Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols

February 5, 2026 at 6:30 PM Updated

Summary

Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by January 31, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked by default, with temporary re-enablement via PowerShell until April 30, 2026, and permanent retirement from May 1, 2026. Organizations should migrate to modern authentication promptly.

New

Microsoft is retiring the legacy IDCRL authentication protocol in SharePoint Online and OneDrive for Business by May 1, 2026, enforcing modern OpenID Connect and OAuth protocols. Legacy authentication will be blocked starting February 16, 2026, with temporary re-enablement via PowerShell until April 30, 2026. Organizations must migrate to modern authentication.

Last Updated Date

New

2026-02-05T17:48:51.620Z

Body Content

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

New

Updated February 5, 2026: We have updated the timeline. Thank you for your patience.

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting February 16, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting February 16, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

February 2, 2026 at 4:31 PM Updated

Last Updated Date

New

2026-02-02T16:00:00.977Z

Body Content

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

New

Updated February 2, 2026: We are updating this post as a reminder. Thank you for your patience.

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

January 20, 2026 at 6:30 PM Updated

Last Updated Date

New

2026-01-20T17:39:19.757Z

Body Content

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

New

Updated January 20, 2026: We are updating this post as a reminder. Thank you for your patience.

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

January 6, 2026 at 6:30 PM Updated

Last Updated Date

New

2026-01-06T17:18:04.740Z

Body Content

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

New

Updated January 6, 2026: We are updating this post as a reminder. Thank you for your patience.

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

What will happen:

Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
Temporary re-enablement is possible via PowerShell until April 30, 2026.
After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible.

To prepare for this retirement:

Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols.
Review current configurations for IDCRL authentication.
Notify IT admins, app owners, and security teams about the upcoming retirement.
Update internal documentation to reflect the new authentication defaults.
Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
Use PowerShell to manage legacy authentication settings if needed:
- Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
Learn more:
- Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
- Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

December 9, 2025 at 6:31 PM Updated

Last Updated Date

New

2025-12-09T17:47:23.010Z

DeltaPulse now has a public MCP server. Add / integrate this tool with your Copilot Agent(s).

Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols

Summary

Details

Change History

Never Miss a Microsoft 365 Update