Microsoft 365 will block outdated authentication protocols and make admin consent mandatory for app access from July 2025.
From mid-July, Microsoft is changing default settings in Microsoft 365 to enhance security. Outdated authentication protocols will be blocked, and users will need to request permission from administrators to grant third-party apps access to files and sites. The rollout will continue until August 2025.
Secure Future Initiative
Microsoft is implementing these changes as part of the Secure Future Initiative. This initiative was launched in November 2023 and aims to improve the cybersecurity of Microsoft’s solutions across components and infrastructure. This update aligns with the broader principle of “Secure by Default”, which helps organizations achieve basic security levels.
The changes include three main points:
- Legacy browser authentication via the Relying Party Suite (RPS) protocol will be blocked by default for access to SharePoint and OneDrive. RPS is vulnerable to brute-force and phishing attacks.
- The FPRPC protocol (FrontPage Remote Procedure Call) will be blocked for opening Office files. This protocol is rarely used and increases the risk of vulnerabilities.
- By default, users will no longer be able to grant third-party apps access to files or sites. From now on, explicit approval from an administrator will be required.
The change in app access does not apply to organizations that have previously blocked user consent or implemented custom permission settings. Administrators can also set detailed access rules for specific apps or user groups.
Preparation
Microsoft advises organizations to check their current settings for the use of RPS or FPRPC. IT administrators, app owners, and security teams should be informed. It’s also important to update internal documentation and, if necessary, configure the Admin Consent Workflow process. Microsoft provides a separate guide for this purpose.
The adjustments will be automatically applied to all Microsoft 365 environments. They may affect how data is processed or accessed, as access via older methods will be blocked.
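As an aid to the preparation step, here is an added example (not from this article or from Microsoft) that classifies a tenant's user-consent setting and checks whether the Admin Consent Workflow is ready. It assumes the two policy objects were exported as JSON from Microsoft Graph (`/policies/authorizationPolicy` and `/policies/adminConsentRequestPolicy`); the sample data is constructed, and treating only Microsoft's built-in policies as "default" is this example's own interpretation of the exemption described above.

```python
import json

# Constructed sample data shaped like the two Microsoft Graph policy objects.
SAMPLE_AUTHZ = json.loads("""{
  "defaultUserRolePermissions": {
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
    ]
  }
}""")
SAMPLE_CONSENT_REQ = json.loads('{"isEnabled": false, "reviewers": []}')

SELF_PREFIX = "ManagePermissionGrantsForSelf."
# Built-in user-consent policies; anything else is counted as custom (assumption).
BUILTIN = {
    "microsoft-user-default-legacy": "users may consent to any app",
    "microsoft-user-default-low": "users may consent to low-impact permissions",
}

def user_consent_state(authz):
    """Return (state, detail): state is 'blocked', 'custom' or 'default'."""
    perms = authz.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    # Only ...ForSelf entries govern user consent; other entries are ignored here.
    own = [p[len(SELF_PREFIX):] for p in assigned if p.startswith(SELF_PREFIX)]
    if not own:
        return "blocked", "user consent is already disabled"
    custom = [p for p in own if p not in BUILTIN]
    if custom:
        return "custom", "custom consent policy: " + ", ".join(custom)
    return "default", "; ".join(BUILTIN[p] for p in own)

def review(authz, consent_req):
    """Return (state, workflow_ready, findings) for a tenant export."""
    state, detail = user_consent_state(authz)
    findings = [f"user consent: {state} ({detail})"]
    # The workflow is only usable if it is enabled and someone can review requests.
    workflow_ready = bool(consent_req.get("isEnabled")) and bool(consent_req.get("reviewers"))
    if state == "default":
        findings.append("built-in consent policy in use: expect the new admin-approval default to apply")
    if not workflow_ready:
        findings.append("admin consent workflow disabled or without reviewers: users cannot request approval")
    return state, workflow_ready, findings

if __name__ == "__main__":
    for line in review(SAMPLE_AUTHZ, SAMPLE_CONSENT_REQ)[2]:
        print(line)
```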