Upcoming Secure by Default Settings Changes for Exchange and Teams APIs [MC1163922]

Message ID: MC1163922

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we are updating the Microsoft-managed default consent policy in Microsoft 365 Graph to align with Microsoft’s ongoing security improvements, help you to meet industry best practices, and harden your tenant’s security posture. These changes enable admins to better control third-party app access for Exchange and Teams content.

This is the next step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of SFI. This update follows our recent SharePoint and OneDrive changes that blocked legacy protocols and required admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach.

[When this will happen:]

These changes will begin rolling out by end of October 2025 and are expected to be completed by late-November 2025.

[How this affects your organization:]

The following settings will be updated:

Change: Require admin consent for apps accessing Exchange and Teams content

Impact: For customers using the Microsoft-managed default consent policy, admin approval will be required for third-party apps accessing Exchange and Teams content via Microsoft Graph, Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP3, and IMAP4.

To preserve end-user experience, some Exchange email clients are exempted from this change. Administrators can review and modify as noted below.

These changes will be reflected as an update to the Microsoft-managed default consent policy. With this change, any organization using the Microsoft-managed user consent policy will require admin consent for Mail, Teams Chat and Meetings functionality across various protocols. Learn more about Graph permissions.

  • Organizations using other user consent policies will not be affected.
  • These changes will not require additional licensing.

[What you can do to prepare:]

We recommend the following actions:

  • Assess current configurations: Review existing third-party applications that access Exchange mail, calendar, contacts, and Teams chat/meetings data.
    • If you already intend to allow user consent for certain third-party apps, we recommend that you create granular app access policies in advance, so those apps remain usable without interruption (Manage app consent policies, Configure how users consent to applications)
    • If you are already using another consent policy that covers applications that will be impacted by this change and are satisfied with the policy, no changes are required from your end.
  • Configure Admin Consent workflow: If your organization relies on third-party apps for Exchange or Teams, set up the workflow (Configuring admin consent workflow); it will enable users to send a request to your global or app admin(s) to approve use of an application for users. Otherwise, potential users will not have an option to request admin approval.
  • Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.
  • Update documentation: Ensure internal processes and app onboarding guidance reflect the new defaults and the admin consent process.
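The "assess current configurations" step above amounts to finding which apps hold user-consented delegated grants on Exchange and Teams scopes, since those are the grants the new default routes through admin consent. The following is an added example, not part of the Microsoft notice: it triages a list of oauth2PermissionGrant objects (the shape returned by GET /v1.0/oauth2PermissionGrants) against an assumed list of Exchange/Teams scope patterns; the notice does not enumerate scope names, so that list and the sample data are constructed assumptions.

```python
"""Triage user-consented delegated grants that the new default routes to admin consent."""
import re

# Assumption: these patterns approximate the Mail, Calendar, Contacts, Teams chat/meeting
# and legacy-protocol delegated scopes the notice refers to. Adjust to your own findings.
SENSITIVE_SCOPE_PATTERNS = [
    r"^Mail\.", r"^MailboxSettings\.", r"^Calendars\.", r"^Contacts\.",
    r"^Chat\.", r"^ChannelMessage\.", r"^OnlineMeetings\.",
    r"^EWS\.AccessAsUser\.All$", r"^EAS\.AccessAsUser\.All$",
    r"^IMAP\.AccessAsUser\.All$", r"^POP\.AccessAsUser\.All$",
]

def sensitive_scopes(scope_string):
    """Return the subset of a grant's space-separated scopes matching the patterns."""
    return [s for s in scope_string.split()
            if any(re.match(p, s) for p in SENSITIVE_SCOPE_PATTERNS)]

def triage_grants(grants, service_principals):
    """Group user-consented grants (consentType 'Principal') by client app.
    grants: oauth2PermissionGrant dicts; service_principals: id -> displayName."""
    findings = {}
    for g in grants:
        # 'AllPrincipals' grants were already admin-consented for all users; only
        # per-user ('Principal') grants are the ones end users could self-approve.
        if g.get("consentType") != "Principal":
            continue
        hit = sensitive_scopes(g.get("scope", ""))
        if not hit:
            continue
        app = service_principals.get(g["clientId"], g["clientId"])
        entry = findings.setdefault(app, {"users": set(), "scopes": set()})
        entry["users"].add(g["principalId"])
        entry["scopes"].update(hit)
    return findings

# Constructed sample data (hypothetical tenant, not real identifiers).
SAMPLE_SPS = {"sp-1": "Contoso Mail Sync", "sp-2": "Fabrikam Calendar Bot", "sp-3": "Survey Tool"}
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "graph", "scope": "openid profile Mail.ReadWrite IMAP.AccessAsUser.All"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-b",
     "resourceId": "graph", "scope": "Mail.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Calendars.ReadWrite OnlineMeetings.ReadWrite"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-c",
     "resourceId": "graph", "scope": "User.Read"},
]

if __name__ == "__main__":
    for app, info in triage_grants(SAMPLE_GRANTS, SAMPLE_SPS).items():
        print(f"{app}: {len(info['users'])} user grant(s), scopes={sorted(info['scopes'])}")
```

Apps that appear in the output are the ones for which a granular app consent policy or an admin consent workflow request will be needed once the default changes.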

Additional considerations:

Does the change alter how existing customer data is processed and stored?

  • No, it doesn’t change how data is processed or stored.

Does the change alter how existing customer data is accessed?

  • Yes, moving forward only admins may approve access for the set of permissions outlined above. Users cannot grant consent to third-party applications that access Exchange and Teams data via delegated permissions.

What is the impact on existing applications?

  • Users who have already granted consent to an app can continue to use it without interruption. New users, or apps requesting new or broader permissions, will require admin approval before they can be used. This ensures that only applications explicitly validated by the admin(s) can gain new access moving forward.

Source: Microsoft


2 Comments

  1. Whoa, hold onto your hats, folks! Looks like Microsoft is once again rearranging the furniture in the digital playground, specifically targeting Exchange and Teams APIs. We’re talking admin consent for third-party apps – a move that’s going to make IT admins feel like they’re back in charge of the neighborhood watch, but this time for email and Teams data.

    The rollout is set for the end of October, which gives us just enough time to panic and update our workflows. For those using the Microsoft-managed default consent policy, get ready to approve apps like they’re going out of style. But hey, some email clients are getting a pass – because not everything can be high-tech all the time.

    Organizations using other consent policies should probably relax, unless they enjoy a good surprise. And no, this doesn’t require additional licensing – because why would it?

    In all seriousness, it’s good to see Microsoft tightening the screws on data security. Just make sure your admins have enough coffee to handle the increased workload. Stay ahead of the game, and let’s hope these changes don’t turn into a new game of Guess Which App Gets the Green Light.

    • Mike

      Absolutely nailed it — this update does feel like Microsoft handing the keys back to IT admins, but with a few extra locks to manage! The shift to requiring admin consent for third-party apps accessing Exchange and Teams APIs is a big deal, especially for orgs relying on automation or integrations that previously flew under the radar.
      You’re right — the Microsoft-managed default consent policy users will need to start approving apps more proactively, and while some email clients are exempt, it’s definitely a moment to audit what’s in use and what’s accessing sensitive data.
      For orgs using custom consent policies, it’s less urgent, but still worth reviewing to avoid surprises. And yes — no extra licensing needed, which is a rare win!
      This move aligns with Microsoft’s broader Secure by Default push, and while it might mean more admin overhead short-term, it’s a solid step toward better data governance. Just make sure your IT team has a good dashboard, a strong coffee, and maybe a few extra hours blocked off in October.
      Thanks for the great comment — it’s always refreshing to see security updates discussed with humour and insight!
