check before: 2025-07-15
Product:
Entra, Microsoft 365 Apps, OneDrive, SharePoint
Platform:
Online, Web, World tenant
Change type:
Admin impact, Feature update, Updated message, User impact
Summary:
Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025. Organizations should assess configurations, notify stakeholders, update documentation, and configure the Admin Consent workflow.
Details:
Updated July 18, 2025: We have updated the content. Thank you for your patience.
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant's security posture. These changes target legacy authentication protocols and app access permissions that may expose organizations to unnecessary risk.
This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices.
[When this will happen:]
These changes will begin rolling out in mid-July 2025 and are expected to complete by August 2025.
Created:
2025-06-18
Updated:
2025-07-19
Direct effects for Operations**
Blocking Legacy Authentication Protocols
Blocking legacy browser authentication protocols such as RPS (Relying Party Suite) may prevent users from accessing SharePoint and OneDrive through applications that still rely on these outdated methods, disrupting workflows that depend on these services.
- roles: End Users, IT Administrators
- references: https://aka.ms/entra-app-access, https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies
Blocking FPRPC Protocol
Blocking the FPRPC (FrontPage Remote Procedure Call) protocol will prevent users from opening Office files using outdated methods, potentially disrupting access for users who rely on these legacy protocols.
- roles: End Users, Content Creators
- references: https://go.microsoft.com/fwlink/p/?linkid=2324509, https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled
Admin Consent Requirement for Third-Party Apps
Requiring admin consent for third-party apps may slow down access to necessary tools for users, as they will need to wait for admin approval before using these applications.
- roles: End Users, IT Administrators
- references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies
User Experience Disruption
Changes in authentication methods may lead to confusion among users who are accustomed to legacy methods, resulting in a negative user experience and potential productivity loss.
- roles: End Users, Support Staff
- references: https://go.microsoft.com/fwlink/p/?linkid=2324703, https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies
Documentation and Training Needs
The need to update internal documentation and train staff on new processes may lead to temporary inefficiencies and knowledge gaps during the transition period.
- roles: IT Administrators, Training Coordinators
- references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled
Opportunities**
Enhanced Security Awareness Training
With the implementation of secure by default settings, there is an opportunity to enhance security awareness training for employees. This can help users understand the importance of avoiding legacy authentication and the risks associated with third-party app access, fostering a security-first culture.
- next-steps: Develop a training program that focuses on the new security settings, emphasizing the importance of secure practices and how to request admin consent for third-party apps.
- roles: IT Security Team, HR Training Department, All Employees
- references: https://www.csoonline.com/article/3537933/why-security-awareness-training-is-more-important-than-ever.html, https://www.sans.org/security-awareness-training/
Streamlined Admin Consent Workflow
By configuring the Admin Consent workflow effectively, organizations can streamline the process for users requesting access to third-party applications, improving user experience while maintaining security protocols.
- next-steps: Implement the admin consent workflow as outlined in the Microsoft documentation, and ensure it is communicated clearly to users on how to request app access.
- roles: IT Administrators, Application Owners, Security Teams
- references: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow, https://www.microsoft.com/en-us/security/blog/2020/09/29/understanding-the-admin-consent-workflow-in-azure-active-directory/
Regular Security Audits and Compliance Checks
The changes to Microsoft 365 settings provide a good opportunity to implement regular security audits and compliance checks to ensure that the organization adheres to the new security protocols and identifies any vulnerabilities.
- next-steps: Establish a schedule for conducting security audits and compliance checks focusing on the new settings, and assign responsibilities to relevant team members.
