IT Navigator - Daymark Solutions Blog

Microsoft 365 Upcoming "Secure by Default" Settings Changes

Written by Blake Bernard | Wed, Jul 02, 2025

Microsoft is making changes to their Secure Future Initiative (SFI) and the principle of “Secure by Default.” The updates to Microsoft 365 default settings will strengthen your tenant’s security and meet essential benchmarks. These changes focus on addressing vulnerabilities associated with outdated authentication protocols and app access permissions that could increase risks to organizations.

When this will happen:

These changes will begin rolling out in mid-July 2025 and are expected to be completed by August 2025.

How this affects your organization

The following settings will be updated:

Settings

Impact

Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite)

Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that use outdated methods from accessing SharePoint and OneDrive via browser. To use PowerShell to block legacy browser authentication, see Set-SPOTenant.

Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens

FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, legacy protocols such as FPRPC can be more susceptible to compromise, and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked from opening files, preventing the use of this non-modern protocol in Microsoft 365 clients. To learn how to block the FPRPC protocol, see turn on web content filtering.

Require admin consent for third-party app access to files and sites

Users allowing third-party apps to access file and site content can lead to overexposure of an organization’s content. Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf. To configure admin consent, follow instructions here: Configuring the Admin Consent Workflow. Customers who have already blocked user consent, turned on our previously recommended consent settings, or applied custom user consent settings, will not be affected by this change.
Admins can also configure granular app access policies, such as limiting user access to the application for specific users or groups. Learn more here.

These changes are on by default and apply to all Microsoft 365 tenants. No additional licensing is required.

What you can do to prepare:

Microsoft recommends the following actions:

  • Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols.
  • Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.
  • Update documentation: Ensure internal guidance reflects the new defaults and admin consent process.
  • Configure Admin Consent workflow: If third party app access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow.

Additional considerations

  • Does the change alter how existing customer data is processed, stored, or accessed? Yes — it blocks access to content via legacy authentication protocols.

How Daymark Can Help

Security settings are a top priority for all organizations. If you’d like guidance on making the right changes, please reach out. Daymark Microsoft consultants are happy to help.
View full post