Microsoft 365 brings the shutters down on legacy protocols

Microsoft has warned administrators that legacy authentication protocols will be blocked by default from July, meaning that anyone who hasn't made preparations already could be in for a busy summer.

The notification in the Microsoft 365 Message Center this week – MC1097272 – warned that the default settings in Microsoft 365 would be updated starting in mid-July 2025 through to August to "enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access."

It's all part of Microsoft's Secure Future Initiative (SFI) and "Secure by Default" principles. Indeed, the defaults of yesteryear were a boon to malicious actors, but as Microsoft deals with the consequences of design decisions made decades ago, administrators running legacy systems could be facing a headache dealing with the changes.

First in line for the chop is legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol. According to Microsoft, legacy authentication protocols like RPS "are vulnerable to brute-force and phishing attacks due to non-modern authentication." The upshot is that attempting to access OneDrive or SharePoint via a browser using legacy authentication will stop working.

Also being blocked is the FrontPage Remote Procedure Call (RPC) protocol. Microsoft FrontPage was a web authoring tool that was discontinued almost two decades ago. However, the protocol for remote web authoring has lived on until now. Describing legacy protocols like RPC as "more susceptible to compromise," Microsoft will block them to prevent their use in Microsoft 365 clients.

• Microsoft testing PC-to-Cloud-PC failover for those times your machine dies or disappears
• Microsoft broke DHCP for Windows Server last Patch Tuesday
• Microsoft patches the patch that can brick Surface Hub v1 screens
• Microsoft brings 365 suite on-prem as part of sovereign cloud push

Finally, third-party apps will need administrator consent to access files and sites. Microsoft said: "Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure."

While laudable, shifting consent to the administrator could disrupt some workflows. The Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Need consent? A user will need to request an administrator to consent on their behalf.

Time to set up that admin consent workflow?

Microsoft warned: "These changes are on by default and apply to all Microsoft 365 tenants." ®