Microsoft Previews Role-Based Access Control for Apps in Exchange Online
Microsoft on Thursday announced a public preview of Role-Based Access Control (RBAC) for Applications in Exchange Online.
RBAC for Applications in Exchange Online allows IT pros to set permission controls (called "Management Scopes") for applications that are accessing Exchange Online capabilities. These applications typically access "Exchange Online data without user involvement," the announcement explained.
With this scheme enabled by the preview, IT pros can set up "Admin Units" to specify particular users, groups or devices as part of this approach. "Service Principals" is Microsoft's term that refers to "an instance of an application within your tenant."
The roles getting controlled have names like "Application Mail.Read," which corresponds to the Microsoft Graph application permission that lets an application "read email in all mailboxes without a signed-in user."
Such terms and concepts for using RBAC for Applications in Exchange Online can be found in this Microsoft document.
Application Access Policies Deprecation
Microsoft already has Application Access Policies capability, which lets IT pros do the same kind of scoping for apps accessing Exchange Online capabilities. However, RBAC for Applications in Exchange Online is conceived as replacing Application Access Policies.
That change will happen when RBAC for Applications in Exchange Online reaches the "general availability" commercial-release stage, which is expected to occur in "H1 2023."
Organizations can continue to use Application Access Policies concurrently with the RBAC for Applications in Exchange Online preview. However, Microsoft is eventually going to "deprecate" (stop developing) Application Access Policies.
Here's how the announcement described it:
Application Access Policies and RBAC for Applications are compatible for side-by-side use, though our intention is to deprecate Application Access Policies after RBAC for Applications becomes GA.
More Granular Controls
There was no specific indication in the announcement about why Microsoft plans to replace Application Access Policies with RBAC for Applications in Exchange Online.
However, the announcement generally characterized the granting of app-only permissions as having been too "coarse grained." Microsoft suggested that application access gets "granted at a tenant-wide resource scope which leads to over-privileged applications."
Presumably, RBAC for Applications in Exchange Online would better address the problem of overprivileged apps. Its scoped access enables least-privileged access to data for e-mail, contacts, and calendar solutions used with the Exchange Online service, the announcement suggested.
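As an added illustration of the scoped model described in the "Management Scopes" and "More Granular Controls" passages (this is not code from the article or from Microsoft's announcement), the following Exchange Online PowerShell session grants a service principal the "Application Mail.Read" role over one Management Scope rather than the whole tenant, then checks the result against an in-scope and an out-of-scope mailbox. The cmdlet names and parameters are assumed from Microsoft's RBAC for Applications documentation; the app GUIDs, the CustomAttribute1 filter and the mailbox addresses are constructed placeholders.

```powershell
# Added example, not from the article or Microsoft's announcement.
# Assumes Exchange Online PowerShell v3 with an Exchange administrator,
# an app already registered in the tenant, and that support-desk mailboxes
# are tagged with CustomAttribute1 = 'SupportDesk' (a constructed convention).
# GUIDs and addresses are placeholders.

Connect-ExchangeOnline

# 1. Register the app's service principal with Exchange Online.
#    AppId and ObjectId come from the app registration in the tenant.
$sp = New-ServicePrincipal `
    -AppId       '00000000-0000-0000-0000-000000000001' `
    -ObjectId    '00000000-0000-0000-0000-000000000002' `
    -DisplayName 'Ticket Ingest Service'

# 2. Tag the mailboxes the app is allowed to read (setup for the filter).
Set-Mailbox -Identity 'agent1@contoso.example' -CustomAttribute1 'SupportDesk'

# 3. Define the Management Scope: a recipient filter that bounds the role
#    to the tagged mailboxes instead of the tenant-wide default.
$scope = New-ManagementScope -Name 'SupportDeskMailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'SupportDesk'"

# 4. Assign "Application Mail.Read" to the app, limited to that scope.
#    Omitting -CustomResourceScope would reproduce the over-privileged,
#    tenant-wide grant the announcement warns about. An Admin Unit can be
#    used instead of a custom scope via -RecipientAdministrativeUnitScope.
New-ManagementRoleAssignment -App $sp.AppId `
    -Role 'Application Mail.Read' `
    -CustomResourceScope $scope.Name

# 5. Verify the boundary before the app goes live: the InScope column
#    should be True for the tagged mailbox and False for any other.
Test-ServicePrincipalAuthorization -Identity $sp.AppId -Resource 'agent1@contoso.example'
Test-ServicePrincipalAuthorization -Identity $sp.AppId -Resource 'ceo@contoso.example'
```

Re-run step 5 whenever the scope filter or mailbox attributes change, since the filter is evaluated against current recipient properties rather than a fixed list.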
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.