Skip to main content
🦉
Message CenterMicrosoft 365 Updates
HomePermissionsTenant FinderM365 ReportPortfolio
🦉
M365 Message Centerby Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.

Quick Links

HomePermissionsTenant FinderM365 ReportPortfolio

Connect

© 2026 M365 Message Center. Created with ❤ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft

  1. Home
  2. /
  3. MC1169566

Exchange ActiveSync TLS 1.3 Certificate Based Authentication Change

Plan for Change

Message ID

MC1169566
View in Admin Center

Services

Exchange Online

Summary

Exchange ActiveSync Certificate-Based Authentication now supports TLS 1.3, routing traffic to new tenant-location-based endpoints. Most clients will redirect seamlessly, but organizations using Secure Email Gateways may need to update firewall settings. Rollout began globally, expanding to other clouds by November 2025.

Details

As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.

With this change all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location

How this will affect your organization:

This change has already begun to roll out in the worldwide multi-tenant cloud and will start rolling out in other clouds starting November 2025. As a result of this change all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location:

  • Multi-tenant (Worldwide and GCC): outlook-cba.office365.com
  • DoD: outlook-dod-cba.office365.us
  • GCC-High: outlook-cba.office365.us

What you need to do to prepare:

For most Exchange ActiveSync clients, this change will be seamless. The client traffic will be implicitly redirected to the new CBA endpoints without any user action required.

However, if your organization uses a Secure Email Gateway (SEG) or similar gateway that filters or inspects ActiveSync traffic, you may need to update your firewall or gateway configuration to allow traffic to and from the new CBA endpoints listed above.

If you have questions or concerns on this change, please contact your SEG vendor. We appreciate your cooperation and commitment to maintaining a secure environment.

Learn more:

Upcoming TLS Changes for Certificate Based Auth ActiveSync Traffic. 

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

Specified at MS-ASHTTP: Authorization | Microsoft Learn ActiveSync official documentation, EAS requests without authorization header will be treated as a CBA request.  

Timeline

Published
Oct 10, 2025
Message published to Message Center
Updated
Oct 10, 2025
Message content updated
End Date
Jan 31, 2026
Message timeline ends

Tags

#Feature update#Admin impact

Category

Plan for Change

Related Messages

Similar updates

MC1187400

Syncing HiddenFromAddressListEnabled attribute across tenants for consistent Global Address List (GAL) visibility

Nov 17, 2025
MC1163922●

Upcoming Secure by Default Settings Changes for Exchange and Teams APIs

Oct 2, 2025
MC1163753●

Outlook on the web activity-based timeout is retiring

Oct 1, 2025
MC1143991

Limiting onmicrosoft domain usage for sending emails

Aug 29, 2025
MC1081538

Important Update to the Get-FederationInformation Cmdlet in Exchange Online

May 23, 2025