Microsoft to block TLS 1.0/1.1 for Exchange Online POP and IMAP in July

Microsoft will fully deprecate TLS 1.0 and TLS 1.1 for POP3 and IMAP4 connections to Exchange Online starting July 2026. After the cutoff, any client still negotiating those legacy versions will fail to connect — TLS 1.2 or higher becomes mandatory. Microsoft had previously blocked these protocols by default but kept an opt-in path; that escape hatch is now being closed.

The practical impact should be narrow. Microsoft says nearly all current POP/IMAP traffic already runs on TLS 1.2+, and only tenants that explicitly opted back into the legacy endpoints should see breakage. The risk sits with embedded devices, custom integrations, and aging line-of-business apps that quietly rely on outdated TLS stacks and may need vendor updates before July.

The move is consistent with the broader industry retirement of TLS 1.0/1.1, originally coordinated by Microsoft, Apple, Google, and Mozilla in 2018 for a 2020 sunset. Continuing to permit those versions on a major mail surface left a known weak link for downgrade and passive interception attacks; closing the opt-in eliminates it.