Microsoft has warned administrators that legacy authentication protocols will be blocked by default from July, meaning that anyone who hasn't made preparations already could be in for a busy summer.
The notification in the Microsoft 365 Message Center this week - MC1097272 - warned that the default settings in Microsoft 365 would be updated starting in mid-July 2025 through to August to "enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access."
It's all part of Microsoft's Secure Future Initiative (SFI) and "Secure by Default" principles. Indeed, the defaults of yesteryear were a boon to malicious actors, but as Microsoft deals with the consequences of design decisions made decades ago, administrators running legacy systems could be facing a headache dealing with the changes.
First in line for the chop is legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol. According to Microsoft, legacy authentication protocols like RPS "are vulnerable to brute-force and phishing attacks due to non-modern authentication." The upshot is that attempting to access OneDrive or SharePoint via a browser using legacy authentication will stop working.
Also being blocked is the FrontPage Remote Procedure Call (RPC) protocol. Microsoft FrontPage was a web authoring tool that was discontinued almost two decades ago. However, the protocol for remote web authoring has lived on until now. Describing legacy protocols like RPC as "more susceptible to compromise," Microsoft will block them to prevent their use in Microsoft 365 clients.
Finally, third-party apps will need administrator consent to access files and sites. Microsoft said: "Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure."
While laudable, shifting consent to the administrator could disrupt some workflows. The Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Need consent? A user will need to request an administrator to consent on their behalf.
Time to set up that admin consent workflow?
Microsoft warned: "These changes are on by default and apply to all Microsoft 365 tenants." ®
Opinion Mozilla's management is a bug, not a feature
The mighty Z80 processor ran the code at astounding speed, proving retro-tech got a lot of things right
Analysis Markets advised to brace for 45 percent fall from Q1 to Q2
Using prompt injections to play a Jedi mind trick on LLMs
As power concerns beset builds, this floating datacenter can plug into powership next door
Line-judging tech flubs crucial point, leaving players and fans seeing red
Opinion A virtual environment makes a great de-hype advisor