
Microsoft has announced a security change for Microsoft 365 tenants that rolls out between mid-July and August 2025. By default, tenants will no longer be able to reach SharePoint, OneDrive, and Office files through the legacy authentication protocols RPS (Relying Party Suite) and FPRPC (FrontPage Remote Procedure Call), which Microsoft says are more susceptible to brute-force and phishing attacks than modern authentication. The move is part of Microsoft's broader push to modern, token-based authentication (OAuth 2.0), which lets Entra ID enforce multi-factor authentication (MFA) and Conditional Access at sign-in, something a protocol that sends a username and password with every request cannot do.
Security Rationale and Scope
Legacy authentication protocols such as IMAP, POP3, and SMTP AUTH with Basic Authentication cannot prompt for a second factor, which makes them the path of least resistance for attackers who already hold a password. According to Microsoft, more than 97% of credential stuffing attacks use legacy authentication. Blocking it is done through Conditional Access policies, which require Entra ID P1 (formerly Azure AD P1; included in Microsoft 365 Business Premium, E3, and E5), or through the free Security Defaults. The difference matters: Security Defaults block legacy authentication tenant-wide with no exclusions, whereas a Conditional Access policy lets you exclude break-glass accounts and scope the block to specific users, apps, or locations.
The change mainly affects older clients: Outlook 2010 and earlier (and Outlook 2013 without the modern-authentication registry keys), mobile mail apps that still use Basic Authentication, and custom scripts or service accounts that speak IMAP, POP3, or SMTP AUTH with a stored password. Microsoft recommends moving to OAuth 2.0-capable clients and rewriting scripts against the Microsoft Authentication Library (MSAL) or Microsoft Graph so they obtain tokens instead of presenting passwords.
Implementation Steps for Administrators
Before enforcing the block, audit who still depends on legacy authentication. The Entra ID (Azure AD) sign-in logs can be filtered on the "Client app" column to surface IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, and "Other clients" traffic; anything other than "Browser" or "Mobile Apps and Desktop clients" is a legacy sign-in. Community PowerShell scripts such as the Basic-Authentication-Reporting tool can automate the same query.
For the policy itself, Microsoft ships Conditional Access templates in the Entra admin center (formerly under Azure AD). Select the "Block legacy authentication" template, exclude your emergency-access (break-glass) accounts, and deploy in report-only mode first so the sign-in logs show what would have been blocked before any user is affected. Hybrid environments need an extra step on the on-premises side, such as blocking IMAP/POP3 with Exchange Server 2019 authentication policies, since a Conditional Access policy only governs sign-ins that reach Entra ID.
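The two steps above, auditing legacy sign-ins and then creating the block policy in report-only mode, can be scripted against Microsoft Graph PowerShell. The following is an added example written for this article, not Microsoft's own script or the Basic-Authentication-Reporting tool. It assumes the Microsoft Graph PowerShell SDK is installed, the tenant has Entra ID P1 (required to read sign-in logs and create Conditional Access policies), and that the break-glass account UPN shown is replaced with your own; the legacy-client rule mirrors the one the "Sign-ins using Legacy Authentication" workbook uses.

```powershell
# Added example for this article (not Microsoft's or the cited tool's code).
# Assumptions: Microsoft.Graph module installed, Entra ID P1 tenant, and a
# break-glass account UPN that you must replace below.
# Scopes: AuditLog.Read.All + Directory.Read.All read the sign-in logs;
# Policy.ReadWrite.ConditionalAccess + Policy.Read.All create the policy.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All",
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# --- Step 1: audit legacy authentication over the last 30 days -------------
# Same rule as Microsoft's legacy-auth workbook: any client app other than
# Browser or Mobile Apps and Desktop clients is a legacy (Basic Auth) sign-in.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }

# One row per user/protocol pair: how often, how recently, and whether it worked.
# Successful legacy sign-ins are the ones that will break when the block goes live.
$summary = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            SignIns   = $_.Count
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path .\legacy-auth-usage.csv -NoTypeInformation

# --- Step 2: create the block policy in report-only mode -------------------
# Replace this UPN with your tenant's emergency-access account (assumption).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com" -Property Id

$policy = @{
    displayName   = "Block legacy authentication (report-only)"
    # Switch to "enabled" once the report-only results have been reviewed.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @("All") }
        # "other" is the Conditional Access bucket for IMAP4, POP3, Authenticated
        # SMTP and other Basic Auth clients; Exchange ActiveSync is its own type.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# --- Step 3: after a few days, list what the report-only policy would block -
# reportOnlyFailure is the result Entra ID records when a report-only policy
# matched a sign-in and would have denied it had it been enforced.
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, IpAddress |
    Format-Table -AutoSize
```

Run step 1 and step 2 once, wait for a representative period (a full billing or reporting cycle catches monthly scripts that a one-week window misses), then run step 3 against a fresh `$since` before changing `state` to `enabled`. The break-glass exclusion is deliberate: if a modern-auth outage ever forces you to fall back, that account must still be able to sign in, so protect it with a long random password and alerting on its use rather than with this policy.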
Automation and Monitoring
Organizations can fold the rollout into existing tooling, for example IT Glue for Intune device documentation or Syncro to open tickets from Entra ID risky-user alerts. After enforcement, Microsoft's "Sign-ins using Legacy Authentication" workbook in the Entra admin center shows any remaining legacy sign-ins and which policies acted on them.
Reddit users in r/entra have shared practical variations, such as a Conditional Access policy that blocks Authenticated SMTP everywhere except from trusted named locations, so an on-premises scanner or application relay keeps working while the same protocol is blocked from the internet. These examples show how Conditional Access lets an organization balance the block against operational needs instead of choosing between all or nothing.
Conclusion
Microsoft’s decision to block legacy authentication by default is a necessary step toward reducing credential-based attacks. The change will require updates to older clients, scripts, and workflows, but removing an authentication path that cannot enforce MFA is worth the transition cost. Organizations should audit their environments now, deploy a Conditional Access block in report-only mode, and move it to enforced before the mid-2025 rollout rather than discovering dependencies when Microsoft turns the block on.
References
- “Microsoft 365 to block file access via legacy auth protocols by default,” BleepingComputer, Jun. 18, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-file-access-via-legacy-auth-protocols-by-default
- “Legacy authentication shall be blocked,” Tminus365 Documentation. [Online]. Available: https://docs.tminus365.com/security/azure-ad-entra/legacy-authentication-shall-be-blocked
- “Block legacy auth scenario,” Reddit/r/entra, Jun. 26, 2024. [Online]. Available: https://www.reddit.com/r/entra/comments/1dp24p8/block_legacy_auth_scenario
- “Conditional Access policy templates (Preview),” Microsoft Docs. [Online]. Available: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common#conditional-access-templates-preview