MC1169566: Exchange ActiveSync TLS 1.3 Certificate Based Authentication Change
Exchange ActiveSync Certificate-Based Authentication now supports TLS 1.3, routing traffic to new tenant-location-based endpoints. Most clients will redirect seamlessly, but organizations using Secure Email Gateways may need to update firewall settings. Rollout began globally, expanding to other ...
As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.
With this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location.
How this will affect your organization:
This change has already begun to roll out in the worldwide multi-tenant cloud and will start rolling out in other clouds starting November 2025. As a result of this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location:
- Multi-tenant (Worldwide and GCC): outlook-cba.office365.com
- DoD: outlook-dod-cba.office365.us
- GCC-High: outlook-cba.office365.us
What you need to do to prepare:
For most Exchange ActiveSync clients, this change will be seamless. The client traffic will be implicitly redirected to the new CBA endpoints without any user action required.
However, if your organization uses a Secure Email Gateway (SEG) or similar gateway that filters or inspects ActiveSync traffic, you may need to update your firewall or gateway configuration to allow traffic to and from the new CBA endpoints listed above.
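For a gateway or firewall administrator, the practical checks are (a) which hostnames to add to the allowlist for the clouds the tenant lives in and (b) whether a TLS 1.3 handshake to those hosts actually succeeds through the gateway, since the whole point of the change is TLS 1.3 support. The script below is an added example, not Microsoft's code or part of this post; the endpoint names come from the list above, while the helper names, the cloud keys and the optional PEM client-certificate path are assumptions made for illustration.

```python
"""Check gateway allowlisting and TLS 1.3 reachability for the new
Exchange ActiveSync CBA endpoints (added example, not Microsoft code)."""
import socket
import ssl
from typing import Dict, List, Optional

# Endpoints as listed in MC1169566, keyed by an assumed cloud label.
CBA_ENDPOINTS: Dict[str, str] = {
    "worldwide": "outlook-cba.office365.com",
    "gcc": "outlook-cba.office365.com",
    "gcc-high": "outlook-cba.office365.us",
    "dod": "outlook-dod-cba.office365.us",
}


def allowlist_for(clouds: List[str]) -> List[str]:
    """Return the de-duplicated, sorted CBA hosts a gateway must allow for
    the given clouds. Unknown cloud labels raise ValueError so a typo in a
    change ticket does not silently produce an empty allowlist."""
    hosts = set()
    for cloud in clouds:
        key = cloud.lower()
        if key not in CBA_ENDPOINTS:
            raise ValueError(f"unknown cloud label: {cloud}")
        hosts.add(CBA_ENDPOINTS[key])
    return sorted(hosts)


def tls13_only_context(client_cert: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.3, so a
    successful handshake proves the path (inspection gateway included)
    negotiates 1.3 rather than falling back to an older version."""
    ctx = ssl.create_default_context()          # system CA store, hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if client_cert:                              # assumed PEM path holding cert + key
        ctx.load_cert_chain(client_cert)
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0,
          client_cert: Optional[str] = None) -> Dict[str, object]:
    """Attempt a TLS 1.3 handshake with `host` and report the outcome
    without raising, so one blocked endpoint does not abort the run."""
    ctx = tls13_only_context(client_cert)
    result: Dict[str, object] = {"host": host, "ok": False,
                                 "protocol": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["ok"] = True
                result["protocol"] = tls.version()   # e.g. "TLSv1.3"
    except (OSError, ssl.SSLError) as exc:
        # Covers DNS failure, gateway block/reset, and a gateway that only
        # offers TLS 1.2 (surfaces as an SSLError from the version floor).
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import sys
    clouds = sys.argv[1:] or ["worldwide"]
    for host in allowlist_for(clouds):
        r = probe(host)
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {host} protocol={r['protocol']} error={r['error']}")
```

Run it from a machine behind the same gateway that ActiveSync clients use (for example `python probe.py gcc-high dod`); a `FAIL` with a connection reset or a protocol-version error points at the gateway rather than at the Exchange endpoint, which is exactly the case this post asks SEG customers to fix before the rollout reaches their cloud.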
If you have questions or concerns about this change, please contact your SEG vendor. We appreciate your cooperation and commitment to maintaining a secure environment.
Learn more:
Upcoming TLS Changes for Certificate Based Auth ActiveSync Traffic.
RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3
As specified in [MS-ASHTTP]: Authorization | Microsoft Learn (the official ActiveSync protocol documentation), EAS requests without an Authorization header are treated as CBA requests.