So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!

Default Office365/Exchange Online Config

Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:

Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these)

Solving your security troubles with PowerShell

If you use MFA (you do, don’t you? If not get that deployed!) then you will need to install the Exchange Online PowerShell modules locally. You will need to use Internet Explorer to download these from the ECP console (under hybrid mode):

Click CONFIGURE (on the Exchange Online PowerShell Module option)


Now we are in a PowerShell session locally.


Connect-EXOPSSession -ConnectionUri

Follow the on-screen authentication wizard

Now we are authenticated we can do some bulk user admin

Let’s check out our CLIENT ACCESS SERVER mailboxes:


This will drop a table with a list of mailboxes and their CAS feature states:

Now we can either set features on a specific mailbox as so:

Set-CASMailbox -Identity “Demo User” -MAPIEnabled $false

Or we can bulk change accounts (there are other ways of doing this using list etc.)

After running this, we can run Get-CASMailbox again to see the changes:

Now let’s get to it and disable the following:

  • IMAP
  • POP3

And voila, all our mailbox connectivity methods now support MFA!


It’s important to recognise the breadth and depth that secure configuration entails. Security is never a set and forget activity, todays good practises may be tomorrow’s attacker’s playground. Here we have shown a very quick way of disabling IMAP and POP3 access.

Leave a Reply