Microsoft 365 to Block Legacy Authentication by Default — Here’s What You Need to Know

Microsoft boosts Microsoft 365 security by phasing out legacy authentication and tightening app access controls.


Key Takeaways:

  • Microsoft will block legacy authentication protocols in Microsoft 365 by default.
  • The changes aim to enhance security under the Secure Future Initiative and “Secure by Default” approach.
  • Admin consent will be required for third-party apps to access files, reducing risks of overexposure.

Microsoft is set to block legacy authentication protocols by default, cutting off access to SharePoint, OneDrive, and Office files through those protocols to enhance security. IT administrators are advised to prepare, as these default setting changes will roll out across Microsoft 365 tenants starting mid-July 2025.

Why is Microsoft 365 blocking legacy authentication?

Microsoft says this change is part of its Secure Future Initiative (SFI) and the “Secure by Default” principles. In the first phase, it will block legacy browser authentication to SharePoint and OneDrive via the Remote PowerShell (RPS) protocol. These outdated protocols lack modern security measures like multi-factor authentication (MFA) and typically depend on simple username and password combinations, which make them easy targets for phishing and brute-force attacks.

Microsoft will also block the FrontPage Remote Procedure Call (RPC) protocol to prevent its use in Microsoft 365 tenants. It’s a legacy protocol used primarily by Microsoft FrontPage to communicate with web servers. This protocol lacks modern authentication and encryption, which makes it vulnerable to cyberattacks.

Lastly, Microsoft says that third-party apps will need administrator consent to access files and sites. It should help IT admins prevent users from overexposing their organization’s content.

“Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf,” the company explained in the Microsoft 365 admin center.

What do IT admins need to do to prepare?

Microsoft notes that this change could disrupt some workflows in enterprise environments. With the Microsoft-managed App Consent Policies enabled, users will be unable to consent to third-party applications accessing their files and sites by default. Instead, end users will need to ask an administrator to consent on their behalf.

Microsoft says that these changes are enabled by default and applicable to all Microsoft 365 tenants. Administrators can configure admin consent by following the instructions on this support page.