Microsoft's scythe hovers over RPS for Exchange Online

Microsoft shutting down RPS connections for new Exchange Online subscribers on April 1 as part of its ongoing push for more secure modern authentication methods.

The Remote PowerShell Protocol is used for client-to-server communications through PowerShell (PS) cmdlets and is the interface for administrators managing Exchange Online via the command line.

In September 2022, Microsoft launched the PowerShell v3 module, which includes REST-based cmdlets, and let Exchange Online users know that the clock is ticking on RPS. The plan is still to drop RPS completely in June, but it will be blocked for new tenants coming onboard Exchange Online on All Fools' Day.

Those new subscribers will have to use PowerShell v3.

"The overall RPS deprecation plan we announced in December [with the June deadline] applies to all Exchange Online customers connecting with RPS," the Exchange Team announced on Tuesday. "We recommend that all customers move to the v3 module, which is more secure and more reliable than the older PowerShell modules."

PowerShell v3 does come with reliability and performance advantages over older RPS-based versions – the REST API cmdlets can help reduce failures due to network delays or long query execution times. But tighter security is a top driver behind the change and key to that is support for modern authentication methods, or what Redmond calls Modern Auth.

Microsoft began its steady march toward Modern Auth adoption more than three years ago and has since moved various applications – including Outlook Desktop and Outlook Mobile App – to it through security updates.

The software giant in September outlined plans to begin disabling Basic Auth protocols in Exchange Online. Those protocols include not only RPS but also MAPI, Offline Address Book, POP, Exchange ActiveSync, and others.

• Microsoft: For better security, scan more Exchange server objects
• Microsoft lights a fire under .NET Core teams, just in time for Ignite
• Akamai: We stopped record DDoS attack in Europe
• Microsoft sweeps up after breaking .NET with December security updates

The case for modern authentication is growing and an upgrade looks like a smart move. Basic Auth methods don't naturally support such modern security tools like multi-factor authentication.

The v3 module also includes certificate-based authentication, which is also known as app-only authentication and supports unattended script and automation cases through Azure Active Directory apps and self-signed certificates.

Microsoft also is a major proponent of passwordless authentication, as are other vendors, including Google and Apple.

Redmond has said that while it has disabled Basic Auth in many areas and that millions of users already have moved away from it, there are still many who use those methods despite periodic warnings from Microsoft.

The Exchange Team is recommending that admins using a v1 or v2 module or the New-PSSession cmdlet to establish a RPS connection install the v3 module.

At the same time, the Team is responding to user concerns about the RPS timelines "and will soon release a tool to allow tenant admins to request an extension to use RPS for a little longer." ®