Microsoft Message ID: MC1184649 – 2026-01-20 | Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols

Microsoft 365 Update

💡 Our Technical Review in summary

Summary

  • Microsoft is retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol for SharePoint Online and OneDrive for Business as part of the Secure Future Initiative (SFI).
  • The transition enforces modern authentication standards, specifically OpenID Connect and OAuth, to improve security and reduce vulnerabilities associated with legacy methods.
  • Key Timeline:
    • January 31, 2026: Legacy authentication will be blocked by default (temporary re-enablement via PowerShell is possible).
    • April 30, 2026: Final date for temporary re-enablement.
    • May 1, 2026: IDCRL authentication will be permanently retired and cannot be re-enabled.

Impact

  • Application Failure: Any custom scripts, third-party applications, or legacy desktop clients that rely on IDCRL to access SharePoint or OneDrive data will fail to authenticate after the block is enforced.
  • Administrative Overhead: IT admins will need to identify and migrate legacy integrations to modern authentication to ensure business continuity.
  • Temporary Workarounds: Between January 31 and April 30, 2026, admins can use the Set-SPOTenant PowerShell command to temporarily allow legacy protocols if critical services are interrupted.
  • Security Posture: Removing IDCRL reduces the tenant's attack surface by eliminating an outdated authentication path that, in many scenarios, does not natively support modern security controls such as Multi-Factor Authentication (MFA).

Action Required

  • Inventory Legacy Usage: Use Azure AD (Microsoft Entra) sign-in logs and SharePoint telemetry to identify clients or service principals currently using legacy authentication protocols.
  • Migrate to Modern Auth: Update internal scripts and applications to use OpenID Connect or OAuth 2.0. For SharePoint-specific development, transition to the Microsoft Graph API or the latest SharePoint CSOM libraries that support modern auth.
  • Update Tenant Settings: If legacy authentication is required during the transition period, familiarize yourself with the SharePoint Online Management Shell command: Set-SPOTenant -LegacyAuthProtocolsEnabled $true (the current value is visible via Get-SPOTenant). Note that this will only work until April 30, 2026.
  • Communicate with Stakeholders: Notify application owners, security teams, and internal developers about the retirement dates to ensure all dependencies are remediated before the January 2026 deadline.
  • Documentation: Update internal IT documentation and service desk playbooks to reflect that legacy authentication is no longer supported for SharePoint and OneDrive.
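The inventory and tenant-setting steps above, as an added PowerShell example that is not part of this page or of the Microsoft post: it classifies Microsoft Entra sign-in log records for SharePoint Online and OneDrive by the client app used, and wraps the temporary re-enablement so it refuses to run after the April 30, 2026 cut-off and logs a reminder when it does run. Assumptions: the Microsoft.Graph.Reports and Microsoft.Online.SharePoint.PowerShell modules are installed, the admin URL is a placeholder, the list of "legacy" clientAppUsed values and the SharePoint resource display name are my own choices for the filter, and the sample sign-in records are constructed so the classification can be exercised offline.

```powershell
# Added example (not from the Microsoft post): inventory non-modern sign-ins to
# SharePoint/OneDrive and manage the temporary IDCRL re-enablement window.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

$AdminUrl          = 'https://contoso-admin.sharepoint.com'   # placeholder: your tenant admin URL
$FinalReenableDate = [datetime]'2026-04-30'                    # last day re-enablement works (from the post)

# Assumed: Entra sign-in log clientAppUsed values that indicate a non-OIDC/OAuth client.
$LegacyClientApps = @('Other clients', 'Exchange ActiveSync', 'Exchange Web Services',
                      'IMAP', 'POP', 'SMTP', 'Authenticated SMTP', 'MAPI Over HTTP',
                      'Offline Address Book', 'Outlook Anywhere', 'Exchange Online PowerShell')

# Assumed: resource display name under which SharePoint/OneDrive sign-ins are logged.
$SharePointResources = @('Office 365 SharePoint Online')

# Step 1 (Inventory): reduce raw sign-in records to one row per user/app/client combination.
function Get-LegacyAuthInventory {
    param([Parameter(Mandatory)][object[]]$SignIns)

    $SignIns |
        Where-Object { $SharePointResources -contains $_.ResourceDisplayName -and
                       $LegacyClientApps    -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, AppDisplayName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Group[0].UserPrincipalName
                AppDisplayName    = $_.Group[0].AppDisplayName
                ClientAppUsed     = $_.Group[0].ClientAppUsed
                SignInCount       = $_.Count
                LastSeen          = $_.Group.CreatedDateTime | Sort-Object -Descending | Select-Object -First 1
            }
        } | Sort-Object SignInCount -Descending
}

# Pull the last N days of sign-ins from Entra via Microsoft Graph (needs AuditLog.Read.All).
function Get-SignInsFromEntra {
    param([int]$Days = 30)
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
}

# Step 2 (Tenant settings): read the current switch.
function Get-LegacyAuthState {
    Connect-SPOService -Url $AdminUrl
    (Get-SPOTenant).LegacyAuthProtocolsEnabled
}

# Flip the switch, but refuse to re-enable once the window in the post has closed,
# and always warn that any re-enablement is temporary.
function Set-LegacyAuthState {
    param([Parameter(Mandatory)][bool]$Enabled)

    if ($Enabled -and (Get-Date) -gt $FinalReenableDate) {
        throw "Re-enablement window closed on $($FinalReenableDate.ToString('yyyy-MM-dd')); IDCRL is permanently retired."
    }
    Connect-SPOService -Url $AdminUrl
    Set-SPOTenant -LegacyAuthProtocolsEnabled $Enabled
    Write-Warning "LegacyAuthProtocolsEnabled is now $Enabled. Re-enablement is temporary; migrate before $($FinalReenableDate.ToString('yyyy-MM-dd'))."
}

# Constructed sample sign-ins (not real tenant data) so the inventory logic runs offline.
$sample = @(
    [pscustomobject]@{ UserPrincipalName='svc-backup@contoso.com'; AppDisplayName='LegacyBackupTool';
                       ClientAppUsed='Other clients'; ResourceDisplayName='Office 365 SharePoint Online';
                       CreatedDateTime=[datetime]'2026-01-15T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName='svc-backup@contoso.com'; AppDisplayName='LegacyBackupTool';
                       ClientAppUsed='Other clients'; ResourceDisplayName='Office 365 SharePoint Online';
                       CreatedDateTime=[datetime]'2026-01-16T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; AppDisplayName='OneDrive SyncEngine';
                       ClientAppUsed='Mobile Apps and Desktop clients'; ResourceDisplayName='Office 365 SharePoint Online';
                       CreatedDateTime=[datetime]'2026-01-16T09:00:00Z' }   # modern auth: excluded
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com'; AppDisplayName='Outlook';
                       ClientAppUsed='Other clients'; ResourceDisplayName='Office 365 Exchange Online';
                       CreatedDateTime=[datetime]'2026-01-16T10:00:00Z' }   # not SharePoint: excluded
)

# Offline run: expect one row (svc-backup / LegacyBackupTool / Other clients, SignInCount 2).
Get-LegacyAuthInventory -SignIns $sample | Format-Table -AutoSize

# Live run against the tenant (uncomment):
# Get-LegacyAuthInventory -SignIns (Get-SignInsFromEntra -Days 30) |
#     Export-Csv -Path .\legacy-auth-inventory.csv -NoTypeInformation
# Get-LegacyAuthState
# Set-LegacyAuthState -Enabled $true    # only while a critical integration is being migrated
```

The classification is done client-side after a date-only Graph filter, because that filter is the one most reliably supported on the signIns endpoint; the clientAppUsed and resource lists are deliberately kept as variables so they can be tightened once you have looked at how your own IDCRL clients appear in the log. The inventory output is what the "Communicate with Stakeholders" step needs: a per-owner list of which application and account still depend on the path that is removed on May 1, 2026.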

Microsoft Official Update

Service: N/A
Category: planForChange
Severity: normal

Updated January 20, 2026: We are updating this post as a reminder. Thank you for your patience. 

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

  • Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
  • Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

  • Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

  • Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
  • Temporary re-enablement is possible via PowerShell until April 30, 2026.
  • After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
  • Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible. 

To prepare for this retirement:

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.