Microsoft Phases Out Legacy TLS in Exchange Online

"We're planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry‑deprecated for some time and are no longer considered secure," Microsoft said.

What Microsoft is changing and when

Microsoft will begin blocking legacy Transport Layer Security (TLS) connections for POP and IMAP email clients connecting to Exchange Online starting in July 2026. The company says the change will require clients and applications to use TLS 1.2 or later, and that connections using TLS 1.0 or TLS 1.1 will fail once the deprecation is in effect.

Technical specifics: which protocols and clients are affected

TLS is the cryptographic protocol that protects information from eavesdropping, tampering, and message forgery when accessing email over the Internet via client/server applications. Microsoft noted that the original TLS 1.0 specification and its TLS 1.1 successor have been in use for more than two decades — TLS 1.0 was introduced in 1999 and TLS 1.1 in 2006 — and are now considered outdated and insecure for encrypting traffic.

Microsoft's update applies specifically to POP3 and IMAP4 connections to Exchange Online. While modern email clients already support TLS 1.2 or higher, legacy applications or embedded devices that rely on TLS 1.0 or 1.1 may stop connecting.

Immediate operational effects and guidance from Microsoft

  • POP3 and IMAP4 connections will require TLS 1.2 or later.
  • Connections using TLS 1.0 or TLS 1.1 will fail.
  • Legacy applications or devices may stop connecting.
  • Custom or embedded systems may require updates.

Microsoft advises Exchange Online customers who use POP or IMAP to check that their email clients and applications support TLS 1.2 or later and do not use legacy endpoints. The company explicitly recommends updating custom or embedded applications — for example, devices or legacy services — to versions that support modern TLS versions to avoid service disruptions.

"If you aren't sure if you are using legacy versions, check the configuration of your POP and IMAP clients and if you are, your application or device vendor can typically confirm TLS support and provide upgrade guidance," Microsoft added.

Who is likely to be affected and why

Microsoft says most users will not be affected: the vast majority of POP and IMAP traffic to Exchange Online today uses TLS 1.2 or higher, and modern email clients already support those newer protocols. The company also noted that it previously permitted the use of older TLS versions by allowing customers to opt into legacy endpoints; it is now removing that opt-in and removing support entirely.

Microsoft's expectation is that only customers who have explicitly opted into using legacy endpoints are impacted by the deprecation announced in this message center update.

Context from previous industry action and guidance

The deprecation follows broader industry and government moves to abandon TLS 1.0 and 1.1. In October 2018, Microsoft, Apple, Google, and Mozilla announced coordinated plans to retire TLS 1.0 and TLS 1.1 in the first half of 2020. Microsoft also began enabling TLS 1.3 by default starting with Windows 10 Insider builds released in August 2020. The U.S. National Security Agency (NSA) has issued guidance on identifying and replacing outdated TLS protocol versions and configurations with modern alternatives to reduce attack surface and prevent unauthorized access to data.

Microsoft's July 2026 enforcement is a concrete deadline: connections that still use TLS 1.0 or 1.1 will no longer work with Exchange Online. For organizations that run specialized devices, embedded systems, or custom integrations that use legacy endpoints, the next immediate steps are inventory and vendor engagement — confirm what TLS versions are in use and schedule upgrades where needed.
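
One way to approach the inventory step, as an added example that is not from Microsoft or the original article: a Python parser that reads the highest TLS version a client offers from a captured ClientHello record, so clients whose ceiling is TLS 1.0 or 1.1 can be listed before enforcement. The function names are illustrative, and the records produced by `build_hello` are constructed samples rather than captures.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 0x002B  # extension type used by TLS 1.3 clients (RFC 8446)

def max_offered_version(record: bytes) -> int:
    """Highest protocol version offered in a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]  # skip record header (5 bytes) and handshake header (4)
    try:
        # record[1:3] is often 0x0301 even for modern clients; use the hello's own field.
        best = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                                        # version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return best                                     # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS:
                offered = [struct.unpack_from("!H", data, i)[0]
                           for i in range(1, 1 + data[0], 2)]
                # Drop GREASE and unknown values; the list replaces legacy_version.
                known = [v for v in offered if v in VERSIONS]
                return max(known) if known else best
            pos += 4 + ext_len
        return best
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None

def classify(record: bytes) -> tuple:
    """Return (version name, True if the client can meet a TLS 1.2 floor)."""
    version = max_offered_version(record)
    return VERSIONS.get(version, hex(version)), version >= 0x0303

def build_hello(client_version: int, supported=()) -> bytes:
    """Build a minimal ClientHello record: constructed sample, not a capture."""
    lst = b"".join(struct.pack("!H", v) for v in supported)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst if lst else b""
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The result describes what the client is able to offer, not what a given session negotiated, which is why it suits finding devices that cannot reach TLS 1.2 at all.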

Source: BleepingComputer — Microsoft to deprecate legacy TLS in Exchange Online starting July