Microsoft is updating its security policies to require administrator consent for new third-party applications seeking access to Exchange and Teams content.
These “Secure by Default” changes, set to roll out from late October to late November 2025, aim to enhance tenant security by giving administrators greater control over data access.
This update is a key component of the Microsoft Secure Future Initiative (SFI), which prioritizes security by default across Microsoft’s product ecosystem. The changes align with industry best practices by hardening the security posture of Microsoft 365 tenants.
This move follows a similar security enhancement implemented for SharePoint and OneDrive, which blocked legacy protocols and mandated admin consent for third-party apps accessing files.
By extending this approach to Exchange and Teams, Microsoft continues its effort to systematically evaluate and improve default security settings, ensuring that customer data is protected from unauthorized access. The changes will be applied without requiring any additional licensing.
How the Changes Affect App Access
The core of this update involves modifying the Microsoft-managed default consent policy. For organizations using this policy, any new third-party application requesting permissions to access Exchange and Teams data via Microsoft Graph, Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP3, and IMAP4 will require explicit approval from an administrator.
This change will not impact applications that users have already consented to; these apps will continue to function without interruption for those existing users.
However, if a new user attempts to authorize an app or an existing app requests new permissions, it will trigger the admin consent requirement. Organizations that have already configured custom user consent policies will not be affected by this update.
To ensure a smooth transition, Microsoft advises administrators to take several preparatory steps. Admins should begin by assessing their current environment and reviewing the permissions of existing third-party applications that access Exchange mail, calendars, contacts, and Teams chat or meeting data.
It is highly recommended to configure the admin consent workflow, which allows users to formally request approval for an application. Without this workflow, users will have no mechanism to request access.
For critical applications that are already trusted, administrators can create granular app access policies in advance to prevent any service interruptions.
Finally, communicating these upcoming changes to IT teams, app owners, and security personnel, as well as updating internal onboarding documentation, will be crucial for managing the new process effectively.
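As an added example (not from Microsoft or the original article), the Python code below shows one way to carry out the assessment step: it reads delegated permission grants in the shape of Microsoft Graph's oauth2PermissionGrant objects and reports, per app, which Exchange or Teams scopes rest only on per-user consent and are therefore candidates for admin review before the change. The scope prefixes, app names and sample grants are constructed assumptions, not a published list of affected permissions.

```python
from collections import defaultdict

# Assumption: illustrative scope prefixes for the data the article names (mail,
# calendars, contacts, Teams chat/meetings, EWS/EAS/POP/IMAP). Not an official list.
WATCHED_PREFIXES = ("Mail.", "Calendars.", "Contacts.", "Chat.", "ChatMessage.",
                    "OnlineMeetings.", "EWS.", "EAS.", "POP.", "IMAP.")

# Constructed sample, shaped like Graph oauth2PermissionGrant objects.
SAMPLE_GRANTS = [
    {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-1", "scope": "Mail.Read Calendars.Read User.Read"},
    {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-2", "scope": "Mail.Read User.Read"},
    {"clientId": "sp-notes", "consentType": "AllPrincipals", "principalId": None, "scope": "Chat.Read User.Read"},
    {"clientId": "sp-notes", "consentType": "Principal", "principalId": "user-3", "scope": "Chat.Read OnlineMeetings.Read"},
    {"clientId": "sp-hr", "consentType": "Principal", "principalId": "user-1", "scope": "User.Read openid"},
]
# Constructed display names keyed by service principal id (hypothetical apps).
SAMPLE_APPS = {"sp-crm": "Contoso CRM Sync", "sp-notes": "Fabrikam Meeting Notes", "sp-hr": "HR Portal"}


def watched_scopes(scope_string):
    """Return the scopes in a space-separated grant that touch watched data."""
    return {s for s in scope_string.split() if s.startswith(WATCHED_PREFIXES)}


def review_grants(grants, app_names):
    """Summarise, per app, watched scopes and which lack tenant-wide consent."""
    apps = defaultdict(lambda: {"scopes": set(), "tenant_wide": set(), "users": set()})
    for grant in grants:
        hits = watched_scopes(grant.get("scope") or "")
        if not hits:
            continue  # grant does not touch Exchange or Teams data
        entry = apps[grant["clientId"]]
        entry["scopes"] |= hits
        if grant["consentType"] == "AllPrincipals":
            entry["tenant_wide"] |= hits  # admin already consented for everyone
        else:
            entry["users"].add(grant["principalId"])  # per-user consent
    report = []
    for client_id, entry in sorted(apps.items()):
        report.append({
            "app": app_names.get(client_id, client_id),
            "scopes": sorted(entry["scopes"]),
            "user_grants": len(entry["users"]),
            # Scopes held only through user consent: new users will need approval.
            "needs_admin_review": sorted(entry["scopes"] - entry["tenant_wide"]),
        })
    return report


if __name__ == "__main__":
    for row in review_grants(SAMPLE_GRANTS, SAMPLE_APPS):
        print(row)
```

Apps with a non-empty `needs_admin_review` list are the ones to decide on in advance, either by granting admin consent or by letting requests go through the admin consent workflow.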