As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we are updating the Microsoft-managed default consent policy in Microsoft 365 Graph to align with Microsoft’s ongoing security improvements, help you to meet industry best practices, and harden your tenant’s security posture. These changes enable admins to better control third-party app access for Exchange and Teams content.

This is the next step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of SFI. This update follows our recent SharePoint and OneDrive changes that blocked legacy protocols and required admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach. admin consent for third-party apps accessing files and sites. The Exchange and Teams updates are a continuation of this same approach.

[When this will happen:]

These changes will begin rolling out by end of October 2025 and are expected to be completed by late-November 2025.

[How this affects your organization:]

The following settings will be updated:

To preserve end-user experience, some Exchange email clients are exempted from this change. Administrators can review and modify as noted below.

These changes will be reflected as an update to the Microsoft-managed default consent policy. With this change, any organization using the Microsoft-managed user consent policy will require admin consent for Mail, Teams Chat and Meetings functionality across various protocols. Learn more about Graph permissions.

• Organizations using other user consent policies will not be affected.
• These changes will not require additional licensing.

[What you can do to prepare:]

We recommend the following actions:

• Assess current configurations: Review existing third-party applications that access Exchange mail, calendar, contacts, and Teams chat/meetings data.
  
  • If you already intend to allow user consent for certain third-party apps, we recommend that you create granular app access policies in advance, so those apps remain usable without interruption (Manage app consent policies, Configure how users consent to applications)
  • If you are already using another consent policy that covers applications that will be impacted by this change and are satisfied with the policy, no changes are required from your end.
• Configure Admin Consent workflow: If your organization relies on third-party apps for Exchange or Teams, set up the workflow (Configuring admin consent workflow); it will enable users to send a request to your global or app admin(s) to approve use of an application for users. Otherwise, potential users will not have an option to request admin approval.
• Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.
• Update documentation: Ensure internal processes and app onboarding guidance reflect the new defaults and the admin consent process.

Additional considerations:

Does the change alter how existing customer data is processed and stored?

• No, it doesn’t change how data is processed or stored.

Does the change alter how existing customer data is accessed?

• Yes, moving forward only admins may approve access for the set of permissions outlined above. Users cannot grant consent to third-party applications that access Exchange and Teams data via delegated permissions.

What is the impact on existing applications?

• Users who have already granted consent to an app can continue to use it without interruption. New users, or apps requesting new or broader permissions, will require admin approval before they can be used. This ensures that only applications explicitly validated by the admin(s) can gain new access moving forward.