Microsoft 365 – MAJOR UPDATE : Secure by Default Settings Changes

Hi All,

Greetings for the day!!!

Today, I am sharing MAJOR UPDATE related to security.

MAJOR UPDATE:

• Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols.
• Requiring admin consent for third-party app access.

Details

• Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols.
• Requiring admin consent for third-party app access.
• Microsoft is updating default settings in Microsoft 365 to help to meet the minimum security benchmark and harden our tenant’s security posture
• These changes target
  • legacy authentication protocols and
  • app access permissions that may expose organizations to unnecessary risk.
• Microsoft will enable these settings by default for all Microsoft 365 tenants, across
  • Microsoft Entra,
  • Microsoft 365 apps,
  • SharePoint Online, and
  • Microsoft OneDrive, with no extra licensing required.

Following Settings will be updated

1. Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens
   • FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring.
   • Legacy protocols such as FPRPC can be more susceptible to compromise and blocking FPRPC helps reduce exposure to vulnerabilities.
   • With this change, FPRPC will be blocked for
     • opening files,
     • preventing the use of this non-modern protocol in Microsoft 365 clients. 
2. Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite)
   • Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication.
   • Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser.
   • We can use PowerShell to block legacy browser authentication. We have detailed articles.
     • Microsoft 365: PowerShell – How to Block legacy browser authentication to SharePoint and OneDrive – https://knowledge-junction.in/2025/06/22/m365-ps-block-legacy-browser-authentication-to-spo-onedrive/
3. Require admin consent for third-party apps accessing files and sites
   • Users allowing third-party apps to access file and site content can lead to overexposure of an organization’s content.
   • Requiring admins to consent to this access can help reduce overexposure.
   • With this change,
     • Microsoft managed App Consent Policies will be enabled, and
     • Users will be unable to consent to third party applications accessing their files and sites by default.
   • Instead, they can request administrators to consent on their behalf.
   • Customers who have already blocked user consent will not be affected by this change.
   • Those who turned on our previously recommended consent settings will also remain unaffected.
   • This change will not impact customers who applied custom user consent settings.
   • Admins can also configure granular app access policies, like limiting user access to the application for specific users or groups.
   • We can configure “Consent and permissions” settings from Microsoft Entra admin center. As shown in image below.

TIMELINE

• Updates will start from mid – July 2025
• Updates will be completed by Aug 2025

REFERENCES

• How to Block legacy browser authentication to SharePoint and OneDrive – https://knowledge-junction.in/2025/06/22/m365-ps-block-legacy-browser-authentication-to-spo-onedrive/
• Configure the admin consent workflow – https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow

Thanks for reading 🙂

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.