Microsoft 365 to block file access via legacy auth protocols by default

Microsoft has announced that it will start updating the security defaults of all Microsoft 365 tenants in July to block access to SharePoint, OneDrive, and Office files over legacy authentication protocols.
The same update also tightens application access permissions that can expose organizations to unnecessary risk. The rollout is set to begin in mid-July 2025, with completion estimated for August 2025.
Microsoft will enable them by default for all Microsoft 365 tenants, across Microsoft Entra, Microsoft 365 apps, SharePoint Online, and Microsoft OneDrive, with no additional licensing required.
As the company explained in a Microsoft 365 admin center message on Tuesday, once the changes roll out, Microsoft 365 will automatically block legacy browser authentication to SharePoint and OneDrive over RPS (Relying Party Suite), and will also block the FPRPC (FrontPage Remote Procedure Call) protocol for opening Office files.
“Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser,” the company explained.
“FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, legacy protocols such as FPRPC can be more susceptible to compromise, and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked for opening files, preventing the use of this non-modern protocol in Microsoft 365 clients.”
After the new security defaults roll out, Microsoft 365 tenants will also require admin consent for third-party apps to access files and sites, preventing users from overexposing their organization’s content.
With this change, Microsoft-managed app consent policies will by default prevent users from consenting to third-party applications accessing their files and sites until an admin has approved the request.
Admins can refer to Microsoft's Entra documentation on configuring the admin consent workflow, and can also configure granular access policies for specific users or groups.
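The following PowerShell script is an added example, not code from Microsoft's message-center post or from its documentation. It audits a tenant for the two settings the new defaults touch (legacy authentication to SharePoint Online/OneDrive, and whether ordinary users may consent to third-party apps) and, with `-Enforce`, applies the hardened values ahead of the rollout. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules are installed, that `contoso` is a placeholder tenant prefix, that the caller holds the SharePoint Administrator and a role able to update the authorization policy, and that the pre-existing `LegacyAuthProtocolsEnabled` tenant setting is the relevant knob for non-modern authentication (the announcement quoted above does not name a setting, so that mapping is an assumption).

```powershell
# Added example (not Microsoft's own code): report, and optionally enforce, the two
# tenant settings the new Microsoft 365 security defaults change.
# Assumptions: SharePoint Online Management Shell + Microsoft.Graph modules installed,
# "contoso" is a placeholder tenant prefix, and the caller has the needed admin roles.
param(
    [string]$TenantName = "contoso",   # placeholder; replace with your tenant prefix
    [switch]$Enforce                    # without -Enforce the script only reports
)

# --- 1. Legacy (non-modern) authentication to SharePoint Online / OneDrive ----------
# LegacyAuthProtocolsEnabled = $true lets clients that cannot perform modern auth
# reach SharePoint and OneDrive content; $false is the hardened state.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
Write-Host ("LegacyAuthProtocolsEnabled     : {0}" -f $spo.LegacyAuthProtocolsEnabled)

if ($spo.LegacyAuthProtocolsEnabled -and $Enforce) {
    # Turn legacy auth off now rather than waiting for Microsoft's default to land.
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    Write-Host "LegacyAuthProtocolsEnabled set to False"
}

# --- 2. User consent to third-party applications --------------------------------------
# The tenant authorization policy lists the permission-grant policies that apply to
# ordinary users. An empty list means users cannot consent at all, so every
# third-party app request must go through admin consent; an entry such as
# "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" means users may consent.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$authz       = Get-MgPolicyAuthorizationPolicy
$userConsent = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

if ($userConsent.Count -gt 0) {
    Write-Host ("PermissionGrantPoliciesAssigned: {0}" -f ($userConsent -join ', '))
} else {
    Write-Host "PermissionGrantPoliciesAssigned: <none> (admin consent already required)"
}

if ($userConsent.Count -gt 0 -and $Enforce) {
    # Remove every user-consent grant policy so only admins can approve app access.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @()
    }
    Write-Host "User consent disabled; third-party apps now require admin approval"
}
```

Run it without `-Enforce` first to see what will change. Disabling user consent without an admin consent request workflow in place simply leaves users with a blocked prompt and no path to ask for approval, so enable that workflow before or alongside this change.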
“As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the ‘Secure by Default’ principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant’s security posture,” Redmond added.
“This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices.”
Since the start of the year, the company has also begun disabling all ActiveX controls in the Windows versions of Microsoft 365 and Office 2024 applications, and said it will start rolling out in July a new Teams feature designed to block screenshots during meetings.
Last week, Microsoft also announced that it will add the .library-ms and .search-ms file types to the list of blocked Outlook attachments starting next month.