MC1169566 – Exchange ActiveSync TLS 1.3 Certificate Based Authentication Change

check before: 2025-10-10

Product:

Exchange

Platform:

Online, US Instances, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Details:

Summary:
Exchange ActiveSync Certificate-Based Authentication now supports TLS 1.3, routing traffic to new tenant-location-based endpoints. Most clients will redirect seamlessly, but organizations using Secure Email Gateways may need to update firewall settings. Rollout began globally, expanding to other clouds by November 2025.

Details:
As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.
With this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location

Release Phase:

Created:
2025-10-10

updated:
2025-10-10

Direct effects for Operations**

Firewall Configuration Issues
Organizations using Secure Email Gateways may experience disruptions if firewall settings are not updated to allow traffic to new CBA endpoints, potentially leading to email access issues for users.
   - roles: IT Administrators, Network Engineers
   - references: https://learn.microsoft.com/openspecs/exchange_server_protocols/ms-ashttp/7b7fabb9-910c-4f1c-9396-57d7ca579a31, https://aka.ms/EASTLS13

User Access Disruption
If the Secure Email Gateway is not properly configured, users may face difficulties accessing their email via Exchange ActiveSync, leading to a negative user experience.
   - roles: End Users, Help Desk Support
   - references: https://learn.microsoft.com/openspecs/exchange_server_protocols/ms-ashttp/7b7fabb9-910c-4f1c-9396-57d7ca579a31, https://datatracker.ietf.org/doc/html/rfc8446

Increased Support Tickets
The change may lead to an increase in support tickets as users report issues accessing email, overwhelming IT support teams if not prepared for the transition.
   - roles: Help Desk Support, IT Administrators
   - references: https://learn.microsoft.com/openspecs/exchange_server_protocols/ms-ashttp/7b7fabb9-910c-4f1c-9396-57d7ca579a31, https://aka.ms/EASTLS13

explanation for non-techies**

Exchange ActiveSync, a protocol used to sync emails, contacts, and calendars on mobile devices, is undergoing a change to enhance security. Imagine it like upgrading the locks on your office doors to the latest technology to ensure better protection. In this case, the "lock" is the TLS 1.3 protocol, which is a more secure way of encrypting data sent over the internet.

The change involves routing all Exchange ActiveSync traffic through new, specific pathways based on where your organization is located. Think of it like setting up dedicated lanes on a highway for different regions to improve traffic flow and security. Most users won't notice this change, as their devices will automatically switch to these new lanes without any action needed from them.

However, if your organization uses a Secure Email Gateway (SEG), which acts like a security checkpoint for your emails, you might need to adjust your settings. It's similar to updating the access list at your office's security desk to ensure that everyone can still enter the building smoothly. You may need to allow traffic to and from these new pathways to keep everything running seamlessly.

If you have any concerns or need assistance, reaching out to your SEG provider would be a good step. They can help ensure that your systems are aligned with these updates, maintaining a secure and efficient email environment.

** AI generated content. This information must be reviewed before use.
