Published Jun 17, 2025
Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025. Organizations should assess configurations, notify stakeholders, update documentation, and configure the Admin Consent workflow.
As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant’s security posture. These changes target legacy authentication protocols and app access permissions that may expose organizations to unnecessary risk.
This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices.
When this will happen:
These changes will begin rolling out in mid-July 2025 and are expected to complete by August 2025.
How this affects your organization
The following settings will be updated:
| Settings | Impact |
| Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite) | Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser. To use PowerShell to block legacy browser authentication, see Set-SPOTenant. |
| Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens | FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, Legacy protocols such as FPRPC can be more susceptible to compromise and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked for opening files, preventing the use of this non-modern protocol in Microsoft 365 clients. To learn how to block the FPRPC protocol, see turn on web content filtering. |
| Require admin consent for third-party apps accessing files and sites | Users allowing third-party apps to access file and site content can lead to overexposure of an organization’s content. Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft managed App Consent Policies will be enabled, and users will be unable to consent to third party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf. To configure admin consent, follow instructions here: Configuring the Admin Consent workflow. Customers who have already blocked user consent, turned on our previously recommended consent settings, or applied custom user consent settings will not be affected by this change. |
These changes are on by default and apply to all Microsoft 365 tenants. No additional licensing is required.
What you can do to prepare:
We recommend the following actions:
Additional considerations