonation”?

• Administrators can review the accounts added to the “Application Impersonation” role in the Exchange Online Admin center by navigating to “Admin Roles”.
• Administrators can run the following cmdlet in Exchange Online PowerShell to get the list of user accounts using the “Application Impersonation” roles.

Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

Helient strongly recommends that customers update the applications using the RBAC role “Application Impersonation” to the oAuth method “Application Registration” in Azure. If you would like more information or assistance in updating the Applications to the oAuth configuration, please contact our industry-leading experts at service@helient.com.