Old apps and third-party providers blocked: Major Microsoft 365 security impact

Microsoft is now blocking legacy protocols and third-party providers by default: This increases M365 security, but users must act immediately.

More security for Microsoft 365 by default: In the future, many legacy protocols will be deactivated by default for the Office applications, Entra, SharePoint Online and OneDrive. The changes are part of the Secure Future Initiative (SFI), in which Microsoft is adapting the default configuration of its services based on the secure-by-default principle. The change explicitly affects all Microsoft 365 tenants, administrators and users alike.

Specifically, M365 will in future block web browser access to SharePoint and OneDrive via the RPS protocol (Relying Party Suite). RPS is susceptible to brute-force attacks and was previously used by old web browsers or client applications that had to access cloud services without modern authentication.

M365 also blocks the FPRPC protocol, which was previously used to open Office documents. The name, FrontPage Remote Procedure Call, shows that it originates from the web design tool FrontPage, which was discontinued almost 20 years ago. Access via FPRPC is correspondingly outdated and prone to security problems, but, like RPS, it is still used in legacy applications and automated processes in companies.

Finally, Microsoft will in future require third-party applications to be explicitly approved by the administrator when accessing files and pages. By default, users will no longer be able to give this consent themselves. Those responsible can control the associated rights granularly, for example by restricting certain programs to individual users or groups.

The effects of the changes are double-edged: on the one hand, they undoubtedly increase the security of the M365 standard configuration. On the other hand, applications that were previously used could stop working from one day to the next without manual intervention by administrators – which is why Microsoft recommends identifying affected applications immediately. If third-party developer apps are used together with M365, those responsible should also set up a workflow for approving access.

The changeover will take place from mid-July 2025 and should be completed by August. Further information on the changes can be found in the Microsoft 365 Message Center under the entry MC1097272.

At the same time, Microsoft is introducing new security settings for its Windows 365 Cloud PCs: By default, redirection of the clipboard, storage, USB devices and printers between the Cloud PC and the local computer will be deactivated in the future. Only newly set up Cloud PCs are affected, and the redirections can be re-enabled afterwards.

Cloud PCs that are set up with a Windows 11 Gallery image will in future have VBS (virtualization-based security), Credential Guard and HVCI (hypervisor-protected code integrity) activated by default. Details on the security updates for Cloud PCs can be found in the Tech Community. Microsoft plans to introduce the new Windows 365 defaults in the second half of 2025.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.