Microsoft 365: SMTP onboarding to App Role Based Access Control

🚨 The Signal: Applications can now send email through a new App Role-Based Access Control (RBAC) model, which moves permission assignment from per-mailbox grants to group-based scopes. This improves both security and scalability for SMTP clients that authenticate with OAuth.

The Impact

Security teams and Exchange Online admins are the parties affected; the model reduces the risk of applications holding overly permissive access to mailboxes.

  • Security Teams: Reduced risk from broad application permissions.
  • Exchange Online Admins: Streamlined management of application email sending.
  • Application Developers: Clearer, more secure method for app integration.
  • Auditors: Improved visibility into application access to mailboxes.

The Action

  1. Review existing application permissions for SMTP SendAs.
  2. Plan migration of legacy per-mailbox permissions to App RBAC.
  3. Assign the SMTP.SendAsApp role to applications via Entra ID App Registrations.
  4. Implement group-based access for applications requiring SendAs permissions.
  5. Monitor application access logs for SendAs activities.
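Steps 1 to 4 of the action list, worked through in Exchange Online PowerShell as an added example (not code from the brief or from Microsoft); it assumes the ExchangeOnlineManagement module, an account holding the Role Management role, and placeholder app, group and mailbox values that you replace with your own. The role name is taken from the brief and should be confirmed against the tenant's role list before use.

```powershell
# Added example, not from the brief or from Microsoft: walk steps 1-4 of the
# action list in Exchange Online PowerShell and verify the resulting scope.
# Assumes the ExchangeOnlineManagement module, an account holding the
# Role Management role, and the placeholder values below from your own tenant.
Connect-ExchangeOnline

$appId       = '00000000-0000-0000-0000-000000000000'  # placeholder: app (client) ID
$appObjectId = '11111111-1111-1111-1111-111111111111'  # placeholder: service principal object ID
$groupName   = 'SMTP-App-Senders'                      # placeholder: mail-enabled security group
$scopeName   = 'SMTP App Senders Scope'
# Role name as given in the brief (assumption); confirm the exact name in your tenant with
# Get-ManagementRole | Where-Object Name -like '*SMTP*'
$roleName    = 'SMTP.SendAsApp'

# Step 1: review which applications already hold application-scoped roles and how
# widely they are scoped. An empty CustomRecipientWriteScope means tenant-wide reach.
Get-ManagementRoleAssignment |
    Where-Object { $_.Role -like 'Application *' } |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# Steps 2-3: make the app known to Exchange Online if it is not already registered there.
if (-not (Get-ServicePrincipal -Identity $appId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $appId -ObjectId $appObjectId -DisplayName 'SMTP relay app'
}

# Step 4: limit the app to mailboxes that are members of one group (least privilege)
# instead of granting SendAs over every mailbox in the tenant.
$groupDn = (Get-Group -Identity $groupName).DistinguishedName
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"
}
New-ManagementRoleAssignment -App $appId -Role $roleName -CustomResourceScope $scopeName

# Check: the app should be InScope for a group member and out of scope for anyone else.
'member@contoso.example', 'outsider@contoso.example' | ForEach-Object {   # placeholder mailboxes
    $mbx = $_
    Test-ServicePrincipalAuthorization -Identity $appId -Resource $mbx |
        Select-Object @{ n = 'Mailbox'; e = { $mbx } }, RoleName, InScope
}
```

Run the review query from step 1 again after the assignment to confirm no tenant-wide application assignment for the role remains.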

Domain: Entra · Impact: medium · Workload: Exchange Online · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898