Microsoft Exchange Online Adds Support for Role Based Access Control for Applications


Microsoft has introduced role-based access control (RBAC) support for applications in Exchange Online. The security feature brings a new set of “resource-scoped permissions” to help organizations better protect access to email, contacts, and calendar data.

The role-based access control model was first introduced in Exchange 2010 and is used in both Exchange Server and Exchange Online. It allows IT admins to manage and delegate permissions for Exchange administrative tasks. Role-based access control is particularly useful for organizations that work with third parties and contractors, where network access is harder to monitor.

“RBAC for Applications allows admins to grant permissions using a role assignment to an application that accesses Exchange Online data without user involvement. Admins can limit the data an application can access using a resource scope. This feature extends our current RBAC model and will replace the current Application Access Policy feature,” the Exchange Online team explained.

A role assignment lets IT pros define which resources an app (its Service Principal) may act on, rather than granting it access to every mailbox in the tenant. For instance, a room booking system can be allowed to access calendar data only in select geographical regions.


RBAC for applications in Exchange Online to hit GA in 2023

Microsoft added that the RBAC for applications feature is available in preview for enterprise customers, and it is expected to hit general availability in H1 2023. Currently, IT admins can use Exchange Online PowerShell for management tasks, with support for the Azure Active Directory admin center and Microsoft Graph PowerShell to be added in the coming months.

It is important to note that IT admins will need to manually create a Service Principal for each app in Exchange Online. Microsoft plans to improve the user experience with an automated process when the RBAC for applications feature becomes generally available for everyone.

Moreover, Microsoft will deprecate application access policies because RBAC for apps lets administrators grant constrained permissions directly within Exchange Online. The company will also release a unified management experience for application permissions next year.
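
The room booking scenario above, as an added Exchange Online PowerShell example (not taken from Microsoft's announcement or from this article). The GUIDs, the admin account, the scope name, the `CustomAttribute1` value and the mailbox addresses are constructed placeholders; cmdlet and parameter names follow Microsoft's current Exchange Online PowerShell documentation and may differ in the preview build.

```powershell
# Added example: scope a room booking app to room mailboxes in one region.
# All identifiers below are placeholders, not values from the article.
$AppId    = '00000000-0000-0000-0000-000000000001'  # application (client) ID
$ObjectId = '00000000-0000-0000-0000-000000000002'  # service principal object ID
                                                    # (Enterprise applications blade)

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Manually register the app's service principal inside Exchange Online.
New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId `
    -DisplayName 'Room Booking App'

# 2. Define the resource scope: room mailboxes tagged for the region.
#    Assumes CustomAttribute1 carries a region tag in this tenant.
New-ManagementScope -Name 'EMEA Room Mailboxes' `
    -RecipientRestrictionFilter "(RecipientTypeDetails -eq 'RoomMailbox') -and (CustomAttribute1 -eq 'EMEA')"

# 3. Assign an application role limited to that scope.
New-ManagementRoleAssignment -App $ObjectId `
    -Role 'Application Calendars.ReadWrite' `
    -CustomResourceScope 'EMEA Room Mailboxes'

# 4. Verify: one mailbox expected in scope, one expected out of scope.
#    InScope should be True for the first and False for the second.
foreach ($mbx in 'room-lon-01@contoso.example', 'room-nyc-01@contoso.example') {
    Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource $mbx |
        Format-Table RoleName, AllowedResourceScope, InScope
}

# Caveat: these grants are additive to any tenant-wide application permission
# already consented in Azure AD. If the app still holds an unscoped
# Calendars.ReadWrite application permission there, the scope above limits
# nothing; remove that consent after confirming the scoped assignment works.
```

Run the verification step against at least one mailbox on each side of the scope boundary before removing the tenant-wide consent, so a filter typo does not silently deny or over-grant access.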