PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together.
- In December 2022, we announced the deprecation of RPS in Exchange Online, and that RPS will be disabled for all customers starting in June 2023.
- In March 2023, we announced that on April 1, 2023, we will start blocking RPS connections for all tenants created on or after April 1, 2023.
Although we want all customers to switch from RPS to the v3 PowerShell module, we understand that some customers may need extra time to make that switch.
Today we are announcing that customers who need more time to make the switch can re-enable RPS (if we have disabled it for you) and use it for a little longer.
At this time, this blog post applies only to tenants in our WW cloud. We will update the information for tenants in other clouds within several weeks.
We have released a self-service tool in the Microsoft 365 admin center and the Exchange admin center that admins can use to request an extension or re-enablement of RPS. We are adding this tool to help you minimize disruptions as you transition away from using RPS. We want you to use the tool only if you really need to use RPS, and not just because you think you might need to.
As mentioned earlier, we recommend using our REST-based v3 module which is more secure and performant. By continuing to use RPS, you may be putting yourself at risk, and the best way to mitigate that risk is to move to the v3 module, which you can install from here.
Using the Self-Service Tool
You can go to the RPS self-service tool by clicking on the button below, which will take you directly to the tool in the Microsoft 365 admin center if you’re a Global Admin.
You can also go to the Microsoft 365 admin center or the Exchange admin center and click on the green Help & Support button in the lower right-hand corner of the screen which looks like this:
When you click the button, you enter our self-service help system. Here you can enter the magic phrase “Diag: Enable RPS in EXO”.
Click Run Tests to check your tenant settings to see if we have disabled RPS, and then review the results. If we have not disabled RPS for your tenant, and you are running the diagnostic, we will offer you the option to temporarily opt out of RPS disablement or re-enable RPS, as per the timeline in the table below.
Click the checkbox and then click Update.
That’s it. Once you submit the opt out request, we will not disable RPS for your tenant, based on the timeline in the table below. Tenants that qualify can request an opt out until September 2023. On September 1, 2023, we will retire the self-service tool, and on October 1, 2023, we will begin turning off RPS in all tenants, regardless of opt-out status or usage.
Note: Self-service re-enablement of RPS works only for WW tenants.
To reiterate, requesting an opt-out for RPS could put your tenant data at security risk. If you are not sure if you need RPS, let us turn it off and wait to see what happens. You can always re-enable it through September 2023 using the tool, and while this might cause some disruption, the upside is it will help define the work you need to do prior to October 2023.
Timeline of RPS deprecation
Timeframe | State of RPS protocol |
March 2023 | All current tenants can opt-out of RPS deprecation using the diagnostic, until September 2023 |
April 2023 | Tenants created on April 1st and newer will have RPS disabled by default, and can re-enable it (using diagnostic) until June 2023. After July 2023 onwards, new tenants thus created will not be able to re-enable RPS. |
May 2023 | We disable RPS for tenants (created before April) who never used RPS and have not asked for an extension. Re-enablement of RPS is possible using the diagnostic until September 2023. |
June 15, 2023
| We will start disabling RPS for tenants who have not opted-out or re-enabled RPS yet and have used it in the past. Re-enablement of RPS using the diagnostic is possible until September 2023 (unless tenant was created after April 2023). |
July 2023 | Tenants created after July 1st will have RPS disabled permanently. Diagnostics cannot re-enable RPS for those tenants. Tenants created from July 1st onwards must use Exchange Online PowerShell v3 module using Connect-ExchangeOnline without the UseRPSSession parameter. |
September 2023 | RPS opt-out / re-enablement diagnostic is retired. |
October 2023 | We start blocking RPS for all tenants, no matter the tenant creation date, size, or opt-out status. All tenants must use Exchange Online PowerShell v3 module using Connect-ExchangeOnline without the UseRPSSession parameter. |
Frequently Asked Questions
How do I know if my tenant is using RPS?
If you use the following, then you are using RPS:
- Exchange Online PowerShell connection using New-PSSession
- Exchange Online PowerShell v1 and v2 modules
- Any newer version of Exchange Online PowerShell module with the -UseRPSSession parameter
How can I get a longer exception? I still want to use RPS after September 2023.
We are not providing the ability to use RPS after September 2023. You should ensure your dependency on RPS in Exchange Online has been removed by that time. RPS will be turned off for everyone during October 2023, including tenants who have previously opted out using our self-service tool.
Summary
We are sure many of you will be happy that we are shutting down RPS in Exchange Online as it is an really good thing from a security perspective. We also know that many of our customers are not quite ready yet to move to the v3 module and still depend on RPS.
We hope that giving you an extension will give you sufficient time to move to the v3 module.
Exchange Online Manageability Team
Read full article (Microsoft Exchange Blog)
All content and images belong to their respected owners, this article is curated for informational purposes only.
