check before: 2025-11-01
Product:
Exchange, Microsoft 365 Apps, Microsoft 365 suite, Stream
Platform:
Developer, Mac, Online, Web, Windows Desktop, World tenant
Status:
In development
Change type:
New feature, User impact, Admin impact
Links:
Details:
Summary:
Microsoft Exchange Online will enable admins to assign the SMTP.SendAsApp role to applications via App RBAC, allowing group-based or scoped mailbox access. This replaces manual per-mailbox permissions, simplifying OAuth SMTP client onboarding. Rollout begins November 2025, with no end-user impact. Prepare by planning group-based access and updating documentation.
Details:
[Introduction]
We're simplifying how organizations grant applications permission to send email on behalf of mailboxes. Today, customers must manually assign permissions to each individual mailbox using PowerShell, which is time-consuming and inefficient. With this new capability, admins can assign the SMTP.SendAsApp role to an app through App Role-Based Access Control (RBAC), enabling group-based or scoped access to mailboxes. This simplifies onboarding for SMTP clients using OAuth and provides a scalable, secure, and modern approach to managing mailbox access.
This message is associated with Microsoft 365 Roadmap ID 498356.
[When this will happen:]
General Availability (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
General Availability, Preview
Created:
2025-09-25
updated:
2025-09-25
Public Preview Start Date
XXXXXXX ... free basic plan only
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
linked item details
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Change Management
Without proper preparation, admins may face difficulties in transitioning from per-mailbox permissions to group-based RBAC assignments, leading to potential access issues for applications that rely on SMTP.
- roles: IT Admins, Support Teams
- references: https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=498356
Documentation and Training
Failure to update internal documentation and communicate changes may result in confusion among support teams, leading to increased support tickets and user frustration.
- roles: Helpdesk Staff, IT Admins
- references: https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=498356
Configutation Options**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
Microsoft Exchange Online is introducing a change that will make it easier for organizations to manage how applications send emails on behalf of users. Imagine you're running a law firm, and you have to give access to each lawyer individually to a specific file. Currently, you would need to walk to each lawyer's office and hand them a key to the file cabinet. This is similar to how admins have been assigning email permissions—one mailbox at a time, which can be quite tedious.
With the new update, it's like having a master key that can open all the necessary file cabinets for a group of lawyers at once. Instead of assigning permissions to each mailbox individually, admins can now use a system called App Role-Based Access Control (RBAC). This allows them to give a group of applications the ability to send emails on behalf of users, all at once. It's like creating a special access group for all the lawyers who need to see the same file, saving time and effort.
This change will start rolling out in November 2025 and will not affect the end-users, meaning the lawyers won't notice any difference in how they access their emails. For those managing these permissions, it's a more efficient and secure way to handle access, much like using a digital lock system instead of individual keys.
Organizations should prepare by planning which groups need access and updating any internal guides on how permissions are managed. This update is designed to streamline processes and make managing email permissions as straightforward as managing access to shared resources in an office.
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
Last updated 3 weeks ago
