check before: 2026-01-30
Product:
OneDrive, SharePoint
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message, User impact
Links:
Details:
Summary:
Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by January 31, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked by default, with temporary re-enablement via PowerShell until April 30, 2026, and permanent retirement from May 1, 2026. Organizations should migrate to modern authentication promptly.
Details:
Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience.
[Introduction:]
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards (OpenID Connect and OAuth), which reduce exposure to outdated and vulnerable authentication methods.
[When this will happen:]
Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.
Release Phase:
Created:
2025-11-11
updated:
2025-12-10
Direct effects for Operations**
Authentication Failure
Applications relying on IDCRL will fail to authenticate, leading to service disruptions for users.
- roles: IT Administrators, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Increased Support Requests
Users may experience issues logging in, resulting in a surge of support requests to IT.
- roles: Help Desk Support, End Users
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Security Vulnerabilities
Continuing to use legacy authentication without migration may expose the organization to security risks.
- roles: Security Teams, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
Operational Downtime
If migration is not completed before the deadline, critical applications may become inoperable, causing downtime.
- roles: Application Owners, IT Administrators
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
User Experience Degradation
Users may face interruptions in accessing SharePoint and OneDrive services, leading to frustration and decreased productivity.
- roles: End Users, Project Managers
- references: https://devblogs.microsoft.com/microsoft365dev/migrating-from-idcrl-authentication-to-modern-authentication-in-sharepoint/
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
|---|---|---|---|
| 2025-12-10 | MC Last Updated | 11/11/2025 01:38:05 | 2025-12-09T18:47:23Z |
| 2025-12-10 | MC Messages | [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards (OpenID Connect and OAuth), which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. | Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. [Introduction:] As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the "Secure by Default" principle, we're retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization's security posture by enforcing modern authentication standards (OpenID Connect and OAuth), which reduce exposure to outdated and vulnerable authentication methods. [When this will happen:] Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026. Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled. |
| 2025-12-10 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |