check before: 2026-01-30
Product:
OneDrive, SharePoint
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message, User impact
Links:
Details:
Summary:
Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by May 1, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked starting February 16, 2026, with temporary re-enablement via PowerShell until April 30, 2026. Organizations must migrate to modern authentication.
Details:
Updated February 5, 2026: We have updated the timeline. Thank you for your patience.
[Introduction:]
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods.
[When this will happen:]
Starting February 16, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.
Release Phase:
Created:
2025-11-11
updated:
2026-02-06
summary for non-techies**
Microsoft will replace the IDCRL authentication protocol for SharePoint Online and OneDrive for Business with OpenID Connect and OAuth protocols starting February 16, 2026, and will permanently remove the old protocol by May 1, 2026, requiring organizations to update their systems accordingly.
Direct effects for Operations**
Authentication Failure
Applications relying on IDCRL will fail to authenticate, leading to service disruptions for users accessing SharePoint Online and OneDrive.
- roles: IT Administrators, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Increased Support Requests
Users may experience issues logging in or accessing resources, resulting in a surge of support requests to IT.
- roles: Help Desk Staff, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Security Vulnerabilities
Continuing to use legacy authentication without migration may expose the organization to security risks, as IDCRL is outdated and vulnerable.
- roles: Security Teams, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Operational Downtime
If migration is not completed before the deadline, critical applications may become inoperable, leading to downtime.
- roles: Application Owners, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
User Experience Degradation
Users may face interruptions in their workflow due to authentication issues, leading to frustration and decreased productivity.
- roles: End Users, Team Leaders
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
|---|---|---|---|
| 2026-02-06 | MC Messages | Updated February 2, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated February 5, 2026: We have updated the timeline. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting February 16, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2026-02-06 | MC How Affect | Who is affected: Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business. What will happen: Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026. Temporary re-enablement is possible via PowerShell until April 30, 2026. After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled. Applications using IDCRL will fail to authenticate unless updated to use modern protocols. | Who is affected: Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business. What will happen: Legacy authentication calls using IDCRL will be blocked by default starting February 16, 2026. Temporary re-enablement is possible via PowerShell until April 30, 2026. After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled. Applications using IDCRL will fail to authenticate unless updated to use modern protocols. |
| 2026-02-06 | MC Last Updated | 02/02/2026 17:00:00 | 2026-02-05T18:48:51Z |
| 2026-02-06 | MC Summary | Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by January 31, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked by default, with temporary re-enablement via PowerShell until April 30, 2026, and permanent retirement from May 1, 2026. Organizations should migrate to modern authentication promptly. | Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by May 1, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked starting February 16, 2026, with temporary re-enablement via PowerShell until April 30, 2026. Organizations must migrate to modern authentication. |
| 2026-02-03 | MC Messages | Updated January 20, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated February 2, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2026-02-03 | MC Last Updated | 01/20/2026 18:39:19 | 2026-02-02T17:00:00Z |
| 2026-01-21 | MC Messages | Updated January 6, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated January 20, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2026-01-21 | MC Last Updated | 01/06/2026 18:18:04 | 2026-01-20T18:39:19Z |
| 2026-01-07 | MC Messages | Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated January 6, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2026-01-07 | MC Last Updated | 12/09/2025 18:47:23 | 2026-01-06T18:18:04Z |
| 2025-12-10 | MC Last Updated | 11/11/2025 01:38:05 | 2025-12-09T18:47:23Z |
| 2025-12-10 | MC Messages | [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards - OpenID Connect and OAuth - which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2025-12-10 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |
Last updated 2 weeks ago