
Opt-in to the Exchange Online Endpoint for Legacy TLS Clients using SMTP Auth
Exchange Online ended support for TLS 1.0 and TLS 1.1 in 2020 to meet security and compliance requirements. However, Microsoft still allows clients to use these legacy TLS versions to connect to Exchange Online.
In 2022, Microsoft plans to disable the older TLS versions in Exchange Online completely to improve security. If your organization still has clients that are not compatible with TLS 1.2, a new opt-in endpoint can be used so they continue to work with the earlier TLS versions.
To keep using legacy TLS versions, admins need to change the following settings.
- Use PowerShell to set AllowLegacyTLSClients to $true. Connect to Exchange Online PowerShell before running the following cmdlets.
To view the current status of the AllowLegacyTLSClients property, run the following cmdlet.
Get-TransportConfig | Format-List AllowLegacyTLSClients
To opt in, execute the cmdlet below.
Set-TransportConfig -AllowLegacyTLSClients $true
- Configure clients and devices to use the new endpoint smtp-legacy.office365.com.
Admins can check the TLS usage report for SMTP in Exchange Online to see which clients still submit mail over TLS 1.0/1.1, and once those clients are upgraded, opt out and force TLS 1.2.
To disable legacy TLS, admins need to modify the following configurations.
- Set AllowLegacyTLSClients back to $false with the following cmdlet.
Set-TransportConfig -AllowLegacyTLSClients $false
- Configure clients to use the smtp.office365.com endpoint.
If the legacy endpoint has not been configured and a client connects using TLS 1.0 or 1.1, the client receives the following error message.
421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls
The error means Exchange Online rejected the SMTP submission because the client negotiated TLS 1.0 or 1.1 rather than TLS 1.2; Microsoft has begun rejecting a share of such submissions on the default endpoint.
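To verify which endpoint a legacy client can actually use, before and after toggling AllowLegacyTLSClients, the following script probes an SMTP submission endpoint with a chosen TLS version and reports whether the session is accepted or answered with 421 4.7.66. This is an added example written for this post, not code from Microsoft or from the original article. It assumes Windows PowerShell 5.1 on a host whose Schannel settings still allow TLS 1.0/1.1 client handshakes, network access to port 587, and that Exchange Online returns the 421 reply on the first command sent after the STARTTLS handshake (the post-STARTTLS EHLO is used here). The function names, the EHLO hostname probe.example and the sample replies are made up for the example.

```powershell
# Added example, not part of the original post or Microsoft's documentation.
# Probes an SMTP submission endpoint with a specific TLS version and classifies
# the server's response. Requires network access; tested behaviour is assumed
# for Windows PowerShell 5.1 (.NET Framework, Schannel-controlled TLS versions).

function Read-SmtpReply {
    # Reads one complete SMTP reply. Lines such as "250-..." continue the reply,
    # the final line uses a space after the code ("250 ...").
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }      # connection closed by the server
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines                          # keep a one-line reply as an array
}

function Get-SmtpReplyVerdict {
    # Classifies the reply received after the handshake.
    param([string[]]$Reply)
    $last = $Reply | Select-Object -Last 1
    if ($last -match '^421 4\.7\.66') { return 'RejectedLegacyTls' }
    if ($last -match '^250[ -]')      { return 'Accepted' }
    return 'Other'
}

function Test-SmtpLegacyTls {
    param(
        [string]$Server = 'smtp.office365.com',
        [int]$Port = 587,
        # SslProtocols::Tls is TLS 1.0; use Tls11 or Tls12 to compare.
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $net    = $tcp.GetStream()
        $reader = New-Object System.IO.StreamReader($net)
        $writer = New-Object System.IO.StreamWriter($net)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $null = Read-SmtpReply $reader                        # 220 banner
        $writer.WriteLine('EHLO probe.example')               # hypothetical client name
        $null = Read-SmtpReply $reader
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        $last  = $reply | Select-Object -Last 1
        if ($last -notmatch '^220') { return "STARTTLS refused by ${Server}: $last" }

        # Force the requested TLS version; the handshake fails here if either
        # the local Schannel policy or the server refuses that version outright.
        $ssl = New-Object System.Net.Security.SslStream($net, $false)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $reader = New-Object System.IO.StreamReader($ssl)
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # Assumption: Exchange Online answers the first command after a TLS 1.0/1.1
        # handshake with 421 4.7.66 when legacy clients are not allowed.
        $writer.WriteLine('EHLO probe.example')
        $reply   = Read-SmtpReply $reader
        $verdict = Get-SmtpReplyVerdict $reply
        $last    = $reply | Select-Object -Last 1
        $writer.WriteLine('QUIT')
        return "$Server negotiated $($ssl.SslProtocol): $verdict ($last)"
    }
    finally { $tcp.Close() }
}

# Constructed replies, so the classifier can be exercised without network access.
Get-SmtpReplyVerdict @('421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls')
Get-SmtpReplyVerdict @('250-mail.example.com Hello', '250-SIZE 157286400', '250 AUTH LOGIN XOAUTH2')

# Live checks (network required): compare the default and the legacy endpoint.
Test-SmtpLegacyTls -Server 'smtp.office365.com'        -Protocol Tls
Test-SmtpLegacyTls -Server 'smtp-legacy.office365.com' -Protocol Tls
Test-SmtpLegacyTls -Server 'smtp.office365.com'        -Protocol Tls12
```

Run the live checks from the same network segment as the legacy device so that the result reflects the path the device really takes. A handshake exception on the TLS 1.0 probe usually means the probing host itself has TLS 1.0 disabled in Schannel, not that the endpoint rejected it; the 421 4.7.66 verdict is the only result that tells you Exchange Online refused the submission after the handshake succeeded.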
I hope this blog helps you review the legacy client endpoint settings and opt in where you need to. You can share your experience with TLS 1.0/1.1 in the comments section.