Exchange ActiveSync TLS 1.3 Certificate Based Authentication Change
MC1169566
Category: planForChange
Severity: normal
Major change: False
Last modified: 2025-10-10 15:51:29
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): (none)
Action by (AI): (none)
Services: Exchange Online
Tags: Feature update, Admin impact
Master tags: Security, Network
Roadmap IDs: (none)

One-line summary

Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints to support TLS 1.3; update SEG/firewall configs if filtering ActiveSync traffic.

Details

Summary
Exchange ActiveSync Certificate-Based Authentication now supports TLS 1.3, routing traffic to new tenant-location-based endpoints. Most clients will redirect seamlessly, but organizations using Secure Email Gateways may need to update firewall settings. Rollout began globally, expanding to other clouds by November 2025.

Body (from Message Center)

As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.

With this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location.

[How this will affect your organization:]

This change has already begun to roll out in the worldwide multi-tenant cloud and will start rolling out in other clouds starting November 2025. As a result of this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location:

  • Multi-tenant (Worldwide and GCC): outlook-cba.office365.com
  • DoD: outlook-dod-cba.office365.us
  • GCC-High: outlook-cba.office365.us

[What you need to do to prepare:]

For most Exchange ActiveSync clients, this change will be seamless. The client traffic will be implicitly redirected to the new CBA endpoints without any user action required.

However, if your organization uses a Secure Email Gateway (SEG) or similar gateway that filters or inspects ActiveSync traffic, you may need to update your firewall or gateway configuration to allow traffic to and from the new CBA endpoints listed above.

If you have questions or concerns on this change, please contact your SEG vendor. We appreciate your cooperation and commitment to maintaining a secure environment.
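
An added example (not part of the Message Center post): one way to check an exported gateway allowlist against the three CBA endpoints listed above and, when run from behind the gateway, confirm that a TLS 1.3 handshake completes. The rule syntax (exact FQDNs or `*.suffix` wildcards), the sample rules, port 443, and the function names are assumptions.

```python
import fnmatch
import socket
import ssl

# Endpoints listed in the message, keyed by cloud.
CBA_ENDPOINTS = {
    "Multi-tenant (Worldwide and GCC)": "outlook-cba.office365.com",
    "DoD": "outlook-dod-cba.office365.us",
    "GCC-High": "outlook-cba.office365.us",
}

def uncovered_endpoints(allowlist, endpoints=CBA_ENDPOINTS):
    """Return {cloud: host} for CBA endpoints that no allowlist rule matches.

    Rules are exact FQDNs or '*.suffix' wildcards (assumed syntax); matching
    is case-insensitive and ignores a trailing dot.
    """
    rules = [r.strip().lower().rstrip(".") for r in allowlist if r.strip()]
    missing = {}
    for cloud, host in endpoints.items():
        name = host.lower().rstrip(".")
        if not any(fnmatch.fnmatchcase(name, rule) for rule in rules):
            missing[cloud] = host
    return missing

def probe_tls13(host, port=443, timeout=5.0):
    """Connect over the current network path and refuse anything below TLS 1.3.

    Returns (True, 'TLSv1.3') on success, else (False, reason). A failure for
    an allowlisted host can indicate a gateway that intercepts or downgrades TLS.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # covers DNS, timeout, reset and ssl.SSLError
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    # Constructed sample allowlist, as it might be exported from a gateway.
    sample = ["outlook.office365.com", "*.office365.com", "outlook.office365.us"]
    for cloud, host in uncovered_endpoints(sample).items():
        print(f"not allowlisted: {host} ({cloud})")
    for host in CBA_ENDPOINTS.values():
        print(host, probe_tls13(host))
```

With the constructed sample, the `*.office365.com` wildcard covers the multi-tenant endpoint, but neither `.office365.us` endpoint is matched, because the only `.us` rule is an exact name for a different host.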

Learn more:

Upcoming TLS Changes for Certificate Based Auth ActiveSync Traffic. 

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

As specified in the official ActiveSync documentation ([MS-ASHTTP]: Authorization | Microsoft Learn), EAS requests without an Authorization header will be treated as CBA requests.
