Category
planForChange
Severity
normal
Major change
False
Last modified
2026-05-08 22:42:04
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
2026-06-01 00:00:00
Services
Exchange Online
Tags
New feature, User impact, Admin impact
Master tags
Admin, Security
Roadmap IDs
One-line summary
Starting June 2026, admin consent will be required for more Microsoft Graph permissions to access Exchange data; users can no longer grant consent for these unless apps are mail client policy-approved.
Details
Summary
Starting June 2026, Microsoft will update the default user consent policy for Microsoft Graph to require admin consent for additional Exchange-related permissions. Users cannot grant consent for these unless apps are approved in the Mail client policy. Existing consents and custom policies remain unaffected.
Body (from Message Center)
[Introduction]
As part of the Microsoft Secure Future Initiative (SFI), and in alignment with the Secure by Default principle, we’re updating the Microsoft‑managed default user consent policy for Microsoft Graph. This change increases administrator control over third‑party application access to Exchange data and aligns default consent behavior with industry best practices for protecting email and related content.
[When this will happen]
General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by early July 2026.
[How this affects your organization]
Who is affected
- Microsoft 365 tenants using the Microsoft‑managed default user consent policy
- Admins managing Exchange Online and Microsoft Graph app access
- Organizations that allow third‑party applications to access Exchange data via delegated permissions
What will happen
- The following Microsoft Graph delegated permissions will be added to the Microsoft recommended user consent policy:
  - Contacts.ReadWrite
  - Contacts.Read.Shared
  - People.Read
  - Tasks.ReadWrite.Shared
  - Tasks.ReadWrite
  - Tasks.Read.Shared
  - Tasks.Read
  - Contacts.ReadWrite.Shared
  - Contacts.ReadWrite
- These changes will be reflected as an update to the Microsoft‑managed default user consent policy.
- With this change, any organization using the Microsoft‑managed user consent policy will require admin consent for these additional permissions to access Exchange mail data. Learn more about Graph permissions.
- By default, admin consent will be required for third‑party apps requesting these permissions to access Exchange data.
- Users will no longer be able to grant consent for these permissions unless the app is included in the Mail client policy.
- The Mail client policy will continue to allow users to consent to approved, popular mail applications for the permissions included in the recommended user consent policy.
- Existing approved apps and existing user consents are not impacted and will continue to work.
- Tenants using custom user consent policies are not affected.
- No additional licensing is required.
[What you can do to prepare]
- Review third‑party apps that access Exchange data using Microsoft Graph.
- Create granular app consent policies in advance for apps you want users to continue using without interruption.
- Configure the admin consent workflow so users can request approval for apps that now require admin consent.
- Notify helpdesk staff, security teams, and app owners about the upcoming change.
- Update internal documentation to reflect the new default consent behavior.
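For the review step above, the sketch below is an added example (not part of the Message Center post or any Microsoft tooling). It reads delegated grants shaped like the Microsoft Graph `oauth2PermissionGrants` resource and lists apps that individual users have already consented to for the permissions named in this message. Those grants keep working, so these apps are the candidates for a granular app consent policy or tenant-wide admin consent. The sample records and the ids `sp-graph`, `sp-crm` and so on are constructed.

```python
import json
from collections import defaultdict

# Delegated scopes listed in this message (the page's duplicate entry collapsed).
NEWLY_RESTRICTED = {
    "Contacts.ReadWrite", "Contacts.Read.Shared", "Contacts.ReadWrite.Shared",
    "People.Read", "Tasks.Read", "Tasks.Read.Shared",
    "Tasks.ReadWrite", "Tasks.ReadWrite.Shared",
}

# Constructed sample, shaped like a GET /oauth2PermissionGrants response body.
SAMPLE = json.loads("""
{"value": [
 {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-1",
  "resourceId": "sp-graph", "scope": "openid Contacts.ReadWrite People.Read"},
 {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-2",
  "resourceId": "sp-graph", "scope": " Contacts.ReadWrite.Shared "},
 {"clientId": "sp-todo", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "sp-graph", "scope": "Tasks.ReadWrite"},
 {"clientId": "sp-notes", "consentType": "Principal", "principalId": "user-3",
  "resourceId": "sp-graph", "scope": "User.Read offline_access"},
 {"clientId": "sp-other", "consentType": "Principal", "principalId": "user-1",
  "resourceId": "sp-not-graph", "scope": "Tasks.Read"}
]}
""")


def user_consented_apps(grants, graph_sp_id):
    """Return {client app id: {"scopes": [...], "users": [...]}} for per-user grants."""
    found = defaultdict(lambda: {"scopes": set(), "users": set()})
    for g in grants:
        # The scope names only mean something on the Microsoft Graph resource.
        if g.get("resourceId") != graph_sp_id:
            continue
        # "AllPrincipals" is tenant-wide admin consent; "Principal" is one user's consent.
        if g.get("consentType") != "Principal":
            continue
        # scope is a space-separated string and may carry stray whitespace.
        hits = set((g.get("scope") or "").split()) & NEWLY_RESTRICTED
        if hits:
            found[g["clientId"]]["scopes"] |= hits
            found[g["clientId"]]["users"].add(g.get("principalId") or "unknown")
    return {app: {k: sorted(v) for k, v in d.items()} for app, d in found.items()}


if __name__ == "__main__":
    for app, info in user_consented_apps(SAMPLE["value"], "sp-graph").items():
        print(app, info["scopes"], f"{len(info['users'])} user(s)")
```

In a real tenant, pass the object id of the Microsoft Graph service principal as `graph_sp_id` and feed in the full, paged export of the grants.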
Learn more:
- Configure how users consent to applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Configure the admin consent workflow | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Manage app consent policies | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Microsoft Graph permissions reference | Microsoft Graph | Microsoft Learn
- Microsoft Secure Future Initiative (SFI)
- Review permissions granted to enterprise applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
[Compliance considerations]
| Question | Answer |
| --- | --- |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Access to Exchange data via delegated Microsoft Graph permissions will require admin approval for the additional permissions listed in this message when using the Microsoft‑managed default user consent policy. Existing approved access is not affected. |
| Does the change include an admin control, and can it be managed through Entra ID? | Yes. Admins can manage access using Microsoft Graph app consent policies and the admin consent workflow in Microsoft Entra ID. |
Raw JSON (for debugging)
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": "2026-06-01T00:00:00Z",
"ai_actions": [
"Review third-party app access to Exchange data",
"Update app consent policies and workflows",
"Notify security teams and helpdesk",
"Update documentation"
],
"ai_master_tags": [
"Admin",
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Starting June 2026, admin consent will be required for more Microsoft Graph permissions to access Exchange data; users can no longer grant consent for these unless apps are mail client policy-approved.",
"ai_topics": [
"Exchange",
"Graph",
"Entra"
],
"category": "planForChange",
"details_map": {
"Summary": "Starting June 2026, Microsoft will update the default user consent policy for Microsoft Graph to require admin consent for additional Exchange-related permissions. Users cannot grant consent for these unless apps are approved in the Mail client policy. Existing consents and custom policies remain unaffected."
},
"id": "MC1304287",
"importance": 5,
"is_major_change": false,
"last_modified": "2026-05-08T22:42:04Z",
"ms_products": [
"Exchange"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Exchange Online"
],
"severity": "normal",
"tags": [
"New feature",
"User impact",
"Admin impact"
],
"title": "Microsoft Exchange Online: Upcoming secure-by-default changes for Exchange APIs"
}
}