Microsoft will disable Transport Layer Security versions 1.0 and 1.1 for POP3 and IMAP4 connections to Exchange Online starting July 2026, ending prolonged support for legacy protocols and pushing users toward modern security standards.
- TLS 1.0 and 1.1 will be blocked starting July 2026 on Exchange Online POP3 and IMAP4
- Most clients already use TLS 1.2 or newer, minimizing overall impact
- Legacy users who opted in must update clients or risk connection failures
What happened
Microsoft announced that beginning in July 2026, it will block the use of TLS versions 1.0 and 1.1 for POP3 and IMAP4 connections to Exchange Online. These legacy TLS versions, which have been deprecated for several years, are no longer considered secure, and their use has been steadily phased out since 2020. Although Exchange Online stopped supporting them for general use as early as 2020, users who previously opted into legacy endpoints to maintain compatibility with older clients have had continued access until now.
This latest enforcement reflects Microsoft’s ongoing efforts to strengthen security compliance and reduce the risk associated with outdated encryption standards. TLS 1.0 was introduced in 1999 and TLS 1.1 in 2006, and both have been officially deprecated since 2021. Microsoft has historically prioritized backward compatibility for its enterprise customers, which delayed this mandatory shift; the block now ensures all users transition to modern, secure protocols.
Why it matters
The deprecation of TLS 1.0 and 1.1 is crucial for maintaining secure email communications, as these TLS versions have vulnerabilities that can be exploited by attackers. By enforcing the block, Microsoft aims to eliminate weak security links within the Exchange Online service, thereby safeguarding user data and meeting contemporary compliance requirements. Most modern email clients and libraries already support TLS 1.2 or higher, which significantly reduces the risk of operational issues for the majority of users.
However, some organizations and individual users still rely on older email client software that does not support newer TLS versions, particularly for POP3 and IMAP4 access methods. These users could experience disrupted service or loss of email connectivity once Microsoft enforces the block. Consequently, there may be a surge in support requests as affected users scramble to update their configurations or replace non-compliant software.
What to watch next
Organizations using Exchange Online should audit their email clients and connection methods to confirm that they support TLS 1.2 or higher well before the July 2026 deadline. Users who had explicitly opted into continued use of legacy TLS endpoints must prioritize moving away from these obsolete protocols to prevent service interruptions. IT administrators can leverage this window to phase out outdated systems and educate end users on the importance of modern security standards.
Additionally, monitoring official Microsoft communications and client updates will be critical as the cutoff approaches. While Microsoft expects minimal impact due to widespread adoption of modern TLS versions, any lingering legacy dependencies could still generate operational challenges. Proactively evaluating third-party tools, legacy devices, and client applications that connect via POP3 or IMAP4 will mitigate the risk of last-minute failures and summer support bottlenecks.