Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols
MC1184649
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-12-09 17:47:23
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2026-01-30 08:00:00
Action by (AI):
Services: SharePoint Online, Microsoft OneDrive
Tags: Updated message, User impact, Admin impact, Retirement
Master tags: Security
Roadmap IDs:

One-line summary

Legacy IDCRL authentication in SharePoint Online and OneDrive for Business will be blocked by default on Jan 31, 2026, and permanently retired on May 1, 2026; migrate to modern authentication protocols.


Details

Summary
Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by January 31, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked by default, with temporary re-enablement via PowerShell until April 30, 2026, and permanent retirement from May 1, 2026. Organizations should migrate to modern authentication promptly.

Body (from Message Center)

Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. 

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

  • Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
  • Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

  • Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

  • Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
  • Temporary re-enablement is possible via PowerShell until April 30, 2026.
  • After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
  • Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible. 

To prepare for this retirement:

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.
