Block IMAP/POP3 in Office 365


1. Log in to your local computer, open Windows PowerShell, and run the command below. Select Y to allow Windows PowerShell to run signed scripts.





Set-ExecutionPolicy RemoteSigned






2. Run the command below. In the Windows PowerShell Credential Request dialog box, type the O365 admin account and password, and then click OK.





$UserCredential = Get-Credential









3. Run the command below to open a remote session to Exchange Online.





$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection





4. Run the next command to import the Exchange cmdlets from that session.





Import-PSSession $Session










5. Verify the list of mailboxes with SMTP/IMAP/POP enabled. By default they are enabled. Run the command below.





Get-CasMailbox









6. Run the following command to disable IMAP/POP/SMTP for all mailboxes.





Get-CasMailbox | Set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true





Then run Get-CasMailbox again to verify.









7. For any mailbox that requires IMAP/POP/SMTP to stay enabled, you will need to run a separate command, as below:





Set-CASMailbox -Identity printer@domain.onmicrosoft.com -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $false









The above example enables SMTP for the mailbox “printer@domain.onmicrosoft.com”. Note that SmtpClientAuthenticationDisabled is a "disabled" flag, so $false leaves SMTP on. Invert the value for the protocol you would like to enable, and replace the identity with the required mailbox.





8. As this is a per-user/mailbox setting, you will need to run this again each time you create a new account/mailbox. Below is the command for setting this per mailbox:





Set-CASMailbox -Identity name@domain.com -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true





9. If you want to disable POP and IMAP upon mailbox creation, you can run the command below. There is no equivalent option for SMTP Client Authentication, so you will have to do it manually after mailbox creation.





Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false





10. Alternatively, you can enable Security Defaults in Azure. This blocks all legacy authentication protocols. For more information about Security Defaults, please check the Microsoft website.
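
A check to run after steps 6 to 9, added here as an example and not part of the original procedure: it lists every mailbox that still allows POP, IMAP or SMTP client authentication and separates the exceptions from step 7 from mailboxes that were missed or created later (step 8). The function name Get-LegacyProtocolExposure and the sample rows are hypothetical; the property names are assumed to match Get-CasMailbox output.

```powershell
# Added example: audit which mailboxes still expose legacy protocols.
function Get-LegacyProtocolExposure {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-CasMailbox output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,

        # Mailboxes deliberately left enabled (step 7), e.g. a printer account
        [string[]]$Allowed = @()
    )
    process {
        $open = @()
        if ($Mailbox.PopEnabled)  { $open += 'POP' }
        if ($Mailbox.ImapEnabled) { $open += 'IMAP' }
        # A blank ($null) value means the mailbox inherits the organization-wide
        # setting, so only an explicit $true is counted as blocked here.
        if ($Mailbox.SmtpClientAuthenticationDisabled -ne $true) { $open += 'SMTP AUTH' }

        if ($open.Count -gt 0) {
            $address = [string]$Mailbox.PrimarySmtpAddress
            [pscustomobject]@{
                Mailbox   = $address
                Open      = $open -join ', '
                Exception = $Allowed -contains $address
            }
        }
    }
}

# Constructed sample rows standing in for live output. In a connected session use:
#   Get-CasMailbox -ResultSize Unlimited   (the default result size is 1000)
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@domain.com'
        PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@domain.com'
        PopEnabled = $false; ImapEnabled = $true;  SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'printer@domain.onmicrosoft.com'
        PopEnabled = $false; ImapEnabled = $false; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'newhire@domain.com'
        PopEnabled = $true;  ImapEnabled = $true;  SmtpClientAuthenticationDisabled = $null }
)

# Show only unexpected exposure: bob@ and newhire@ are listed, printer@ is a known exception.
$sample | Get-LegacyProtocolExposure -Allowed 'printer@domain.onmicrosoft.com' |
    Where-Object { -not $_.Exception } | Format-Table -AutoSize
```

Running this on a schedule catches mailboxes created after step 6, since the per-mailbox SMTP setting is not applied automatically.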