Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support
Published Mar 27 2023 08:18 AM 120K Views

Update 10/1/2023: As per the below Timeline of RPS deprecation, we have now entered the stage where all tenants in our WW cloud have RPS disabled by default and cannot re-enable it. All tenants from now on must use REST cmdlets with the Exchange Online PowerShell V3 module. All other cloud environments will also have RPS disabled throughout the month of October.

PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we now require that all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together.

  • In December 2022, we announced the deprecation of RPS in Exchange Online, and that RPS will be disabled for all customers starting in June 2023.
  • In March 2023, we announced that on April 1, 2023, we will start blocking RPS connections for all tenants created on or after April 1, 2023.

Update 5/3/2023: The detailed timeline (early disablement and opt-outs) in this blog post applies only to tenants in our World-Wide (WW) cloud. Final RPS disablement for customers in other Microsoft cloud environments as well as WW cloud is scheduled for October 2023. There will be no extension given to customers post September 2023 and RPS will be disabled for all tenants starting October 1st.

Previously, we released a self-service tool in the Microsoft 365 admin center and the Exchange admin center that admins could use to request an extension or re-enablement of RPS. We added this tool to help you minimize disruptions as you transitioned away from using RPS. We suggested to use the tool only if you really need to use RPS, and not just because you thought you might need to.

Update 10/1/2023: The RPS re-enablement and opt out tool that our customers could run by typing “Diag: Enable RPS in EXO” in the Help & Support section of the Microsoft 365 admin center has now been retired as we are turning off RPS for all tenants. If your tenant still had RPS enabled, please watch for announcement of RPS disablement in your Microsoft 365 Service Health Dashboard. Please note that our support teams do not have the ability to turn RPS back on for your tenant.

Timeline of RPS deprecation

Timeframe

State of RPS protocol

March 2023

All current WW tenants can opt-out of RPS deprecation using the diagnostic, until September 2023

April 2023

WW tenants created on April 1st and newer will have RPS disabled by default, and can re-enable it (using diagnostic) until June 2023. After July 2023 onwards, new tenants thus created will not be able to re-enable RPS.

May 2023

We disable RPS for WW tenants (created before April) who never used RPS and have not asked for an extension. Re-enablement of RPS is possible using the diagnostic until September 2023.

June 15, 2023

We will start disabling RPS for WW tenants who have not opted-out or re-enabled RPS yet and have used it in the past. Re-enablement of RPS using the diagnostic is possible until September 2023 (unless tenant was created after April 2023).

July 2023

WW tenants created after July 1st will have RPS disabled permanently. Diagnostics cannot re-enable RPS for those tenants.

Tenants created from July 1st onwards must use Exchange Online PowerShell v3 module using Connect-ExchangeOnline without the UseRPSSession parameter.

End of September 2023

RPS opt-out / re-enablement diagnostic for WW tenants is retired.

Start of October 2023

We start blocking RPS for all tenants, no matter the tenant creation date, size, or opt-out status or cloud environment (WW, GCC, etc.) they use.

All tenants must use Exchange Online PowerShell v3 module using Connect-ExchangeOnline without the UseRPSSession parameter.

Frequently Asked Questions

How do I know if my tenant is using RPS?
If you use the following, then you are using RPS:

  • Exchange Online PowerShell connection using New-PSSession
  • Exchange Online PowerShell v1 and v2 modules
  • Any newer version of Exchange Online PowerShell module with the -UseRPSSession parameter

How can I get a longer exception? I still want to use RPS after September 2023.
We are not providing the ability to use RPS after September 2023. You should ensure your dependency on RPS in Exchange Online has been removed by that time. RPS will be turned off for everyone during October 2023, including tenants who have previously opted out using our self-service tool.

Does the self-service tool mentioned in this blog post have any impact on deprecation of Remote PowerShell (RPS) Protocol in Security and Compliance PowerShell (Connect-IPPSSession)?
The self-service tool mentioned in this blog post has an impact only on deprecation of Remote PowerShell in Exchange Online and it will have no effect on RPS deprecation timeline of Connect-IPPSSession cmdlets. For those cmdlets, please see Deprecation of Remote PowerShell (RPS) Protocol in Security and Compliance PowerShell for more information.

We have a tenant that was created in (or after) July 2023. The self-serve diagnostic keeps telling us that RPS is disabled and we must use REST cmdlets only. How can we enable RPS on such tenants?
As per our Timeline of RPS deprecation above, any WW tenants created in or after July 2023 will have RPS disabled by default and will be unable to use RPS. You must use REST-based cmdlets for WW tenants created in July 2023 or later. Note that even raising a support ticket with Microsoft will not help - our support teams do not have a way to override this setting for tenants that fall into this category.

Summary

We are sure many of you will be happy that we are shutting down RPS in Exchange Online as it is an really good thing from a security perspective.

Exchange Online Manageability Team

51 Comments
Version history
Last update:
‎Nov 09 2023 11:10 AM
Updated by: