Microsoft to Deprecate Legacy TLS in Exchange Online Starting July 2026

Microsoft to Deprecate Legacy TLS in Exchange Online Starting July 2026

1) Overview

• Microsoft will block legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online.
• The deprecation is scheduled to begin in July 2026.
• The change targets legacy endpoints used by some POP/IMAP clients and devices; most modern clients already use TLS 1.2 or higher.
• The goal is to enforce the use of current, secure encryption protocols for email access over the Internet.

2) Why this change is occurring

• TLS 1.0 and TLS 1.1 have been considered outdated and less secure for many years.
• TLS 1.2 and newer versions provide stronger cryptographic protections and are widely supported by modern clients.
• Industry momentum toward deprecating older TLS versions has been accelerating for more than a decade, with browsers, operating systems, and security agencies pushing for upgraded configurations.
• In Exchange Online, this move is part of a broader effort to reduce attack surfaces and improve overall data protection for user traffic.

3) What will be affected

• POP3 and IMAP4 connections to Exchange Online will be constrained to TLS 1.2 or later.
• Connections using TLS 1.0 or TLS 1.1 will fail to authenticate or establish sessions.
• Legacy applications, devices, or embedded systems that rely on older TLS versions may stop connecting.
• Custom or built-in systems that embed or rely on legacy TLS endpoints may require updates to continue functioning.

4) Scope and expected impact

• The majority of Exchange Online users who access mail via POP or IMAP today already use TLS 1.2+; they are unlikely to be affected.
• Only customers who actively opted into legacy TLS endpoints in the past are likely to experience disruption when the deprecation is enforced.
• The change reinforces a broader industry transition away from insecure cryptographic configurations to modern, secure protocols.

5) Timeline and interim considerations

• July 2026: Legacy TLS support for POP3/IMAP4 will be removed from Exchange Online.
• Prior to July, Microsoft has indicated that support for legacy TLS was being phased out, with a push toward enabling and enforcing TLS 1.2+ by default.
• Historical context: TLS 1.0 and TLS 1.1 had already been deprecated in other major platforms, with TLS 1.3 increasingly adopted as a standard in recent years.

6) Context and related security trends

• The deprecation aligns with long-standing efforts to retire weak encryption and minimize exposure to network-based threats.
• Guidance from security authorities has consistently encouraged upgrading to modern TLS versions to reduce the risk of eavesdropping, tampering, and impersonation.
• The industry’s shift toward TLS 1.2+ and beyond has been reinforced by broader browser and platform security updates over the past several years.

7) Summary of expected user experience

• For most users: no change in behavior if their POP/IMAP clients already use TLS 1.2+.
• For some users: older clients or devices may fail to connect after the July 2026 deprecation unless they have been updated or replaced.
• For administrators and developers: validation of POP/IMAP client configurations and embedded integrations to confirm TLS support and readiness for TLS 1.2+.

8) Final note on the transition

• This move represents a concerted step toward securing Internet email traffic with current cryptographic standards.
• It emphasizes consistency with other major security efforts across platforms and services to reduce exposure to outdated protocols.