Microsoft Secure Default Exchange and Teams

Microsoft Strengthens API Security for Exchange and Teams with Admin Approval Requirement

As part of its ongoing efforts to strengthen cloud security, Microsoft is introducing a major policy update that will require administrator approval for all new third-party applications seeking access to Exchange and Teams data.

This change, part of Microsoft’s broader Secure Future Initiative, is scheduled to roll out between late October and late November 2025. The update falls under Microsoft’s “Secure by Default” approach, designed to tighten access controls and protect organizational data across Microsoft 365 environments.

What’s Changing and Why It Matters

The core of this update is a change to the Microsoft-managed default user consent policy. Going forward, any new third-party app requesting access to Exchange or Teams content via APIs such as Microsoft Graph, Exchange Web Services, Exchange ActiveSync, POP3, or IMAP4 will require explicit administrator approval before access is granted.

This policy does not affect existing apps that users have already authorized. However, if such an app requests new permissions, or a new user tries to authorize it, the administrator consent process will be triggered.

Organizations that have already implemented custom user consent policies will remain unaffected by this change.

A Consistent Security Approach Across Microsoft 365

This move aligns with previous Microsoft efforts to improve baseline security, including earlier changes to SharePoint and OneDrive, where legacy protocol access was blocked and admin consent was required for file-level third-party access.

By expanding this model to Exchange and Teams, Microsoft continues to harden its platform against potential abuse and unauthorized data access, without requiring customers to purchase additional licenses.

What IT Teams Should Do Now

To prepare for the rollout, Microsoft recommends several key actions for IT administrators:

1. Review Existing Permissions
   Audit your current environment to identify third-party applications accessing mail, calendars, contacts, and Teams chat or meeting data.
2. Enable the Admin Consent Workflow
   Set up the admin consent request workflow in Azure AD (Entra ID). Without it, users will have no way to request access to blocked apps.
3. Create App Access Policies for Trusted Apps
   For critical third-party tools your organization relies on, pre-emptively create granular app access policies to avoid disruption.
4. Communicate the Changes
   Inform IT teams, app owners, and security personnel about the upcoming policy shift. Update onboarding documentation and internal guidelines accordingly.
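Step 1 in practice, as an added example that is not code from the original post or from Microsoft: the script below uses the Microsoft Graph PowerShell SDK to list third-party apps that already hold delegated or application permissions over mail, calendar, contact, Teams chat/meeting or legacy-protocol access. It assumes the Microsoft.Graph module is installed and the signed-in account can read applications and directory objects; the permission watch-list and the output shape are constructed for this example.

```powershell
# Added example, not Microsoft's own code: inventory third-party apps holding delegated
# or application permissions over Exchange/Teams data via the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Constructed watch-list: permission-name prefixes covering mail, mailbox settings,
# calendars, contacts, Teams chat/meetings and the legacy protocols named in the post.
$watch = 'Mail.', 'MailboxSettings.', 'Calendars.', 'Contacts.', 'Chat.', 'ChatMessage.',
         'ChannelMessage.', 'OnlineMeetings.', 'EWS.AccessAsUser.All',
         'IMAP.AccessAsUser.All', 'POP.AccessAsUser.All', 'full_access_as_app'

function Test-WatchedPermission([string]$Name) {
    foreach ($w in $watch) { if ($Name.StartsWith($w)) { return $true } }
    return $false
}

$tenantId = (Get-MgContext).TenantId
# Well-known owner tenant of Microsoft first-party apps; those are not third-party.
$msFirstParty = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'
function Test-ThirdParty($Sp) {
    return ($Sp.AppOwnerOrganizationId -and $Sp.AppOwnerOrganizationId -ne $tenantId -and
            $Sp.AppOwnerOrganizationId -ne $msFirstParty)
}

$sps = Get-MgServicePrincipal -All
$spById = @{}; $roleName = @{}
foreach ($sp in $sps) {
    $spById[$sp.Id] = $sp
    # App-role GUIDs are defined per resource API (Graph, Exchange Online, ...); build a lookup.
    foreach ($r in $sp.AppRoles) { $roleName[$r.Id] = $r.Value }
}

$findings = [System.Collections.Generic.List[object]]::new()
# Delegated (user-consented) grants: Scope is a space-separated list of permission names.
foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $sp = $spById[$g.ClientId]
    if (-not $sp -or -not (Test-ThirdParty $sp)) { continue }
    $hits = @($g.Scope -split ' ' | Where-Object { $_ -and (Test-WatchedPermission $_) })
    if ($hits) { $findings.Add([pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId
        Kind = "Delegated ($($g.ConsentType))"; Permissions = ($hits -join ' ') }) }
}
# Application (app-only) permissions: resolve each AppRoleId to its name first.
foreach ($sp in $sps | Where-Object { Test-ThirdParty $_ }) {
    $hits = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { $roleName[$_.AppRoleId] } | Where-Object { $_ -and (Test-WatchedPermission $_) })
    if ($hits) { $findings.Add([pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId
        Kind = 'Application'; Permissions = ($hits -join ' ') }) }
}
$findings | Sort-Object App, Kind | Format-Table -AutoSize
```

Each row is a candidate for the step 3 review; for mail and calendar access, Exchange Online's New-ApplicationAccessPolicy cmdlet can then restrict a listed AppId to a chosen group of mailboxes rather than the whole tenant.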

This policy update underscores Microsoft’s commitment to improving tenant security by default, giving administrators greater control and visibility into third-party integrations. With rising threats targeting collaboration platforms and messaging systems, this is a timely and necessary evolution in Microsoft’s security posture.
