Microsoft has disclosed that it will shut down the Remote PowerShell Protocol (RPS) for Exchange Online as early as October 3, 2023. This decision is reported to affect Microsoft's worldwide service customers. The company has made it clear that organizations will not have the option to continue with the use of RPS for Exchange Online. Microsoft plans to inform its clients of the discontinuation of the service through a “Service Health Notification” that will be displayed in the Microsoft 365 Admin Center portal.
Changes Affecting Sovereign Cloud Customers
Alongside its worldwide service customers, Microsoft also stated that it intends to discontinue RPS for Exchange Online for customers on its sovereign cloud. The termination for these clients is reported to take place within the month. Microsoft is urging clients to shift from using RPS for Exchange Online and recommends the use of the Exchange Online PowerShell version 3 module instead. This alternative employs REST-based APIs and a distinct parameter for connections.
Termination Rooted In Security Concerns
Microsoft advanced rationale behind ending RPS's use with Exchange Online lies in security considerations. RPS was found to employ Basic Authentication, comprising a username and password, which was determined to be vulnerable to “password spray” attacks—these being repeated attempts at guessing commonly used passwords within an organization. Microsoft also identified a lack of support for multifactor authentication—a secondary method of user identity verification—in the Basic Authentication used by RPS.
In a previous announcement, Microsoft had given forewarning of its plan to end RPS's use with Exchange Online, dating more than a year back. Originally, customers were projected to lose access to RPS after July 1, 2023, however, a revised schedule was released for new tenancies, blocking them from using RPS after April 1, 2023. Microsoft's frequent announcements about RPS's deprecation have resulted in its reduced use, prompting the company to act in discontinuing the protocol.
Microsoft's commitment to improve the security of its products remains intact, and this decision is an example of their ongoing efforts.