- roles: Compliance Officers, IT Security Team, IT Administrators
- references: https://www.csoonline.com/article/3537933/the-importance-of-security-audits.html, https://www.nist.gov/cyberframework
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2025-07-19 | MC Messages | As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant's security posture. These changes target legacy authentication protocols and app access permissions that may expose organizations to unnecessary risk. This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices. [When this will happen:] These changes will begin rolling out in mid-July 2025 and are expected to complete by August 2025. | Updated July 18, 2025: We have updated the content. Thank you for your patience. As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant's security posture. These changes target legacy authentication protocols and app access permissions that may expose organizations to unnecessary risk. This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices. [When this will happen:] These changes will begin rolling out in mid-July 2025 and are expected to complete by August 2025. |
| 2025-07-19 | MC Title | Microsoft 365 Upcoming Secure by Default Settings Changes | (Updated) Microsoft 365 Upcoming Secure by Default Settings Changes |
| 2025-07-19 | MC Last Updated | 06/18/2025 21:08:09 | 2025-07-18T20:30:25Z |
| 2025-07-19 | MC MessageTagNames | Feature update, User impact, Admin impact | Updated message, Feature update, User impact, Admin impact |
| 2025-07-19 | MC prepare | We recommend the following actions: Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols. Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes. Update documentation: Ensure internal guidance reflects the new defaults and admin consent process. Configure Admin Consent workflow: If third party apps access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow. Additional considerations Does the change alter how existing customer data is processed, stored, or accessed? Yes - it blocks access to content via legacy authentication protocols. https://aka.ms/entra-app-access https://go.microsoft.com/fwlink/p/?linkid=2324508 https://go.microsoft.com/fwlink/p/?linkid=2324509 https://go.microsoft.com/fwlink/p/?linkid=2324703 https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled https://learn.microsoft.com/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps | We recommend the following actions: Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols. Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes. Update documentation: Ensure internal guidance reflects the new defaults and admin consent process. Configure Admin Consent workflow: If third party apps access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow. Additional considerations Does the change alter how existing customer data is processed, stored, or accessed? Yes - it blocks access to content via legacy authentication protocols. https://aka.ms/entra-app-access https://go.microsoft.com/fwlink/p/?linkid=2324509 https://go.microsoft.com/fwlink/p/?linkid=2324703 https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled https://learn.microsoft.com/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps |
| 2025-06-19 | MC prepare | We recommend the following actions: Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols and review third-party apps that access SharePoint and OneDrive content. Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes. Update documentation: Ensure internal guidance reflects the new defaults and admin consent process. Configure Admin Consent workflow: If third party apps access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow. Additional considerations Does the change alter how existing customer data is processed, stored, or accessed? Yes - it blocks access to content via legacy authentication protocols. https://aka.ms/AppConsentLearn https://aka.ms/entra-app-access https://go.microsoft.com/fwlink/p/?linkid=2324508 https://go.microsoft.com/fwlink/p/?linkid=2324509 https://go.microsoft.com/fwlink/p/?linkid=2324703 https://learn.microsoft.com/en-us/defender-endpoint/web-content-filtering https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies https://learn.microsoft.com/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps | We recommend the following actions: Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols. Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes. Update documentation: Ensure internal guidance reflects the new defaults and admin consent process. Configure Admin Consent workflow: If third party apps access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow. Additional considerations Does the change alter how existing customer data is processed, stored, or accessed? Yes - it blocks access to content via legacy authentication protocols. https://aka.ms/entra-app-access https://go.microsoft.com/fwlink/p/?linkid=2324508 https://go.microsoft.com/fwlink/p/?linkid=2324509 https://go.microsoft.com/fwlink/p/?linkid=2324703 https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-legacybrowserauthprotocolsenabled https://learn.microsoft.com/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps |
| 2025-06-19 | MC How Affect | The following settings will be updated: Setting: Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite). Impact: Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser. To use PowerShell to block legacy browser authentication, see Set-SPOTenant. Setting: Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens. Impact: FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, legacy protocols such as FPRPC can be more susceptible to compromise and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked for opening files, preventing the use of this non-modern protocol in Microsoft 365 clients. To learn how to block the FPRPC protocol, see turn on web content filtering. Setting: Require admin consent for third-party apps accessing files and sites. Impact: Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft managed App Consent Policies will be enabled, and users will be unable to consent to third party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf. To configure admin consent, follow instructions here: configuring the Admin Consent workflow. Customers who have already blocked user consent or applied custom user consent settings will not be affected by this change. Admins can also configure granular app access policies, such as limiting user access to the application for specific users or groups. Learn more here. These changes are on by default and apply to all Microsoft 365 tenants. No additional licensing is required. | The following settings will be updated: Setting: Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite). Impact: Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser. To use PowerShell to block legacy browser authentication, see Set-SPOTenant. Setting: Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens. Impact: FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, legacy protocols such as FPRPC can be more susceptible to compromise and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked for opening files, preventing the use of this non-modern protocol in Microsoft 365 clients. To learn how to block the FPRPC protocol, see turn on web content filtering. Setting: Require admin consent for third-party apps accessing files and sites. Impact: Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft managed App Consent Policies will be enabled, and users will be unable to consent to third party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf. To configure admin consent, follow instructions here: Configuring the Admin Consent workflow. Customers who have already blocked user consent, turned on our previously recommended consent settings, or applied custom user consent settings will not be affected by this change. Admins can also configure granular app access policies, such as limiting user access to the application for specific users or groups. Learn more here. These changes are on by default and apply to all Microsoft 365 tenants. No additional licensing is required. |
| 2025-06-19 | MC Last Updated | 06/18/2025 08:14:42 | 2025-06-18T21:08:09Z |
| 2025-06-18 | MC Last Updated | 06/18/2025 01:24:21 | 2025-06-18T08:14:42Z |