MC1163922 – Upcoming Secure by Default Settings Changes for Exchange and Teams APIs (archived)

Product:

Exchange, Microsoft Graph, OneDrive, SharePoint, Teams

Platform:

Developer, Online, Web, World tenant

Status:

Change type:

User impact, Admin impact

Links:

Details:

Summary:
Starting late October to November 2025, Microsoft will require admin consent for third-party apps accessing Exchange and Teams content via Microsoft-managed default consent policy. This enhances security by restricting user consent, affecting new app permissions but not existing approved apps. Admins should review app access and configure consent workflows accordingly.

Details:
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we are updating the Microsoft-managed default consent policy in Microsoft 365 Graph to align with Microsoft's ongoing security improvements, help you to meet industry best practices, and harden your tenant's security posture. These changes enable admins to better control third-party app access for Exchange and Teams content.
This is the next step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of SFI. This update follows our recent SharePoint and OneDrive changes that blocked legacy protocols and required admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach. admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach.
[When this will happen:]
These changes will begin rolling out by end of October 2025 and are expected to be completed by late-November 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-10-02

updated:
2025-10-02

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Admin Consent Requirement
Admins will need to approve all new third-party app access to Exchange and Teams content, potentially delaying app integration and usage.
   - roles: IT Admins, App Owners
   - references: https://learn.microsoft.com/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal, https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-1.0

User Experience Disruption
Users may experience interruptions in accessing new third-party applications if admin consent is not obtained in a timely manner.
   - roles: End Users, IT Support
   - references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://www.microsoft.com/trust-center/security/secure-future-initiative

Increased Administrative Workload
IT admins will face increased workload to review and manage app permissions and consent workflows, impacting their availability for other tasks.
   - roles: IT Admins, Security Teams
   - references: https://learn.microsoft.com/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-graph, https://learn.microsoft.com/entra/identity/enterprise-apps/configure-user-consent?pivots=portal

Potential App Access Delays
New users or apps requesting broader permissions will face delays in access until admin approval is granted, affecting productivity.
   - roles: End Users, App Owners
   - references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal, https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-1.0

Need for Updated Documentation
Organizations will need to update internal documentation and processes to reflect the new consent requirements, which may lead to confusion if not communicated effectively.
   - roles: IT Admins, Training Teams
   - references: https://learn.microsoft.com/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://www.microsoft.com/trust-center/security/secure-future-initiative

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Security Management
The requirement for admin consent for third-party apps accessing Exchange and Teams content provides an opportunity to enhance security management within the organization. By implementing stricter controls on app permissions, organizations can reduce the risk of unauthorized access to sensitive data.
   - next-steps: Conduct a comprehensive review of existing third-party applications to identify those requiring admin consent and establish new access policies for future applications.
   - roles: IT Administrators, Security Teams, Compliance Officers
   - references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal, https://www.microsoft.com/trust-center/security/secure-future-initiative

Streamlined App Approval Process
Configuring an admin consent workflow allows for a more efficient app approval process, where users can request access to necessary applications. This can enhance user experience by minimizing downtime and ensuring that users have the tools they need to perform their jobs effectively.
   - next-steps: Set up the admin consent workflow to enable users to send requests for app access and ensure that IT admins are informed and trained on the new process.
   - roles: IT Administrators, End Users, Application Owners
   - references: https://learn.microsoft.com/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-graph

Improved Documentation and Training
Updating internal documentation and processes to reflect the new consent requirements will improve clarity and training for both IT staff and end users. This ensures that everyone understands the new procedures and the rationale behind them, leading to better compliance and fewer support requests.
   - next-steps: Revise internal documentation and conduct training sessions for IT staff and end users on the new consent processes and security policies.
   - roles: IT Administrators, Training Coordinators, End Users
   - references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal, https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-1.0

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Microsoft is implementing changes to enhance security for Exchange and Teams by requiring admin consent for third-party apps. Think of it like adding a security gate to a community. Previously, residents (users) could let visitors (apps) in on their own. Now, the community board (admins) needs to approve these visitors to ensure they’re safe and trustworthy.

This change means that any new third-party app wanting to access Exchange or Teams content will need to get approval from an admin. However, apps that have already been approved by users can continue to operate without interruption. This is similar to how existing residents' friends can still visit without needing new permission.

For organizations, this means reviewing which apps currently have access and setting up a process for users to request admin approval for new apps. This ensures that only vetted and necessary apps can access sensitive information, much like a security team reviewing who gets access to a building.

Admins should prepare by assessing current app configurations and setting up workflows to handle approval requests. This preparation will help maintain smooth operations and ensure that necessary apps remain accessible while keeping security tight.