Microsoft 365 Implements Default Restrictions on File Access Through Legacy Authentication Protocols

Microsoft has announced updates to security defaults for all Microsoft 365 tenants, set to take effect in July 2025, which will disable access to SharePoint, OneDrive, and Office files through legacy authentication protocols. This significant change aims to enhance security by mitigating potential risks associated with application access permissions.

The rollout is scheduled to commence in mid-July 2025 and is expected to conclude by August 2025. By default, this update will be applied across Microsoft Entra, Microsoft 365 applications, SharePoint Online, and Microsoft OneDrive, without necessitating additional licensing.

According to a message from the Microsoft 365 admin center, the update will automatically block legacy browser authentication to SharePoint and OneDrive that uses the Relying Party Suite (RPS) protocol, and will also block the FrontPage Remote Procedure Call (FPRPC) protocol used for opening Office files.

Legacy authentication protocols, including RPS, are susceptible to brute-force and phishing attacks because they rely on authentication methods that predate modern authentication. By blocking these outdated protocols, Microsoft aims to prevent applications that depend on them from accessing SharePoint and OneDrive via web browsers. Similarly, the largely obsolete FPRPC protocol will no longer be permitted for opening files, which significantly reduces exposure to attacks.

Following the implementation of the new security defaults, third-party applications will require admin consent to access files and sites, minimizing the risk of users inadvertently disclosing organizational content without oversight. Microsoft-managed App Consent Policies will explicitly prevent users from granting consent to third-party applications without prior administrative approval.

Administrators can consult Microsoft Entra support documents for guidance on configuring admin consent and may establish tailored access policies for specific users or groups.

This initiative is part of the Microsoft Secure Future Initiative (SFI) and aligns with the company’s commitment to a ‘Secure by Default’ approach, reforming default settings in Microsoft 365 to assist organizations in achieving foundational security benchmarks and strengthening their security postures. This represents an initial phase in a larger effort to continually enhance Microsoft 365 defaults based on security best practices.

In line with its ongoing security enhancements, Microsoft has recently undertaken measures such as the deactivation of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024. Furthermore, a new feature for Microsoft Teams will be introduced in July, aimed at blocking screen capture during meetings, emphasizing the company’s dedication to fostering a secure collaborative environment.

Additionally, Microsoft has announced plans to expand its list of blocked Outlook attachments to include .library-ms and .search-ms file types, further strengthening its security framework against potential threats.