In September and October, 2025, Microsoft is making major changes across Azure, Exchange Online, and Windows.
This isn’t just another routine update—seven key services and features are being retired or significantly changed, and the impact will be felt across your cloud infrastructure, virtual networking, email delivery, and endpoint security.
To make it easier to prioritize and plan, we’ve categorized the changes into three critical buckets:
- Retiring Capabilities: Migrate or Lose Functionality
- Changes That Will Break Things: Fix misconfigurations before they cause outages
- End of Support: Upgrade to avoid compliance and security risks
Read on to understand what’s changing, what they mean for your environment, and how to prepare before the deadlines.
Retiring Capabilities: Migrate or Lose Functionality
Default Outbound Internet Access Is Retiring: Explicit Configuration Required
Effective September 30, 2025, Microsoft will retire default outbound internet access for new Azure virtual machines (VMs). Previously, VMs without explicit outbound configurations were permitted to access the Internet with a shared and dynamic public IP address for internet connectivity.
Post-retirement, all new VMs will require explicit outbound connectivity methods, such as Azure NAT Gateway, load balancer outbound rules, or directly assigned public IP addresses.
While existing VMs using default outbound access will continue to function, Microsoft and ProArch strongly recommend transitioning to explicit outbound methods to enhance security and control. Future changes or a disaster recovery scenario may be complicated if you continue to rely on the retired default outbound internet access.
What to do:
- Identify if your environment has an explicit form of outbound Internet access. If none is present, assume you are relying on this soon to be retired method.
- Develop a strategy to implement explicit outbound connectivity methods such as Azure NAT Gateway or third-party firewalls (e.g., Barracuda).
- Test configurations to ensure uninterrupted internet access.
Changes That Break Things: Address These Risks Now
Basic Public IPs Are Going Away: Upgrade to Avoid Outages
Microsoft is retiring Basic public IP addresses in Azure on September 30, 2025. After this date, any resources using Basic IPs—like VMs, load balancers, and network gateways—will stop working.
What to do:
- Identify resources using Basic public IPs, especially dynamic basic public IPs.
- Plan to upgrade to Standard public IPs, which offer better security and availability.
- Be aware of a small cost increase and potential downtime during the switch.
- Microsoft provides migration tools and guidance—don’t wait until the deadline.
Virtual Network Gateways at Risk: Basic Public IP Retirement Could Break Connectivity
Microsoft is retiring Basic SKU public IP addresses by September 30, 2025, which directly affects Virtual Network Gateways (VNGs) that use them.
This is one of the most urgent Azure changes in 2025. It could result in complete loss of connectivity between Azure and on-premises networks.
What to do:
- Locate all VNGs using Basic public IPs.
- Review Microsoft’s step-by-step migration guide to transition to Standard SKU public IPs.
- Ensure your gateway subnet is at least /27 and has three available IP addresses before initiating migration.
- Schedule a planned maintenance window for the migration.
Azure Basic Load Balancers Are Being Phased Out: Move to Standard for Improved Performance
Microsoft will retire Basic Load Balancers on September 30, 2025. After this date, existing Basic Load Balancers will no longer function, and new deployments will be blocked starting March 31, 2025.
This change affects various web applications but also can impact legacy Remote Desktop Services and firewall configurations that utilize Basic Load Balancers.
What to do:
- Locate all Basic Load Balancers in your environment.
- Develop a strategy to transition to Standard Load Balancers, which offer enhanced features such as zone redundancy, improved diagnostics, and higher availability. If you utilize Remote Desktop Services with basic load balancers, consider moving to Azure Virtual Desktop and let Microsoft take care of your load balancers with that service.
- If a migration is necessary, estimate costs as Standard Load Balancers will cost more than you are paying currently for the mostly free basic tier.
- Utilize Microsoft’s PowerShell scripts to automate the basic load balancer upgrade process.
- After migration, test your applications to confirm they are receiving traffic through the new Standard Load Balancer.
Unmanaged Disks Will No Longer Be Supported: Migrate to Managed Disks for Better Scalability
Microsoft is retiring unmanaged disks in Azure on September 30, 2025. After this date, VMs with such disks will be stopped and will not be able to be restarted without being migrated.
Managed disks offer improved scalability, reliability, and ease of management by eliminating the need to manage storage accounts.
What to do:
- Locate all virtual machines (VMs) using unmanaged disks.
- Develop a strategy to migrate Azure VMs to managed disks in Azure, which provide standardized sizes and performance tiers. The migration process requires downtime, typically a few minutes, and it’s recommended to perform a full backup before proceeding.
- Use the Azure portal or command-line tools to migrate. The process involves stopping the VM, converting the disks, and restarting the VM. Detailed guidance is available for Windows and Linux
- After migration, verify that the VM is operating correctly, and that all data is intact.
Authenticated SMTP Is Ending: Reconfigure Devices for Secure Email Delivery
Basic Authentication for SMTP AUTH in Exchange Online is retiring in September 2025, impacting devices like printers, scanners, and legacy applications that use this method for sending emails (e.g., scan-to-email).
Legacy SMTP AUTH lacks support for Multi-Factor Authentication (MFA), making it a target for attackers. This move aims to enhance security by eliminating protocols that don’t support modern authentication methods.
What to do:
- Audit your environment to find devices and applications using Basic Authentication for SMTP AUTH.
- Determine the best approach for each identified device or application.
- Consider Microsoft’s alternative services:
- For mail sent to internal users, High Volume Email (HVE) for Microsoft 365 provides a short-term way to use basic authentication if no other feasible solution exists.
- For mail sent to external users, Azure Communication Services is a robust product if your applications or devices could use it.
- NOTE that Windows Server’s SMTP relay role was removed from Windows Server 2025 and is no longer a viable option. A non-Microsoft SMTP server could be used in its place.
- Reconfigure devices and applications to use modern authentication methods or alternative solutions well before the September 2025 deadline to avoid service disruptions.
End of Support: Upgrade or Extend
Windows 10 Support Ends: Upgrade or Plan for Extended Security Updates
Microsoft will officially end support for Windows 10 on October 14, 2025, meaning no more security updates, bug fixes, or technical assistance for most users. This affects all editions.
What to do:
- Use the PC Health Check app to determine if your device can run Windows 11. If your PC meets the hardware requirements, you can upgrade to Windows 11 for free. ProArch, a top Microsoft Partner, recommends upgrading your hardware if you do not meet the hardware requirements for optimal security.
- Decide whether to upgrade to Windows 11 or enroll in the Extended Security Updates (ESU) program where you can purchase updates on an annual basis until 2028.
- If opting for ESU, factor in the annual costs. For hardware upgrades, plan for the investment in new devices that meet Windows 11 requirements.
- Regularly check Microsoft’s official channels for updates and detailed guidance on transitioning from Windows 10.
Preparing for these Microsoft changes ahead of time will save your team from last-minute scrambles, avoid potential service disruptions, and strengthen your overall cloud security and performance.
While each change comes with its own challenges, the good news is you don’t have to tackle them alone.
As a top Microsoft Partner, ProArch can guide your organization through every step—from assessment and planning to migration and optimization—ensuring you’re fully ready before the 2025 deadlines hit. Contact ProArch.