Opt in to the Exchange Online endpoint for legacy TLS clients using POP3 or IMAP4

As of October 2020, Exchange Online no longer supports the use of TLS 1.0 and TLS 1.1 in the service. This change is due to security and compliance requirements for our service. Although those versions are no longer supported, our servers still allow clients to use them when connecting to the POP3/IMAP4 endpoint (outlook.office365.com).

In 2022, we plan to completely disable those older TLS versions to secure our customers and meet those security and compliance requirements. However, due to significant usage, we've created an opt-in endpoint that legacy clients can use with TLS 1.0 and TLS 1.1.

Note

This opt-in endpoint isn't available in GCC, GCC-High, or DoD environments that have legacy TLS permanently turned off.

Configuring the new endpoint

If customers have POP3/IMAP4 clients that only support older TLS versions, those clients need to be configured to use the new worldwide endpoints:

  • pop-legacy.office365.com
  • imap-legacy.office365.com

Customers who use Microsoft 365 operated by 21Vianet need to configure their clients to use these endpoints:

  • pop-legacy.partner.outlook.cn
  • imap-legacy.partner.outlook.cn

Consumer users can use these less secure endpoints directly. For Enterprise users, a tenant admin first needs to enable the following setting for the organization:

  • Set the AllowLegacyTLSClients parameter on the Set-TransportConfig cmdlet to the value $true.

Opt in to legacy client endpoint

You can opt in (or opt out) for your organization in the new EAC or by using Exchange Online PowerShell.

To opt in with the new EAC, go to the Mail Flow settings page under Settings and toggle the setting labeled Turn on use of legacy TLS clients.

To opt in with Exchange Online PowerShell, run the following command:

Set-TransportConfig -AllowLegacyTLSClients $true 

To view the current status of the property, run the following command in Exchange Online PowerShell:

Get-TransportConfig | Format-List AllowLegacyTLSClients 
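
The following is an added example, not part of the original article: it wraps the two commands above in one function that reads the current value, changes it only when it differs from the requested state, and re-reads it to confirm. The function name Set-LegacyTlsOptIn and its output fields are hypothetical; the script assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is loaded and
# Connect-ExchangeOnline has already been run with sufficient permissions.
# Set-LegacyTlsOptIn is a hypothetical helper name, not a Microsoft cmdlet.
function Set-LegacyTlsOptIn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true opts the organization in to the legacy endpoints, $false opts out.
        [Parameter(Mandatory)]
        [bool]$Enabled
    )

    # Record the organization-wide value before changing anything.
    $before = [bool](Get-TransportConfig).AllowLegacyTLSClients

    if ($before -eq $Enabled) {
        Write-Verbose "AllowLegacyTLSClients is already $Enabled; no change made."
    }
    elseif ($PSCmdlet.ShouldProcess('TransportConfig',
            "Set AllowLegacyTLSClients to $Enabled")) {
        Set-TransportConfig -AllowLegacyTLSClients $Enabled
    }

    # Re-read so the report shows what the service returns, not what was requested.
    $after = [bool](Get-TransportConfig).AllowLegacyTLSClients

    [pscustomobject]@{
        Requested = $Enabled
        Before    = $before
        After     = $after
        Changed   = ($before -ne $after)
    }
}

# Dry run: shows what an opt-out would do without calling Set-TransportConfig.
Set-LegacyTlsOptIn -Enabled $false -WhatIf

# Opt out once no POP3/IMAP4 client still depends on TLS 1.0 or TLS 1.1.
# Set-LegacyTlsOptIn -Enabled $false -Verbose
```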
