M365 Message Center by Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.


© 2026 M365 Message Center. Created with ❤ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Microsoft Exchange Online: Upcoming secure-by-default changes for Exchange APIs

Plan for Change

Message ID

MC1304287

Services

Exchange Online

Summary

Starting June 2026, Microsoft will update the default user consent policy for Microsoft Graph to require admin consent for additional Exchange-related permissions. Users cannot grant consent for these unless apps are approved in the Mail client policy. Existing consents and custom policies remain unaffected.

Details

Introduction

As part of the Microsoft Secure Future Initiative (SFI), and in alignment with the Secure by Default principle, we’re updating the Microsoft‑managed default user consent policy for Microsoft Graph. This change increases administrator control over third‑party application access to Exchange data and aligns default consent behavior with industry best practices for protecting email and related content.

When this will happen

General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by early July 2026.

How this affects your organization

Who is affected

  • Microsoft 365 tenants using the Microsoft‑managed default user consent policy
  • Admins managing Exchange Online and Microsoft Graph app access
  • Organizations that allow third‑party applications to access Exchange data via delegated permissions

What will happen

  • The following Microsoft Graph delegated permissions will be added to the Microsoft recommended user consent policy:
    • Contacts.ReadWrite
    • Contacts.Read.Shared
    • People.Read
    • Tasks.ReadWrite.Shared
    • Tasks.ReadWrite
    • Tasks.Read.Shared
    • Tasks.Read
    • Contacts.ReadWrite.Shared
  • These changes will be reflected as an update to the Microsoft‑managed default user consent policy.
  • With this change, any organization using the Microsoft‑managed user consent policy will require admin consent for these additional permissions to access Exchange mail data. Learn more about Graph permissions.
  • By default, admin consent will be required for third‑party apps requesting these permissions to access Exchange data.
  • Users will no longer be able to grant consent for these permissions unless the app is included in the Mail client policy.
  • The Mail client policy will continue to allow users to consent to approved, popular mail applications for the permissions included in the recommended user consent policy.
  • Existing approved apps and existing user consents are not impacted and will continue to work.
  • Tenants using custom user consent policies are not affected.
  • No additional licensing is required.

What you can do to prepare

  • Review third‑party apps that access Exchange data using Microsoft Graph.
    • Review permissions granted to enterprise applications
  • Create granular app consent policies in advance for apps you want users to continue using without interruption.
    • Manage app consent policies
    • Configure how users consent to applications
  • Configure the admin consent workflow so users can request approval for apps that now require admin consent.
    • Configure admin consent workflow
  • Notify helpdesk staff, security teams, and app owners about the upcoming change.
  • Update internal documentation to reflect the new default consent behavior.

Learn more:

  • Configure how users consent to applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
  • Configure the admin consent workflow | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
  • Manage app consent policies | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
  • Microsoft Graph permissions reference | Microsoft Graph | Microsoft Learn
  • Microsoft Secure Future Initiative (SFI)
  • Review permissions granted to enterprise applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn

Compliance considerations

Question: Does the change alter how existing customer data is processed, stored, or accessed?
Answer: Yes. Access to Exchange data via delegated Microsoft Graph permissions will require admin approval for the additional permissions listed in this message when using the Microsoft‑managed default user consent policy. Existing approved access is not affected.

Question: Does the change include an admin control, and can it be managed through Entra ID?
Answer: Yes. Admins can manage access using Microsoft Graph app consent policies and the admin consent workflow in Microsoft Entra ID.

Timeline

  • Published: May 8, 2026. Message published to Message Center
  • Updated: May 8, 2026. Message content updated
  • End Date: Aug 1, 2026. Message timeline ends

Tags

#New feature #User impact #Admin impact

Category

Plan for Change
