Exchange ActiveSync TLS 1.3 Certificate Based Authentication Change

Originally posted by Microsoft Oct 13, 2025 Uncategorized 0 Comments

Exchange ActiveSync Certificate-Based Authentication now supports TLS 1.3, routing traffic to new tenant-location-based endpoints. Most clients will redirect seamlessly, but organizations using Secure Email Gateways may need to update firewall settings. Rollout began globally, expanding to other clouds by November 2025.

As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.

With this change all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location

Specified at MS-ASHTTP: Authorization | Microsoft Learn ActiveSync official documentation, EAS requests without authorization header will be treated as a CBA request.  

Message ID: MC1169566

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: