Microsoft announced on May 8, 2026, that it will retire direct certificate-based authentication for Exchange ActiveSync (EAS) in Exchange Online by the end of 2026. The decision forces organizations still relying on client certificates for mobile email access to adopt Entra ID certificate-based authentication, a modern and more secure approach integrated with Conditional Access policies.
This change, communicated via the Microsoft 365 admin center, affects any mobile device using EAS with certificate authentication directly against Exchange Online. After the deadline, such connections will fail, disrupting email flow for users unless administrators take proactive steps.
What’s Changing
Exchange ActiveSync has long supported certificate-based authentication as a legacy method for mobile devices. In this setup, a device presents an X.509 client certificate to the Exchange server, which validates it against a trusted certificate authority—bypassing modern identity flows. This direct trust model operates outside of Entra ID’s authentication framework, limiting visibility and control.
Microsoft is now removing this capability entirely from Exchange Online. The deprecation means that after the end of 2026, EAS clients can no longer authenticate by presenting a certificate directly to Exchange Online. Instead, every authentication request must flow through Entra ID, where the certificate is validated and a token issued. The change aligns EAS with other Exchange Online protocols, which already require modern authentication.
Why Microsoft Is Killing Direct EAS Cert Auth
The retirement is part of Microsoft’s broader push to eliminate legacy authentication mechanisms that lack integration with Azure AD/Entra ID’s security features. Direct certificate authentication for EAS has several limitations:
- No support for Conditional Access policies. Organizations cannot enforce multi-factor authentication (MFA), device compliance checks, or location-based restrictions.
- Limited logging and risk detection. Entra ID Identity Protection cannot evaluate sign-in risk because the authentication happens outside its pipeline.
- Challenges in certificate lifecycle management. Revoking a certificate often requires manual intervention on both the Exchange side and the device, increasing administrative overhead.
- Vulnerabilities to token replay and other attacks, since modern authentication protocols like OAuth 2.0 include protection mechanisms absent from basic certificate exchange.
By moving certificate validation to Entra ID, Microsoft enables unified policy enforcement, richer audit trails, and the ability to combine certificate-based authentication with other authentication strengths. This shift parallels the industry-wide move away from legacy authentication, which Microsoft began accelerating with the deprecation of basic authentication in Exchange Online in 2022.
Impact: Who Needs to Act
Organizations most affected are those that configured mobile devices—especially in bring-your-own-device (BYOD) or managed scenarios—to use client certificates for EAS without involving Entra ID. Typically, this occurs when:
- A device management solution pushes a certificate to the device and configures the native mail app to use it for Exchange Online.
- Third-party email apps still rely on EAS with certificate auth instead of Microsoft’s modern authentication SDK.
- Hybrid environments issue certificates from an internal PKI, and Exchange Online trusts those certificates directly.
After the deadline, users with such configurations will see connection errors. The native iOS Mail app, Samsung Email, and some older Android mail clients are common examples. Microsoft notes that Outlook for iOS and Android already uses modern authentication and is unaffected.
The Path Forward: Entra ID Certificate-Based Authentication
Entra ID certificate-based authentication (CBA) allows organizations to issue X.509 certificates to users or devices and use them as a primary or secondary factor during Entra ID sign-in. The certificate is validated by Entra ID, which then issues a token that the client presents to Exchange Online. This flow is fully compatible with Conditional Access, Privileged Identity Management, and Identity Protection.
Key advantages:
- Unified policy enforcement across all apps and protocols.
- Ability to combine certificate auth with MFA, passwordless methods, or device compliance checks.
- Centralized certificate revocation through Entra ID, which immediately blocks access across all services.
- Detailed sign-in logs in Entra ID, enabling advanced threat detection.
Migration Steps
To prepare for the shutdown, IT administrators should:
- Inventory current EAS certificate usage: Use Exchange Admin Center logs or queries to identify active devices using certificate authentication. Check for devices that haven’t upgraded to modern authentication.
- Set up Entra ID CBA: Configure certificate authorities in Entra ID, define authentication methods policy, and upload public certificates. Microsoft documentation provides step-by-step guidance.
- Update MDM profiles: Modify device configuration profiles to remove direct EAS cert auth and instead deploy a user or device certificate that enrolls with Entra ID. For iOS, this typically involves a VPN and Wi-Fi payload change; for Android, a certificate installation and account configuration.
- Test with a pilot group: Deploy the new setup to a small subset of users, verify mail flow and Conditional Access policy effectiveness.
- Communicate to end users: Notify users that a device configuration update is required. Some may need to re-enroll their device or re-add their email account.
- Monitor and enforce: Use Conditional Access to block legacy EAS certificate connections before the deadline to identify any stray devices.
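One way to run the inventory step, as an added example that is neither Microsoft's code nor part of the announcement: it lists EAS device partnerships in Exchange Online and cross-checks their owners against Entra ID sign-in logs, because the direct certificate path never produces an Entra sign-in. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the lookback window and output path are placeholder values.

```powershell
# Added example (not from Microsoft's announcement or documentation): inventory
# EAS device partnerships in Exchange Online and flag those that synced recently
# but whose owner has no "Exchange ActiveSync" sign-in in the Entra ID sign-in
# log. Direct certificate auth bypasses Entra ID, so such devices are candidates
# for the legacy path. Assumes ExchangeOnlineManagement and Microsoft.Graph are
# installed; $LookbackDays and $OutPath are placeholder values.
$LookbackDays = 30   # keep at or below your tenant's sign-in log retention
$OutPath      = ".\eas-direct-cert-candidates.csv"

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$since    = (Get-Date).AddDays(-$LookbackDays)
$sinceIso = $since.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Users who authenticated through Entra ID with an EAS client in the window.
$entraEasUsers = Get-MgAuditLogSignIn -All `
    -Filter "clientAppUsed eq 'Exchange ActiveSync' and createdDateTime ge $sinceIso" |
    Select-Object -ExpandProperty UserPrincipalName -Unique

# Walk every mailbox's device partnerships. ClientType 'EAS' excludes Outlook
# for iOS/Android, which the announcement says already uses modern auth.
$inventory = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    Get-MobileDeviceStatistics -Mailbox $upn |
        Where-Object { $_.ClientType -eq 'EAS' -and $_.LastSuccessSync -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                User              = $upn
                DeviceType        = $_.DeviceType
                DeviceModel       = $_.DeviceModel
                DeviceOS          = $_.DeviceOS
                LastSuccessSync   = $_.LastSuccessSync
                DeviceAccessState = $_.DeviceAccessState
                SeenInEntraEas    = [bool]($entraEasUsers -contains $upn)
            }
        }
}

# Devices syncing with no Entra EAS sign-in for their owner go to the review list.
# Heuristic: a user with one modern-auth EAS device and one legacy device is
# marked as seen, so confirm per device against the MDM profile.
$flagged = @($inventory | Where-Object { -not $_.SeenInEntraEas })
$flagged | Sort-Object User, LastSuccessSync -Descending |
    Export-Csv -Path $OutPath -NoTypeInformation

"{0} EAS devices active in the last {1} days, {2} with no Entra EAS sign-in" -f
    @($inventory).Count, $LookbackDays, $flagged.Count
```

Run it with an account holding Exchange administrator and Entra reports reader rights; the CSV is the starting point for the MDM profile updates described above.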
Timeline and Urgency
Microsoft set an aggressive timeline: announcement on May 8, 2026, with deprecation by the end of 2026—effectively giving organizations seven to eight months. Historically, Microsoft provides at least 12 months for major authentication changes, but the shorter window here suggests the company considers the transition straightforward for most tenants already using modern authentication for other protocols.
For hybrid organizations, the urgency is amplified. Exchange on-premises servers may still use direct certificate auth for cross-premises coexistence. Administrators must ensure all authentication paths are updated in tandem to avoid service interruptions.
What Happens If You Miss the Deadline
After the retirement date, EAS clients attempting to authenticate with a certificate directly to Exchange Online will receive an authentication error. The only supported method will be token-based access via Entra ID. There is no official workaround or extension mechanism; Microsoft’s message center post emphasized that there will be no exceptions. Affected users will lose email access on their mobile devices until their configuration is corrected.
Organizations that rely heavily on legacy mobile mail clients may face business disruption. Proactive migration is not optional—it’s a hard cutoff.
The Bigger Picture: Passwordless and Phishing Resistance
The push to Entra ID CBA aligns with Microsoft’s vision of a passwordless, phishing-resistant authentication environment. Certificates, especially when stored in hardware-backed keystores, provide strong authentication that resists credential theft. Combined with policies like MFA or device compliance, organizations gain a robust security posture that meets modern compliance requirements.
This change also nudges organizations still running legacy mobile applications toward modern clients like Outlook Mobile, which offer better integration with Microsoft 365 and support additional features like sensitivity labels and data protection.
Take Action Now
The clock is ticking. IT teams should immediately begin assessing their EAS footprint and planning the migration to Entra ID certificate-based authentication. Microsoft provides detailed documentation and Graph APIs to aid the discovery process. For complex environments, engaging with Microsoft FastTrack or a certified partner can accelerate the transition.
Ignoring this announcement risks a sudden loss of mobile email access for a significant portion of the workforce—a scenario no IT administrator wants to manage during year-end holidays.