

Microsoft 365 Brings the Shutters Down On Legacy Protocols (theregister.com)
Starting mid-July 2025, Microsoft 365 will begin blocking legacy authentication protocols like Remote PowerShell and FrontPage RPC to enhance security under its "Secure by Default" initiative. Admins must now grant explicit consent for third-party app access, which could disrupt workflows but aims to reduce unauthorized data exposure. The Register reports: First in line for the chop is legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol. According to Microsoft, legacy authentication protocols like RPS "are vulnerable to brute-force and phishing attacks due to non-modern authentication." The upshot is that attempting to access OneDrive or SharePoint via a browser using legacy authentication will stop working.
Also being blocked is the FrontPage Remote Procedure Call (RPC) protocol. Microsoft FrontPage was a web authoring tool that was discontinued almost two decades ago. However, the protocol for remote web authoring has lived on until now. Describing legacy protocols like RPC as "more susceptible to compromise," Microsoft will block them to prevent their use in Microsoft 365 clients.
Finally, third-party apps will need administrator consent to access files and sites. Microsoft said: "Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure." "While laudable, shifting consent to the administrator could disrupt some workflows," writes The Register's Richard Speed. "The Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Need consent? A user will need to request an administrator to consent on their behalf."
and widely used OAuth web auth is 12 years old (Score:2)
How old does OAuth need to be before it's legacy and replaced by a more modern web authorization method?
Re: (Score:2)
Well, first, a better "modern" authentication system will need to exist and be widely available. Sure, there are lots of competing systems that are supposed to be more secure, but many of them are difficult to use, especially for nontechnical people.
OAuth itself has multiple versions; once the older versions become seen as insecure, they'll start to fade away.
Oh no! (Score:1)
Not Frontpage!
Legacy authentication protocols .. (Score:2)
Re: (Score:2)
Indeed. And they screwed it up time and again. Greedy assholes.
"Secure by default" is a lie (Score:2)
At least when Microsoft makes such a claim. The only way to get anything even close is to leave Microsoft behind and go for actual quality.
Not all bad, not all good ... (Score:2)
At least, this might crack down on a bunch of shadow IT. We've all seen it, users link up free/paid solutions that are off IT's supported roadmap. Put on the departmental credit card.
Then it breaks and they turn to IT to fix it. And all the compliance and security risks that brings. (If it's your personal data, fine, go nuts. Company data, less so).
Now it will probably need to be raised to Administrators, so they can say things like "What? Why? When?" and "You're fire-trucking kidding me, right?"
However, as ot
Admin consent workflow is flawed (Score:2)
Although it has