Microsoft 365 Updates - July Updates

Overview

As Microsoft continues to roll out hundreds of updates each month, keeping up with the latest changes can feel overwhelming. That’s where we come in. In this month’s M365 Update Series, Head of Managed Service, Salim Othman, dives into his top updates released in July 2025 that you should be aware of:

➡️ Microsoft 365 Upcoming Secure by Default Settings Changes

➡️ Microsoft Teams: Rule-based enablement of Microsoft 365 third-party apps in the Teams admin center

➡️ Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft 

Microsoft 365 Upcoming Secure by Default Settings Changes

https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1097272

Summary

Microsoft 365 will update default settings to enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access. Changes start mid-July 2025 and complete by August 2025. Organizations should assess configurations, notify stakeholders, update documentation, and configure the Admin Consent workflow.

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we are updating default settings in Microsoft 365 to help you meet the minimum security benchmark and harden your tenant’s security posture. These changes target legacy authentication protocols and app access permissions that may expose organizations to unnecessary risk.

This is the first step in a broader effort to evaluate and evolve Microsoft 365 defaults through the lens of security best practices.

When this will happen:

These changes will begin rolling out in mid-July 2025 and are expected to complete by August 2025.

How this affects your organization

The following settings will be updated:

Setting: Block legacy browser authentication to SharePoint and OneDrive using RPS (Relying Party Suite)

Impact: Legacy authentication protocols like RPS (Relying Party Suite) are vulnerable to brute-force and phishing attacks due to non-modern authentication. Blocking this prevents applications that are using outdated methods from accessing SharePoint and OneDrive via browser. To use PowerShell to block legacy browser authentication, see Set-SPOTenant.

Setting: Block FPRPC (FrontPage Remote Procedure Call) protocol for Office file opens

Impact: FrontPage Remote Procedure Call (FPRPC) is a legacy protocol used for remote web page authoring. While no longer widely used, legacy protocols such as FPRPC can be more susceptible to compromise, and blocking FPRPC helps reduce exposure to vulnerabilities. With this change, FPRPC will be blocked for opening files, preventing the use of this non-modern protocol in Microsoft 365 clients. To learn how to block the FPRPC protocol, see turn on web content filtering.

Setting: Require admin consent for third-party apps accessing files and sites

Impact: Users allowing third-party apps to access file and site content can lead to overexposure of an organization’s content. Requiring admins to consent to this access can help reduce overexposure. With this change, Microsoft managed App Consent Policies will be enabled, and users will be unable to consent to third party applications accessing their files and sites by default. Instead, they can request administrators to consent on their behalf. To configure admin consent, follow instructions here: Configuring the Admin Consent workflow. Customers who have already blocked user consent, turned on our previously recommended consent settings, or applied custom user consent settings will not be affected by this change. Admins can also configure granular app access policies, such as limiting user access to the application for specific users or groups. Learn more here.

These changes are on by default and apply to all Microsoft 365 tenants. No additional licensing is required.

What you can do to prepare:

We recommend the following actions:

Assess current configurations: As applicable, identify current configurations for RPS or FPRPC protocols.

Notify stakeholders: Inform IT admins, app owners, and security teams about the upcoming changes.

Update documentation: Ensure internal guidance reflects the new defaults and admin consent process.

Configure Admin Consent workflow: If third party apps access is applicable for your organization, learn how to set up the workflow: Configuring admin consent workflow.
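For the assessment and Admin Consent workflow steps above, a read-only check of how user consent and the workflow are currently set in a tenant. This is an added example, not part of the Microsoft message; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can be granted Policy.Read.All. The function name Get-ConsentPosture is hypothetical.

```powershell
# Added example: read-only, changes nothing in the tenant.
# Assumes the Microsoft.Graph PowerShell SDK; Policy.Read.All is enough to read both policies.
Connect-MgGraph -Scopes 'Policy.Read.All'

function Get-ConsentPosture {
    # Tenant-wide authorization policy: lists the permission grant policies
    # assigned to the default user role.
    $auth     = Get-MgPolicyAuthorizationPolicy
    $assigned = @($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

    # Entries prefixed "ManagePermissionGrantsForSelf." allow users to consent for themselves.
    $selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

    # Admin consent workflow settings (the request path users get once self-consent is blocked).
    $workflow  = Get-MgPolicyAdminConsentRequestPolicy
    $reviewers = @($workflow.Reviewers | Where-Object { $_ })

    [pscustomobject]@{
        UserConsentAllowed     = $selfConsent.Count -gt 0
        UserConsentPolicies    = ($selfConsent -replace '^ManagePermissionGrantsForSelf\.', '') -join ', '
        AdminConsentWorkflowOn = [bool]$workflow.IsEnabled
        WorkflowReviewerCount  = $reviewers.Count
        RequestDurationInDays  = $workflow.RequestDurationInDays
    }
}

$posture = Get-ConsentPosture
$posture | Format-List

# Flag the combination that leaves users without an in-product way to request access.
if ($posture.UserConsentAllowed -and -not $posture.AdminConsentWorkflowOn) {
    Write-Warning 'User consent is currently allowed and the admin consent workflow is off. Configure the workflow and reviewers before the new default applies.'
}
elseif ($posture.AdminConsentWorkflowOn -and $posture.WorkflowReviewerCount -eq 0) {
    Write-Warning 'Admin consent workflow is on but has no reviewers assigned.'
}
```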

Additional considerations

  • Does the change alter how existing customer data is processed, stored, or accessed? Yes — it blocks access to content via legacy authentication protocols.

Microsoft Teams: Rule-based enablement of Microsoft 365 third-party apps in the Teams admin center

https://admin.microsoft.com/Adminportal/#/MessageCenter/:/messages/MC1085133

Summary

Microsoft Teams will enable admins to manage Microsoft 365 certified third-party apps via rule-based controls in org-wide settings, starting mid-September 2025. This feature, ON by default, allows bulk app availability management based on permissions and publishers, with a 30-day adjustment period after rollout.

Updated June 25, 2025: We have updated the timeline below. Thank you for your patience.

This feature will empower administrators to manage the availability of trusted Microsoft Teams apps based on rules, for enhanced security. Admins will be able to manage Microsoft 365 certified apps in the Teams admin center through a new control in Org-wide settings. You can further customize the availability of these apps based on permissions accessed and publisher names. The system automatically checks the Microsoft 365 certified apps that meet all the conditions you specify and makes those apps available. Note: This feature will be ON by default. 

This message is associated with Microsoft 365 Roadmap ID 485712.

When this will happen:

General Availability (Worldwide): We will begin rolling out mid-September 2025 (earlier mid-July 2025) and expect to complete by mid-October (earlier August 2025).

How this will affect your organization:

Before this rollout, you cannot manage the availability of Microsoft 365 certified apps in bulk. They are only controlled by third-party app tenant settings.

After this rollout, you can manage Microsoft 365 certified apps availability from org-wide settings in the Teams admin center at Manage apps > Actions > Org-wide app settings > Microsoft 365 certified apps. The All apps available option will be on by default after this rollout.

You can configure additional criteria from the Customize availability option:

What you need to do to prepare:

This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current configuration to assess the impact on your organization. You may want to notify your users about this change and update any relevant documentation.

No action is required for the tenants who have turned on Org-wide app settings for third-party apps.

For tenants who have turned off Org-wide app settings for third-party apps, we recommend you review the NEW tenant settings described in this message. We will update this post with the final GA timeline closer to launch time. After the feature releases in your tenant, you will have 30 days to make changes to these settings before they start affecting the availability of Microsoft 365 certified apps. The 30-day delayed impact to availability of these apps is a one-time occurrence for this launch. After this 30-day period, the settings will have immediate impact, honoring the NEW tenant settings to manage the availability of these apps. 

Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft

https://admin.microsoft.com/Adminportal/#/MessageCenter/:/messages/MC1117814

Summary

Microsoft Viva Engage is updating its email sender domains from @yammer.com to @engage.mail.microsoft, starting late August 2025 with completion by October 2025. This includes tenant-specific prefixes for security. Admins should update any custom rules referencing the old domains; no compliance issues identified.

Updated July 28, 2025: We have updated the timeline. Thank you for your patience.

Introduction

As part of the final phase of the Viva Engage rebranding, we’re updating the email sender domains used for Viva Engage communications. This change ensures a consistent and secure brand experience across all surfaces and completes the transition from Yammer to Viva Engage.

This update was previously communicated in MC679739, “Yammer Rebranding to Viva Engage Domain Migration Update,” in October 2023.

When this will happen

The email sender domain rollout will begin in late August 2025 for U.S. and EU tenants currently receiving messages from @yammer.com and @eu.yammer.com respectively. The entire rollout is expected to complete by the end of October 2025.

A fallback/coexistence period will be in place between August and the end of October, during which both the old and new domains will be supported. This will be managed via an internal experiment. During this time, some users within a tenant may receive emails from the old domain while others receive them from the new domain.

How this affects your organization:

  • The sender domain for Viva Engage emails will change as follows:
    • From @yammer.com to @engage.mail.microsoft for U.S. and global regions.
    • From @eu.yammer.com to @eu.engage.mail.microsoft for European regions.

These new domains are secured with industry-standard authentication protocols (e.g., SPF) to help prevent spoofing and ensure reliable delivery.

To enhance security and reduce cross-tenant spam, sender addresses will now include a tenant-specific prefix. You may see emails from:

  • noreply_tenant@engage.mail.microsoft (digests and delegate notifications)
  • notifications_tenant@engage.mail.microsoft (community, storyline, and activity notifications)
  • announcements_tenant@engage.mail.microsoft (leadership announcements)

These changes apply to all Viva Engage tenants, regardless of license tier (e.g., Viva P1, P2), and affect all Viva Engage emails, including notifications, announcements, and digests.

Third-party integrations (e.g., journaling, archiving, or routing systems) that rely on the @yammer.com domain for classification or authentication may be impacted. Any such configurations should be reviewed and updated to recognize the new domains.

An example of a new Viva Engage email notification sent from the updated @engage.mail.microsoft domain:

What you need to do to prepare

Admins should review and update the following configurations:

  • Transport rules and email gateways: Update any rules that reference @yammer.com to include the new domains.
  • Exchange filtering: Ensure filtering rules remain effective with the new sender domains.
  • Outlook rules: Inform users that any rules based on @yammer.com will no longer apply. Users can manually update or remove these rules.
  • No admin action is required unless your organization has custom configurations based on the old domain.
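To find the custom configurations the list above refers to, a read-only audit of Exchange Online mail flow rules and anti-spam policies for references to the old sender domains. This is an added example, not part of the Microsoft message; it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, and the function name Find-OldDomainReference is hypothetical.

```powershell
# Added example: read-only audit; nothing in the tenant is changed.
# Assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.

# Old -> new sender domains, as listed in the message center post above.
$domainMap = @{
    'eu.yammer.com' = 'eu.engage.mail.microsoft'
    'yammer.com'    = 'engage.mail.microsoft'
}

function Find-OldDomainReference {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $InputObjects
    )
    foreach ($obj in $InputObjects) {
        foreach ($prop in $obj.PSObject.Properties) {
            # Flatten single and multi-valued properties to one searchable string.
            $text = @($prop.Value) -join '; '
            if ($text -notmatch 'yammer\.com') { continue }

            # Work out which of the two old domains the value mentions.
            $new = @()
            if ($text -match 'eu\.yammer\.com')        { $new += $domainMap['eu.yammer.com'] }
            if ($text -match '(?<!eu\.)yammer\.com')   { $new += $domainMap['yammer.com'] }

            [pscustomobject]@{
                Source    = $Source
                Name      = $obj.Name
                Property  = $prop.Name
                Value     = $text
                AlsoAllow = $new -join ', '
            }
        }
    }
}

$findings = @(
    Find-OldDomainReference -Source 'TransportRule'  -InputObjects @(Get-TransportRule -ResultSize Unlimited)
    Find-OldDomainReference -Source 'AntiSpamPolicy' -InputObjects @(Get-HostedContentFilterPolicy)
)
$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Rules that match full sender addresses rather than domains also need the tenant-specific prefixes listed above, and during the coexistence period the old domains should stay in place alongside the new ones.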

Learn more: Yammer is evolving to Viva Engage | Viva Engage Blog

Compliance considerations

No compliance considerations identified, review as appropriate for your organi 
