check before: 2025-11-01
Product:
Exchange, Microsoft 365 Apps, Microsoft 365 suite, Stream
Platform:
Developer, Mac, Online, Web, Windows Desktop, World tenant
Status:
Launched
Change type:
New feature, User impact, Admin impact
Details:
Summary:
Microsoft Exchange Online will enable admins to assign the SMTP.SendAsApp role to applications via App RBAC, allowing group-based or scoped mailbox access. This replaces manual per-mailbox permissions, simplifying OAuth SMTP client onboarding. Rollout begins November 2025, with no end-user impact. Prepare by planning group-based access and updating documentation.
Details:
[Introduction]
We're simplifying how organizations grant applications permission to send email on behalf of mailboxes. Today, customers must manually assign permissions to each individual mailbox using PowerShell, which is time-consuming and inefficient. With this new capability, admins can assign the SMTP.SendAsApp role to an app through App Role-Based Access Control (RBAC), enabling group-based or scoped access to mailboxes. This simplifies onboarding for SMTP clients using OAuth and provides a scalable, secure, and modern approach to managing mailbox access.
This message is associated with Microsoft 365 Roadmap ID 498356.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025.
Release Phase:
General Availability, Preview
Created:
2025-09-25
updated:
2025-09-25
Direct effects for Operations**
SMTP Client Onboarding Process
Without proper preparation, the transition to App RBAC for SMTP onboarding may lead to confusion and delays in granting necessary permissions to applications, resulting in potential service disruptions for users relying on email functionalities.
- roles: IT Admins, Helpdesk Support
- references: https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=498356
Documentation and Communication Gaps
Failure to update internal documentation and communicate changes to support teams may result in inconsistent application of new permissions, leading to user frustration and increased support tickets due to lack of clarity on the new onboarding process.
- roles: IT Admins, Helpdesk Support
- references: https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=498356
explanation for non-techies**
Microsoft Exchange Online is introducing a new way for administrators to manage how applications send emails on behalf of mailboxes. Imagine you're organizing a large event and need to give access to a venue. Previously, you had to hand out individual keys to each person attending, which was time-consuming and prone to errors. Now, you can simply create a list of attendees and give the venue a single key that works for everyone on that list. This new method is similar to what Microsoft is doing with mailbox access.
Currently, admins need to manually assign permissions to each mailbox, much like handing out individual keys. This process can be cumbersome and inefficient. With the new system, admins can assign a role called SMTP.SendAsApp to an application, allowing it to access mailboxes based on groups or specific criteria, much like using a single key for a group of people. This approach not only saves time but also enhances security and scalability.
This change will begin rolling out in November 2025 and will not affect end users directly. However, admins should prepare by organizing mailboxes into groups and updating any internal documentation that explains how mailbox permissions are managed. It's also a good idea to inform support teams about this change so they can assist if needed.
In summary, this update simplifies the process of granting applications permission to send emails, making it more efficient and secure. Just like moving from individual keys to a master key for group access, this change streamlines operations and reduces the potential for errors.
** AI generated content. This information must be reviewed before use.