Microsoft to Deprecate Legacy TLS in Exchange Online Starting July 2026
1) Overview
- Microsoft will block legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online.
- The deprecation is scheduled to begin in July 2026.
- The change targets legacy endpoints used by some POP/IMAP clients and devices; most modern clients already use TLS 1.2 or higher.
- The goal is to enforce the use of current, secure encryption protocols for email access over the Internet.
2) Why this change is occurring
- TLS 1.0 and TLS 1.1 have been considered outdated and less secure for many years.
- TLS 1.2 and newer versions provide stronger cryptographic protections and are widely supported by modern clients.
- Industry momentum toward deprecating older TLS versions has been accelerating for more than a decade, with browsers, operating systems, and security agencies pushing for upgraded configurations.
- In Exchange Online, this move is part of a broader effort to reduce attack surfaces and improve overall data protection for user traffic.
3) What will be affected
- POP3 and IMAP4 connections to Exchange Online will be constrained to TLS 1.2 or later.
- Connections using TLS 1.0 or TLS 1.1 will fail to authenticate or establish sessions.
- Legacy applications, devices, or embedded systems that rely on older TLS versions may stop connecting.
- Custom or built-in systems that embed or rely on legacy TLS endpoints may require updates to continue functioning.
4) Scope and expected impact
- The majority of Exchange Online users who access mail via POP or IMAP today already use TLS 1.2+; they are unlikely to be affected.
- Only customers who actively opted into legacy TLS endpoints in the past are likely to experience disruption when the deprecation is enforced.
- The change reinforces a broader industry transition away from insecure cryptographic configurations to modern, secure protocols.
5) Timeline and interim considerations
- July 2026: Legacy TLS support for POP3/IMAP4 will be removed from Exchange Online.
- Before July 2026: Microsoft has indicated that support for legacy TLS is being phased out, with a push toward enabling and enforcing TLS 1.2+ by default.
- Historical context: TLS 1.0 and TLS 1.1 had already been deprecated in other major platforms, with TLS 1.3 increasingly adopted as a standard in recent years.
6) Context and related security trends
- The deprecation aligns with long-standing efforts to retire weak encryption and minimize exposure to network-based threats.
- Guidance from security authorities has consistently encouraged upgrading to modern TLS versions to reduce the risk of eavesdropping, tampering, and impersonation.
- The industry’s shift toward TLS 1.2+ and beyond has been reinforced by broader browser and platform security updates over the past several years.
7) Summary of expected user experience
- For most users: no change in behavior if their POP/IMAP clients already use TLS 1.2+.
- For some users: older clients or devices may fail to connect after the July 2026 deprecation unless they have been updated or replaced.
- For administrators and developers: validate POP/IMAP client configurations and embedded integrations to confirm that they support TLS 1.2+ and are ready for the change.
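One way to carry out the client validation described above, as an added example that is not from Microsoft or the original page: the function reads the first record a client sends on an implicit-TLS POP3/IMAP4 connection (a ClientHello, for instance exported from a packet capture) and reports the highest TLS version the client offers. The function names and the sample hellos are constructed for illustration, and the parser assumes the whole ClientHello sits in one record.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
FLOOR = 0x0303  # TLS 1.2: the minimum the page says POP3/IMAP4 will require

def max_offered_version(record: bytes) -> int:
    """Highest TLS version offered in a raw ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:]                                  # skip record (5) + handshake (4) headers
        offered = [struct.unpack_from("!H", body, 0)[0]]   # legacy client_version field
        pos = 34                                           # version (2) + random (32)
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        pos += 2                                           # extensions length (absent in old hellos)
        while pos + 4 <= len(body):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 43 and data:                    # supported_versions overrides the legacy field
                stop = min(1 + data[0], len(data) - 1)
                offered = [struct.unpack_from("!H", data, i)[0] for i in range(1, stop, 2)]
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return max(v for v in offered if v in NAMES)           # unknown/GREASE values are ignored

def survives_cutoff(record: bytes) -> bool:
    """True if the client offers TLS 1.2 or later."""
    return max_offered_version(record) >= FLOOR

def sample_hello(legacy: int, supported: tuple = ()) -> bytes:
    """Constructed ClientHello for the demo (one cipher suite, no SNI); not a real capture."""
    ext = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
        ext = struct.pack("!H", len(ext)) + ext
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for label, rec in [("legacy device", sample_hello(0x0301)),
                       ("modern client", sample_hello(0x0303, (0x0304, 0x0303)))]:
        print(label, NAMES[max_offered_version(rec)], "ok" if survives_cutoff(rec) else "will fail")
```

A client that reports TLS 1.0 or TLS 1.1 here is one of the devices the page expects to stop connecting unless it is updated or replaced.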
8) Final note on the transition
- This move represents a concerted step toward securing Internet email traffic with current cryptographic standards.
- It emphasizes consistency with other major security efforts across platforms and services to reduce exposure to outdated protocols.