Upcoming Secure by Default Settings Changes for Exchange and Teams APIs
MC1163922
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-10-02 02:05:11
Summary source: Azure OpenAI (gpt-4.1)
Services: Exchange Online, Microsoft Teams
Tags: User impact, Admin impact
Master tags: Security

One-line summary

Admin consent will be required for third-party apps accessing Exchange and Teams content via Microsoft Graph and legacy protocols; rollout starts by end of October 2025.

Details

Summary
Between late October and November 2025, Microsoft will update the Microsoft-managed default consent policy to require admin consent for third-party apps accessing Exchange and Teams content. This enhances security by restricting user consent; it affects new app permissions but not existing approved apps. Admins should review app access and configure consent workflows accordingly.

Body (from Message Center)

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we are updating the Microsoft-managed default consent policy in Microsoft 365 Graph to align with Microsoft’s ongoing security improvements, help you to meet industry best practices, and harden your tenant’s security posture. These changes enable admins to better control third-party app access for Exchange and Teams content.

This is the next step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of SFI. This update follows our recent SharePoint and OneDrive changes that blocked legacy protocols and required admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach.

[When this will happen:]

These changes will begin rolling out by the end of October 2025 and are expected to be completed by late November 2025.

[How this affects your organization:]

The following settings will be updated:

Change: Require admin consent for apps accessing Exchange and Teams content
Impact: For customers using the Microsoft-managed default consent policy, admin approval will be required for third-party apps accessing Exchange and Teams content via Microsoft Graph, Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP3, and IMAP4.

To preserve end-user experience, some Exchange email clients are exempted from this change. Administrators can review and modify as noted below.

These changes will be reflected as an update to the Microsoft-managed default consent policy. With this change, any organization using the Microsoft-managed user consent policy will require admin consent for Mail, Teams Chat and Meetings functionality across various protocols. Learn more about Graph permissions.

  • Organizations using other user consent policies will not be affected.
  • These changes will not require additional licensing.

[What you can do to prepare:]

We recommend the following actions:

  • Assess current configurations: Review existing third-party applications that access Exchange mail, calendar, contacts, and Teams chat/meetings data.
    • If you already intend to allow user consent for certain third-party apps, we recommend that you create granular app access policies in advance, so those apps remain usable without interruption (Manage app consent policies, Configure how users consent to applications).
    • If you are already using another consent policy that covers applications that will be impacted by this change and are satisfied with the policy, no changes are required from your end.
  • Configure Admin Consent workflow: If your organization relies on third-party apps for Exchange or Teams, set up the workflow (Configuring admin consent workflow); it will enable users to send a request to your global or app admin(s) to approve use of an application for users. Otherwise, potential users will not have an option to request admin approval.
  • Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.
  • Update documentation: Ensure internal processes and app onboarding guidance reflect the new defaults and the admin consent process.
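
For the "Assess current configurations" step, the following is an added example (not part of the Message Center post and not Microsoft's code) that finds third-party apps currently relying on per-user consent for Exchange or Teams scopes. It assumes the input is an export of the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` collections; the scope-family list, tenant IDs and app names are constructed for illustration and are not the official list of affected permissions.

```python
import json
from collections import defaultdict

# Assumed scope families for Exchange/Teams content (illustrative, not an official list).
SENSITIVE = {"Mail", "Calendars", "Contacts", "Chat", "ChatMessage",
             "OnlineMeetings", "EWS", "EAS", "IMAP", "POP"}

def sensitive_scopes(scope_string):
    """Scopes in a space-separated grant whose family (text before the first dot) is sensitive."""
    return sorted(s for s in scope_string.split() if s.split(".")[0] in SENSITIVE)

def user_consented_apps(grants, service_principals, trusted_tenants):
    """Summarise apps owned outside trusted_tenants that hold per-user delegated grants."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    found = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        if g.get("consentType") != "Principal":
            continue  # "AllPrincipals" is a tenant-wide grant made by an admin
        client = sp_by_id.get(g["clientId"], {})
        if client.get("appOwnerOrganizationId") in trusted_tenants:
            continue  # own tenant or a publisher tenant you treat as first party
        hits = sensitive_scopes(g.get("scope") or "")
        if hits:
            entry = found[client.get("displayName", g["clientId"])]
            entry["users"].add(g["principalId"])
            entry["scopes"].update(hits)
    return {name: {"user_count": len(e["users"]), "scopes": sorted(e["scopes"])}
            for name, e in found.items()}

# Constructed sample data in the shape of the two Graph collections.
HOME = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_SPS = json.loads("""[
  {"id": "sp-1", "displayName": "Contoso CRM Sync", "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000bbbb"},
  {"id": "sp-2", "displayName": "Internal Helpdesk", "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000aaaa"},
  {"id": "sp-3", "displayName": "Fabrikam Notes", "appOwnerOrganizationId": "00000000-0000-0000-0000-00000000cccc"}
]""")
SAMPLE_GRANTS = json.loads("""[
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a", "scope": "User.Read Mail.Read offline_access"},
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-b", "scope": "Mail.Read Chat.Read"},
  {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-a", "scope": "Mail.Send"},
  {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": null, "scope": "Calendars.Read"},
  {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-c", "scope": "User.Read MailboxSettings.Read"}
]""")

if __name__ == "__main__":
    for app, info in user_consented_apps(SAMPLE_GRANTS, SAMPLE_SPS, {HOME}).items():
        print(f"{app}: {info['user_count']} user(s), scopes {info['scopes']}")
```

Apps that appear in the result are the ones whose additional users or broader permission requests will need admin approval once the default policy changes, so they are the candidates for a granular consent policy or an admin consent decision in advance.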

Additional considerations:

Does the change alter how existing customer data is processed and stored?

  • No, it doesn’t change how data is processed or stored.

Does the change alter how existing customer data is accessed?

  • Yes, moving forward only admins may approve access for the set of permissions outlined above. Users cannot grant consent to third-party applications that access Exchange and Teams data via delegated permissions.

What is the impact on existing applications?

  • Users who have already granted consent to an app can continue to use it without interruption. New users, or apps requesting new or broader permissions, will require admin approval before they can be used. This ensures that only applications explicitly validated by the admin(s) can gain new access moving forward.
