Microsoft has announced that starting in mid-July 2025, all Microsoft 365 tenants will automatically block access to SharePoint, OneDrive, and Office files via legacy authentication protocols by default. As reported by Bleeping Computer, this sweeping change is set to roll out across Microsoft Entra, Microsoft 365 apps, SharePoint Online, and Microsoft OneDrive, with no additional licensing required. The update is expected to be fully implemented by August 2025.
The Microsoft 365 Security Legacy Authentication Change
Legacy authentication protocols—such as RPS (Relying Party Suite) for SharePoint and OneDrive, and FPRPC (FrontPage Remote Procedure Call) for Office file opens—have long been considered a significant vulnerability in enterprise security frameworks. These older authentication methods lack the robust protections provided by modern authentication, such as multi-factor authentication (MFA), and are frequently targeted by cybercriminals for brute-force and phishing attacks.
Microsoft’s decision to block these protocols by default is part of a broader initiative to protect organizations from evolving cyber threats. According to Microsoft’s own analysis, more than 99% of password spray attacks and over 97% of credential stuffing attacks against Microsoft Entra ID use legacy authentication protocols. By phasing out these outdated methods, Microsoft aims to close a major security gap.
Who Is Affected?
The change will impact all Microsoft 365 tenants, regardless of size or industry. Organizations that rely on SharePoint, OneDrive, or Office files accessed via legacy authentication methods will need to transition to modern authentication protocols. This includes users accessing files through older web browsers or applications that are not updated to support modern authentication standards.
Microsoft has clarified that no additional licensing is required for this update. The security defaults will be enabled automatically, ensuring that all tenants benefit from the enhanced protection.
Why Is Microsoft Making This Change?
Legacy authentication protocols are inherently less secure than their modern counterparts. They do not support advanced security features like MFA, and they often transmit credentials in clear text, making them easy targets for interception and misuse. Cybercriminals exploit these weaknesses to gain unauthorized access to sensitive data, posing a significant risk to organizations of all sizes.
Microsoft’s announcement emphasizes that blocking legacy authentication is a critical step in reducing the attack surface for Microsoft 365 environments. By enforcing modern authentication, organizations can better protect their data from unauthorized access and minimize the risk of data breaches.
What Are the Technical Details?
The rollout will begin in mid-July 2025 and is expected to be completed by August 2025. The update will block legacy browser authentication to SharePoint and OneDrive using RPS, as well as FPRPC for Office file opens. This means that any application or service still relying on these legacy protocols will no longer be able to access Microsoft 365 resources unless they are updated to support modern authentication.
Microsoft has also stated that the change will address application access permissions that can expose organizations to unnecessary security risks. By updating security defaults, Microsoft is ensuring that only applications and services using secure, modern authentication methods can access sensitive data.
How to Prepare for the Change
Organizations should take proactive steps to ensure a smooth transition:
- Identify Legacy Authentication Usage: Use the Microsoft Entra admin center to review sign-in logs and identify any applications or users still relying on legacy authentication protocols. Filtering by client app can help pinpoint legacy usage.
- Update Applications and Services: Ensure that all applications and services accessing Microsoft 365 resources are updated to support modern authentication. This may require upgrading older versions of Office or other productivity tools.
- Communicate with Users: Inform users about the upcoming changes, especially those who may be using older clients or browsers. Provide guidance on how to transition to modern authentication methods.
- Test Conditional Access Policies: Consider implementing Conditional Access policies to block legacy authentication in a controlled manner. Start in report-only mode to assess the impact before fully enforcing the policy.
- Exclude Critical Accounts: Exclude emergency access or break-glass accounts from any policy changes to prevent accidental lockouts. Also, consider temporarily excluding service accounts that may still require legacy authentication until they can be updated.
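The review described in the steps above can be scripted against exported sign-in records. The following is an added example, not code from Microsoft or from the original article: it groups legacy sign-ins by account and client app and lists the accounts that would lose access once blocking is enforced. The records and the `contoso.example` accounts are constructed, the field names follow the Microsoft Graph signIn resource, and treating every client app other than the two listed as legacy is an assumption.

```python
import json
from collections import defaultdict

# Assumption: only these two clientAppUsed values count as modern authentication;
# every other value is flagged as legacy for review.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records (not real data), using Microsoft Graph signIn field names.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients",
  "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
 {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "Other clients",
  "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-scan@contoso.example", "clientAppUsed": "Authenticated SMTP",
  "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4",
  "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}}
]""")


def legacy_usage(signins, excluded_accounts=()):
    """Group legacy-protocol sign-ins by (account, client app)."""
    excluded = {a.lower() for a in excluded_accounts}
    report = defaultdict(lambda: {"success": 0, "failure": 0, "apps": set(), "excluded": False})
    for rec in signins:
        client = rec.get("clientAppUsed") or "Unknown"
        if client in MODERN_CLIENT_APPS:
            continue
        upn = (rec.get("userPrincipalName") or "").lower()
        entry = report[(upn, client)]
        ok = (rec.get("status") or {}).get("errorCode") == 0
        entry["success" if ok else "failure"] += 1
        entry["apps"].add(rec.get("appDisplayName") or "unknown")
        entry["excluded"] = upn in excluded
    return dict(report)


def would_be_blocked(report):
    """Accounts with successful legacy sign-ins that no exclusion covers."""
    return sorted({upn for (upn, _), e in report.items() if e["success"] and not e["excluded"]})


if __name__ == "__main__":
    rep = legacy_usage(SAMPLE_SIGNINS, excluded_accounts=["svc-scan@contoso.example"])
    for (upn, client), e in sorted(rep.items()):
        print(upn, client, e["success"], e["failure"], sorted(e["apps"]), e["excluded"])
    print("Would lose access:", would_be_blocked(rep))
```

Rows with failures and no successes, such as the constructed `carol` record, are legacy attempts with rejected credentials and are worth reviewing separately from the migration list.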
What Are the Benefits of Modern Authentication?
Modern authentication provides several key security advantages over legacy methods:
- Multi-Factor Authentication (MFA): Modern authentication supports MFA, adding an extra layer of security that significantly reduces the risk of unauthorized access.
- Token-Based Authentication: Modern protocols use tokens instead of transmitting passwords in clear text, making it much harder for attackers to intercept credentials.
- Conditional Access: Modern authentication enables organizations to implement granular access controls based on user, device, location, and other factors.
- Reduced Attack Surface: By phasing out legacy authentication, organizations can close a major security gap and reduce the risk of credential-based attacks.
Potential Challenges
While the move to block legacy authentication is a positive step for security, organizations may face some challenges during the transition:
- Application Compatibility: Some legacy applications or custom scripts may not support modern authentication. Organizations will need to update or replace these tools to maintain access to Microsoft 365 resources.
- User Training: Users accustomed to older authentication methods may need training and support to adapt to modern protocols.
- Temporary Exclusions: Organizations should carefully manage any temporary exclusions for critical accounts to avoid disrupting business operations.
Microsoft’s Commitment to Security
Microsoft’s decision to block legacy authentication by default reflects its ongoing commitment to providing a secure and resilient cloud environment for its customers. By continuously updating security defaults and encouraging the adoption of modern authentication, Microsoft is helping organizations stay ahead of evolving cyber threats.
As the rollout progresses, organizations should monitor their environments for any issues related to the change. Microsoft will continue to provide guidance and support through its official documentation and admin centers. By staying informed and taking proactive steps, organizations can ensure a smooth transition and maximize the security benefits of modern authentication.
The upcoming change to block legacy authentication protocols by default in Microsoft 365 is a significant milestone in the ongoing effort to protect organizations from cyber threats. By phasing out outdated authentication methods, Microsoft is helping to create a more secure and resilient cloud ecosystem for all its customers. Organizations should take advantage of the resources and guidance provided by Microsoft to prepare for the transition and ensure that their data remains protected.