Microsoft is enhancing security measures for Microsoft 365 by implementing default blocks on legacy protocols and third-party applications, necessitating immediate action from users.
In a significant move to bolster security, Microsoft has announced that many legacy protocols will be deactivated by default across its Office applications, Entra, SharePoint Online, and OneDrive. This initiative is part of the Secure Future Initiative (SFI), which aims to align the default configurations of Microsoft services with a secure-by-default principle. The changes will impact all Microsoft 365 tenants, including both administrators and users.
Specifically, Microsoft 365 will now block web browser access to SharePoint and OneDrive via the RPS protocol (Relying Party Suite), which has been identified as vulnerable to brute-force attacks. This protocol was commonly used with outdated web browsers or client applications that required access to cloud services without modern authentication technologies. Additionally, the FPRPC protocol, which was once used to open Office documents, will also be blocked. This protocol, originating from the now-defunct web design tool FrontPage, is considered outdated and poses security risks, yet it is still used in legacy applications and automated processes within organizations.
Third-party developers locked out for now
Moreover, Microsoft will require explicit approval from administrators for third-party applications seeking access to files and pages. Users will no longer be able to grant this consent independently. Administrators will have the ability to manage associated rights with granularity, allowing them to restrict access for specific programs to individual users or groups.
The implications of these changes are multifaceted. While they undoubtedly enhance the security of the Microsoft 365 standard configuration, there is a potential downside: applications that were previously functional may cease to operate without manual intervention from administrators. Consequently, Microsoft advises that organizations promptly identify any affected applications. For those utilizing third-party developer apps in conjunction with Microsoft 365, establishing a workflow for access approval is recommended.
The transition to these new settings is scheduled to begin in mid-July 2025, with completion expected by August. Further details regarding these changes can be accessed in the Microsoft 365 Message Center under entry MC1097272.
Windows 365: Convenience features disabled by default
Simultaneously, Microsoft is rolling out new security settings for its Windows 365 Cloud PCs. By default, the linking of clipboard, storage, USB devices, and printers between Cloud PCs and local computers will be disabled. This change will affect only newly set up Cloud PCs, and the features can be enabled again afterwards.
For those configuring Windows 365 using a Windows 11 Gallery image, VBS, Credential Guard, and HVCI will be activated by default on the new system. More information regarding these security updates for Cloud PCs can be found in the Tech Community. Microsoft plans to implement these new Windows 365 defaults in the latter half of 2025.