check before: 2026-01-30
Product: OneDrive, SharePoint
Platform: Developer, Online, World tenant
Change type: Admin impact, Retirement, Updated message, User impact
Summary:
Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by January 31, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked by default, with temporary re-enablement via PowerShell until April 30, 2026, and permanent retirement from May 1, 2026. Organizations should migrate to modern authentication promptly.
Details:
Updated January 6, 2026: We are updating this post as a reminder. Thank you for your patience.
[Introduction:]
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards, OpenID Connect and OAuth, which reduce exposure to outdated and vulnerable authentication methods.
[When this will happen:]
Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.
Created: 2025-11-11
Updated: 2026-01-07
Direct effects for Operations**
Authentication Failure
Applications relying on IDCRL will fail to authenticate, leading to service disruptions for users.
- roles: IT Administrators, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Increased Support Requests
Users may experience issues logging in, resulting in a surge of support requests to IT.
- roles: Help Desk Staff, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Security Vulnerabilities
Continuing to use legacy authentication may expose the organization to security risks until migration is complete.
- roles: Security Teams, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Operational Downtime
If not prepared, organizations may face operational downtime as users are unable to access necessary applications.
- roles: IT Administrators, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Documentation Gaps
Internal documentation may become outdated, leading to confusion among IT staff and users regarding authentication processes.
- roles: IT Administrators, App Owners
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
explanation for non-techies**
Microsoft is making a significant change to how users and applications authenticate with SharePoint Online and OneDrive for Business. By January 31, 2026, the older IDCRL authentication protocol will be retired, and modern authentication methods, OpenID Connect and OAuth, will be enforced. This change is akin to replacing an old lock on your office door with a new, more secure one. Just as you would update your office security to prevent unauthorized access, Microsoft is updating its authentication methods to enhance security.
The older IDCRL protocol is like an outdated lock that is easier for intruders to pick. OpenID Connect and OAuth are like state-of-the-art locks that provide better protection against unauthorized access. These modern protocols help ensure that only the right people and applications can access your data, much like how a secure lock ensures only authorized personnel can enter a building.
Starting January 31, 2026, any application or script using the old IDCRL protocol will be blocked by default. However, if your organization needs more time to transition, you can temporarily re-enable the old protocol using PowerShell until April 30, 2026. After this date, the old protocol will be permanently disabled, and all applications must use the new, secure methods.
Organizations currently using the IDCRL protocol should start planning their migration to the new protocols. This involves updating applications and scripts to use OpenID Connect or OAuth, much like updating keys and access cards for a new security system. IT administrators, app owners, and security teams should be informed about this change to ensure a smooth transition.
By moving to these modern authentication methods, organizations can better protect their data and reduce the risk of unauthorized access. It's a proactive step towards ensuring that only those with the right credentials can access sensitive information, similar to how a secure lock system ensures only authorized personnel can enter restricted areas.
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2026-01-07 | MC Messages | Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards, OpenID Connect and OAuth, which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated January 6, 2026: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards, OpenID Connect and OAuth, which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2026-01-07 | MC Last Updated | 12/09/2025 18:47:23 | 2026-01-06T18:18:04Z |
| 2025-12-10 | MC Last Updated | 11/11/2025 01:38:05 | 2025-12-09T18:47:23Z |
| 2025-12-10 | MC Messages | [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards, OpenID Connect and OAuth, which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards, OpenID Connect and OAuth, which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2025-12-10 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |