Retirement of RBAC Application Impersonation in Exchange Online

 

Microsoft has announced changes to Exchange Online that may affect your Robin integration. According to MS, starting May 2024, new assignments of the ApplicationImpersonation role will be blocked. By February 2025, this permission scope will be completely removed.

 

Impact on Your Account:

If your integration uses a service account with individual permission grants per resource calendar:

 

  • From May 2024: You cannot edit or add new scopes.
  • Until February 2025: Existing calendar permissions will remain functional, but no additional scope can be added.
  • Post-February 2025: Impersonation for new resource calendars will not be possible, affecting Robin's access to these calendars.

 

Note: Robin customers using MS Graph API with Robin are not affected by these changes.

 

For more details on this change by Microsoft, visit the Exchange Team Blog here.

 

How do I know if I’m affected?

 

If your organization connects to O365/Exchange Online via a service account with ApplicationImpersonation scoped down to specific calendars, then you may be affected by this change from Microsoft. Existing calendars will continue to work until February 2025, but new calendars cannot be added to the scope after May 2024. This will prevent new calendars from working with Robin unless changes are made to your configuration before May 2024.

 

To understand if you are affected you can take these steps within the 365 admin center: 

 

  1. Find the service account you used to connect Robin with your tenant. You will need this as a reference.
  2. Go to roles and role assignments. You will need to know what role you created to assign impersonation to the service account. It should be listed on the service account's profile.
  3. Within the role assignments, choose Exchange and find the role you created for impersonation.
  4. Once you select the role, you will see the option to look at permissions assigned to the role. If you search for application impersonation, you can see whether it has the default or a custom assignment. If it shows no custom configuration, you are fine. If it has a custom configuration, we explain how to fix this next.

 

A correct configuration will look like this:

 

 

A problematic configuration will look like this:

 

You can use Microsoft PowerShell to check the scope of the role that is added to your service account. 

 

Get-ManagementScope "Name of Role"
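
The same check can be scripted across every ApplicationImpersonation assignment at once. The following is an added example, not code from Robin or Microsoft: the function name Get-ImpersonationScopeReport, the account name and the scope names are hypothetical, and the sample objects are constructed to mirror the properties returned by Get-ManagementRoleAssignment.

```powershell
# Added example: flags ApplicationImpersonation assignments that carry a
# custom recipient write scope (the "problematic" configuration above).
function Get-ImpersonationScopeReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Assignment
    )
    process {
        foreach ($a in $Assignment) {
            # Ignore assignments of any other role.
            if ([string]$a.Role -ne 'ApplicationImpersonation') { continue }

            # A non-empty CustomRecipientWriteScope means impersonation is
            # limited to a management scope instead of the whole organization.
            $scopeName = [string]$a.CustomRecipientWriteScope
            $isScoped  = -not [string]::IsNullOrWhiteSpace($scopeName)

            [pscustomobject]@{
                Assignment = $a.Name
                Assignee   = $a.RoleAssigneeName
                Scope      = if ($isScoped) { $scopeName } else { [string]$a.RecipientWriteScope }
                Affected   = $isScoped
            }
        }
    }
}

# Constructed sample data (hypothetical names) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Impersonation-Scoped'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'svc-robin'; RecipientWriteScope = 'CustomRecipientScope'
        CustomRecipientWriteScope = 'Robin Room Calendars' }
    [pscustomobject]@{ Name = 'Impersonation-Default'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'svc-robin'; RecipientWriteScope = 'Organization'
        CustomRecipientWriteScope = $null }
)
$sample | Get-ImpersonationScopeReport | Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module, admin session):
#   Connect-ExchangeOnline
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation |
#       Get-ImpersonationScopeReport
#   Get-ManagementScope -Identity '<Scope value from the report>' |
#       Format-List Name, RecipientFilter
```

Rows with Affected set to True correspond to the custom configuration described in step 4; the RecipientFilter of the named scope shows which calendars it currently covers.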

 



Short Term Fix

 

If your service account has impersonation restrictions and you anticipate adding new calendars to Robin, please remove these restrictions before May 2024. This may be necessary if you are adding new spaces, a new building, or replacing calendars on existing resources. Most customers do not have these restrictions in place. After May 2024 you will not be able to add new scopes.

 

For guidance on removing application impersonation management scopes, refer to this MSFT article.



Migrating to Graph API



Microsoft recommends migrating to Graph API as the long-term solution following their announcement on the deprecation of the ApplicationImpersonation role. Robin is transitioning all Exchange Online customers to Graph API in 2024 for several reasons:

 

  • Application impersonation will be discontinued by February 2025.
  • EWS is being deprecated, with Graph API recommended for all Exchange Online integrations.
  • Graph API provides enhanced control over calendar and mailbox access, offering improved security and access options.

 

Robin is developing a self-service migration assistant to facilitate this transition, with more details to be shared in May 2024.

 

If you need any assistance or have questions, please don’t hesitate to reach out to us.
