[Introduction]
As part of the Microsoft Secure Future Initiative (SFI), and in alignment with the Secure by Default principle, we’re updating the Microsoft‑managed default user consent policy for Microsoft Graph. This change increases administrator control over third‑party application access to Exchange data and aligns default consent behavior with industry best practices for protecting email and related content.
[When this will happen]
General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by early July 2026.
[How this affects your organization]
Who is affected
- Microsoft 365 tenants using the Microsoft‑managed default user consent policy
- Admins managing Exchange Online and Microsoft Graph app access
- Organizations that allow third‑party applications to access Exchange data via delegated permissions
What will happen
- The following Microsoft Graph delegated permissions will be added to the Microsoft recommended user consent policy:
  - Contacts.ReadWrite
  - Contacts.Read.Shared
  - People.Read
  - Tasks.ReadWrite.Shared
  - Tasks.ReadWrite
  - Tasks.Read.Shared
  - Tasks.Read
  - Contacts.ReadWrite.Shared
  - Contacts.ReadWrite
- These changes will be reflected as an update to the Microsoft‑managed default user consent policy.
- With this change, any organization using the Microsoft‑managed user consent policy will require admin consent for these additional permissions to access Exchange mail data. Learn more about Graph permissions.
- By default, admin consent will be required for third‑party apps requesting these permissions to access Exchange data.
- Users will no longer be able to grant consent for these permissions unless the app is included in the Mail client policy.
- The Mail client policy will continue to allow users to consent to approved, popular mail applications for the permissions included in the recommended user consent policy.
- Existing approved apps and existing user consents are not impacted and will continue to work.
- Tenants using custom user consent policies are not affected.
- No additional licensing is required.
[What you can do to prepare]
- Review third‑party apps that access Exchange data using Microsoft Graph.
- Create granular app consent policies in advance for apps you want users to continue using without interruption.
- Configure the admin consent workflow so users can request approval for apps that now require admin consent.
- Notify helpdesk staff, security teams, and app owners about the upcoming change.
- Update internal documentation to reflect the new default consent behavior.
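For the first two preparation steps, the following added example (not part of the original message, and not Microsoft's own tooling) inventories existing delegated grants on Microsoft Graph that include the permissions listed above, so you can see which apps users rely on today and which ones have only per-user grants. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can be granted `Directory.Read.All`; the variable names and report columns are illustrative.

```powershell
# Added example, not from the Message Center post.
# Requires the Microsoft Graph PowerShell SDK and a read-only directory scope.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Delegated permissions named under "What will happen" in this message.
$watched = @(
    'Contacts.ReadWrite', 'Contacts.ReadWrite.Shared', 'Contacts.Read.Shared',
    'People.Read',
    'Tasks.Read', 'Tasks.Read.Shared', 'Tasks.ReadWrite', 'Tasks.ReadWrite.Shared'
)

# Microsoft Graph's service principal in this tenant (well-known Graph appId).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$spCache = @{}   # client service principal lookups, keyed by object id
$grants = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    if ($g.ResourceId -ne $graphSp.Id) { continue }   # only grants on Microsoft Graph
    # Scope is one space-separated string; compare whole scope names.
    $hits = @($g.Scope -split '\s+' | Where-Object { $_ -and $watched -contains $_ })
    if ($hits.Count -eq 0) { continue }
    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    }
    $sp = $spCache[$g.ClientId]
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        OwnerTenant = $sp.AppOwnerOrganizationId
        ConsentType = $g.ConsentType   # 'Principal' = one user, 'AllPrincipals' = tenant-wide
        Permissions = $hits
    }
}

# One row per app. Apps without a tenant-wide grant sort first, most per-user grants on top.
$grants | Group-Object AppId | ForEach-Object {
    $userGrants = @($_.Group | Where-Object ConsentType -eq 'Principal')
    [pscustomobject]@{
        App            = $_.Group[0].App
        AppId          = $_.Name
        OwnerTenant    = $_.Group[0].OwnerTenant
        UserConsents   = $userGrants.Count
        AdminConsented = [bool]($_.Group | Where-Object ConsentType -eq 'AllPrincipals')
        Permissions    = ($_.Group.Permissions | Sort-Object -Unique) -join ' '
    }
} | Sort-Object AdminConsented, @{ Expression = 'UserConsents'; Descending = $true } |
    Format-Table -AutoSize
```

Apps shown with `AdminConsented` false and a high `UserConsents` count are the ones where users who have not yet consented will need admin approval after the rollout, which makes them the first candidates for a granular app consent policy or a reviewed tenant-wide grant.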
Learn more:
- Configure how users consent to applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Configure the admin consent workflow | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Manage app consent policies | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
- Microsoft Graph permissions reference | Microsoft Graph | Microsoft Learn
- Microsoft Secure Future Initiative (SFI)
- Review permissions granted to enterprise applications | Enterprise applications | Microsoft Entra ID | Microsoft Entra | Microsoft Learn
[Compliance considerations]
| Question | Answer |
| --- | --- |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Access to Exchange data via delegated Microsoft Graph permissions will require admin approval for the additional permissions listed in this message when using the Microsoft‑managed default user consent policy. Existing approved access is not affected. |
| Does the change include an admin control, and can it be managed through Entra ID? | Yes. Admins can manage access using Microsoft Graph app consent policies and the admin consent workflow in Microsoft Entra ID. |