An Exchange authentication policy can specify which protocols are available for allowing user to sign-in to access various services. To avoid brute password spray attacks that identify password validity by monitoring Exchange server response to sign-in attempts, many organizations are opting to disable legacy POP, IMAP, SMTP, etc protocol authentication methods. 

The process described in this article will allow you to assign an existing policy to a user in your Azure Active Directory domain.


Prior to attempting this operation, you must have the following:
  1. Installed Exchange Online PowerShell V2
  2. Created authentication policy
  3. Have access to an administrative account with sufficient privileges to modify user objects


Replace [strings in brackets] with actual values for your organization
  1. Run Exchange PowerShell V2
  2. Sign in to the tenant with the following command:
    1. connect-exopssession -userprincipalname []
  3. Verify user's current authentication policy
    1. get-user [] | ft name,authenticationpolicy
  4. Set user's desired authentication policy (["authentication policy name"])
    1. set-user -identity [] -authenticationpolicy ["authentication policy name"]
  5. Verify policy change took place:
    1. get-user [] | ft name,authenticationpolicy
Repeat steps 4-5 for each user, or pipe a list of users from a CSV.

Note that typical policy changes take effect within 24 hours. To make changes immediate, run the following script:

Set-User -Identity [] -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)


  1. About the Exchange Online PowerShell V2 module | Microsoft Docs
  2. Disable Basic authentication in Exchange Online | Microsoft Docs