Starting\u00a0May 1<\/span>st<\/span>, 2026, legacy client authentication will be blocked for SharePoint Online and OneDrive for\u00a0Business, and\u00a0cannot be re-enabled.\u00a0Organizations should necessarily move to modern auth (using steps mentioned below) by 30<\/span>th<\/span>\u00a0April.\u00a0<\/span>\u00a0<\/span><\/p>\n To access telemetry please log into the Microsoft Purview portal. Typically, users with following roles\/permissions are allowed access to this portal.<\/p>\n Go to https:\/\/compliance.microsoft.com<\/a> or https:\/\/purview.microsoft.com<\/a> depending on your organization\u2019s configuration. Use your organizational account (not a personal Microsoft account).<\/p>\n Once logged in, please navigate to \u201cAudit\u201d on the left hand side panel. Then under \u201cActivities \u2013 operations name\u201d please select \u201cIDCRLSuccessSignIn\u201d as shown in screenshot 1. Select other filters as required and click on Search.<\/p>\n You will get telemetry output similar to screenshot 2 and 3 depending upon the information available.<\/p>\n Definition of IDCRL Calls: There are 2 categories of calls referred to as IDCRL calls<\/p>\n https:\/\/login.microsoftonline.com\/rst2.srf\u00a0(used to obtain the SAML BinarySecurityToken)\nhttps:\/\/TENANT.sharepoint.com\/_vti_bin\/idcrl.svc\u00a0(used to exchange the BinarySecurityToken for the SPOIDCRL cookie)<\/p>\n Users should consider moving to modern auth protocols by using Microsoft Authentication Library (MSAL) for OAuth as this will ensure safe and secure continuity for both Category 1 and Category 2<\/u><\/em> calls mentioned above. MSAL provides methods to acquire security tokens that can be used to authenticate apps and scripts.<\/p>\n For comprehensive technical guidance on migrating to modern authentication, please consult this resource: Using modern authentication with CSOM for .NET Standard<\/a>.<\/p>\n Additionally, your application must be registered in Microsoft Entra to acquire access tokens. For detailed steps on app registration, see: Configuring an application in Azure AD<\/a>.<\/p>\n For more details and context on MSAL and OAuth, please visit the following links:<\/p>\n <\/p>\n Alternative fix for category 1 calls (mentioned above):<\/strong> If your application or script leverages the “SharePointOnlineCredentials<\/em>\u201d\u202flibrary (from the Microsoft.SharePointOnline.CSOM NuGet package), we have released a NuGet package which will give the option of transitioning from IDCRL to Modern Authentication protocol. The upgraded nuget package is available from NuGet Gallery | Microsoft.SharePointOnline.CSOM<\/a>.<\/span><\/p>\n In some rare cases, calls are directly being made to GetAuthenticationCookie<\/em> method to acquire cookies; This method is getting deprecated in the newer version of the NuGet package and would be replaced by AcquireTokenAsync method which will acquire OAuth token.<\/p>\n Additionally, if you have enabled Multi Factor Authentication in your tenant, then you need to pass a fourth parameter with SharePointOnlineCredentials<\/em> constructor i.e (username, password, useModernAuth:true, interactiveAuth:true)<\/u><\/em><\/strong>. The fourth parameter i.e \u201ctrue<\/em>\u201d will allow for user intervention and enable interactive auth for the tenant.<\/p>\n In case admins don\u2019t want user intervention then they can use App Only Authentication while registering their app on Entra as mentioned above.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" In the next few months, Microsoft will be removing the legacy authentication protocol known as IDCRL (Identity Client Run Time Library) in SharePoint.<\/p>\n","protected":false},"author":69078,"featured_media":24888,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[166],"tags":[39,162],"class_list":["post-24883","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sharepoint","tag-authentication","tag-sharepoint"],"acf":[],"blog_post_summary":" In the next few months, Microsoft will be removing the legacy authentication protocol known as IDCRL (Identity Client Run Time Library) in SharePoint.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/24883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69078"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=24883"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/24883\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/24888"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=24883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=24883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=24883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}How to access telemetry to check whether your organization has made any IDCRL Calls<\/strong><\/h2>\n
\n
![\"pic1](\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2025\/10\/pic1-1.png\")
<\/a><\/p>\n![\"pic2](\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2025\/10\/pic2-1.png\")
<\/a><\/p>\n![\"pic3](\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2025\/10\/pic3.png\")
<\/a><\/p>\nHow to mitigate IDCRL calls and move to modern Authentication<\/h2>\n
\n
\n
\n