MC1158911: Microsoft Exchange Online | SMTP onboarding to App RBAC
Microsoft Exchange Online will enable admins to assign the SMTP.SendAsApp role to applications via App RBAC, allowing group-based or scoped mailbox access. This replaces manual per-mailbox permissions, simplifying OAuth SMTP client onboarding. Rollout begins November 2025, with no end-user impact...
Introduction]
We're simplifying how organizations grant applications permission to send email on behalf of mailboxes. Today, customers must manually assign permissions to each individual mailbox using PowerShell, which is time-consuming and inefficient. With this new capability, admins can assign the SMTP.SendAsApp role to an app through App Role-Based Access Control (RBAC), enabling group-based or scoped access to mailboxes. This simplifies onboarding for SMTP clients using OAuth and provides a scalable, secure, and modern approach to managing mailbox access.
This message is associated with Microsoft 365 Roadmap ID 498356.
[When this will happen:
- General Availability (Worldwide): We will begin rolling out early November 2025 and expect to complete by late November 2025.
[How this affects your organization:]
Who is affected:
- Admins managing SMTP AUTH clients using OAuth in Exchange Online.
What will happen:
- Admins can assign the SMTP.SendAsApp role to applications via App RBAC.
- This enables group-based or scoped access to mailboxes.
- Eliminates the need for per-mailbox permission assignments.
- Streamlines onboarding for SMTP clients using OAuth.
- No changes to end-user experience.
What you can do to prepare:
- Prepare to create security or distribution groups for mailboxes requiring access.
- Plan for migration from per-mailbox permissions to group-based RBAC assignments.
- Communicate this change to your helpdesk or support teams.
- Update internal documentation if you currently detail mailbox permission onboarding.
- Review onboarding documentation: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Exchange | Microsoft Learn (https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth)
- Documentation will be updated November 1st
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.