Exchange Online Deprecates Legacy TLS for POP/IMAP4
In the late evening of 27th April 2026, Microsoft made the announcement that Exchange Online deprecates legacy TLS for POP/IMAP4 accounts.
This is yet another step to boost the security of its cloud infrastructure. Starting from July 2026, you won’t be able to connect to Exchange Online if you still use TLS 1.0 or 1.1.
In this guide, I will explain what it means for your organization and what needs to be done to stay prepared before the changes roll out.
There’s no way to skip this update, as it happens regardless of whether you opt in or not.
Switching off access to old, outdated, and less secure protocols is not unprecedented; it has happened in the past and, as the trend shows, will continue to happen down the line. So let us begin by understanding what the insecure part of the legacy TLS was and the reason for its deprecation.
Why Is Microsoft Retiring Legacy POP/IMAP4 TLS in Exchange Online?
The major reason for this is nothing but security. More specifically, TLS 1.0 and 1.1 are weak against protocol downgrade attacks. This sort of sophisticated multilayer intrusion is why admins start to doubt themselves and wonder whether IMAP is secure or not.
The answer is not a simple yes or no. The underlying cryptographic layers are very much part of the equation. Moreover, if you still force your company to remain on TLS 1.0 or 1.1, you are a prime case study on how IMAP can be a security threat to a company.
Consider the following security points:
- NIST guidelines and PCI DSS require TLS 1.2. So if you don’t use it, you are in violation of compliance requirements.
- TLS 1.2 has AEAD (Authenticated Encryption with Associated Data), not present in previous versions, which helps to prevent MITM (Man-in-the-middle) type data tampering attacks.
- Support for modern cipher suites (such as AES-GCM), which are standard in all security standards, is absent in TLS 1.1 and 1.0, so their deprecation allows organizations to level up their encryption.
Centralize Your Existing Infrastructure Before Deprecation Goes Live
The upcoming changes in the TLS version support of Exchange Online mean that many IT teams have to rethink the way they use their infrastructure. One interesting idea that is gaining traction is to transfer IMAP emails to a new host entirely.
This process is similar to when personal users merge iCloud email accounts or merge two Yahoo email accounts into an all-new O365 repository.
Quitting less secure infra may feel tiresome, but trust me, you don’t want to be a sitting duck for nefarious entities.
So use a professional tool like the SysTools IMAP Migration Tool to carry out all email data transfers during your server modernization.
The platform-agnostic (available on both Windows and Mac) utility comes ready to use from the get-go. It is completely GUI-based, with no scripts or confusing code. So, try the free demo to reduce the risk before the TLS (1.0 and 1.1) July 2026 cutoff.
Conclusion
Here, I informed you about the upcoming changes where Exchange Online deprecates legacy TLS connections for any organization that still relies on it.
The reasons Microsoft listed for ending the support were mainly due to the security vulnerability present in the old protocols. Plus, the presence of newer, faster, and significantly more secure platforms means that remaining on the old is no longer viable.
The date July 2026 is fixed. It won’t see any extension, so use this time wisely. If possible, modernize other aspects of your IT infrastructure too.
Frequently Asked Questions
Q: What will happen if I don’t update the connections before the July 2026 deadline?
If you still operate TLS 1.1 / 1.0 once the deadline expires, none of your existing connections to Exchange Online will work. In fact, Microsoft will explicitly block all connection attempts. This would disrupt your day-to-day work routine. Plus, changing from an already defunct system will put more strain on your organization.
Q: Does the change affect all email clients, including Outlook New and Thunderbird?
No. Clients like Outlook, Apple Mail, etc., are already on the latest server settings, including modern, more secure TLS protocols. The legacy options were only made available for organizations that were still stuck with prior software commitments. Moreover, they were only a temporary lifeline from the get-go.
Q: Is it a good idea to use this shutdown as an excuse to permanently get rid of legacy connections?
Yes, legacy shutdowns are the perfect opportunities to perform digital infra overhauls that have been long overdue. Just make sure to choose the right partner to make the transition fast and smooth. The alternative is that you will be stuck midway when the deprecation happens. Your environment will be exposed to outside attackers.
Q: Is it possible to check if my Exchange Online environment has legacy TLS opt-in enabled?
Yes, you can check the current configuration pretty easily via PowerShell. All you have to do is type in the following command in a PowerShell instance with admin-level access:
Get-TransportConfig | Format-List AllowLegacyTLSClients
If the return value is True, then your environment has active legacy connections, and you need to update them. Once the changes are complete, run the test again. This time, the same command will return a different output, “False”. This will prove that your environment is ready for the deprecation.
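The command above only shows the tenant-side opt-in. As an added example (not from Microsoft or the original article), the following function checks from a client machine whether its TLS stack can complete a TLS 1.2-only handshake on the IMAP4 and POP3 ports. The function name `Test-MailTls12`, the host `outlook.office365.com`, and ports 993/995 are assumptions that do not appear in the article.

```powershell
# Added example: attempt a TLS 1.2-only handshake against a POP/IMAP endpoint.
# Assumptions (not from the article): the host name and ports used at the bottom.
function Test-MailTls12 {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # $false: disposing the SslStream also closes the underlying socket stream
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            # Offer TLS 1.2 only, validate the server certificate against the
            # host name, and enable certificate revocation checking ($true).
            $ssl.AuthenticateAsClient(
                $HostName,
                $null,
                [System.Security.Authentication.SslProtocols]::Tls12,
                $true)
            [pscustomobject]@{
                Endpoint = "${HostName}:$Port"
                Tls12Ok  = $true
                Protocol = $ssl.SslProtocol
                Detail   = ''
            }
        }
        finally { $ssl.Dispose() }
    }
    catch {
        # Handshake, certificate, or network failure: report it instead of throwing
        [pscustomobject]@{
            Endpoint = "${HostName}:$Port"
            Tls12Ok  = $false
            Protocol = $null
            Detail   = $_.Exception.Message
        }
    }
    finally { $tcp.Dispose() }
}

Test-MailTls12 -HostName 'outlook.office365.com' -Port 993   # IMAP4 over TLS
Test-MailTls12 -HostName 'outlook.office365.com' -Port 995   # POP3 over TLS
```

The result reflects the Windows/.NET TLS stack of the machine where the script runs. A legacy mail application or device that ships its own TLS library has to be tested separately.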