Introduction
The legacy email protocols POP and IMAP are prone to brute-force password spray attacks, which may succeed in breaching the tenant's mailboxes.
To best protect against this, we recommend disabling legacy email protocols for all new mailboxes.
This setting should be applied in conjunction with Disable SMTP Authentication for Exchange Online – Tenant Wide Setting.
License Requirement
Any Exchange Online plan
User Impact
Low
New mailboxes will have the POP and IMAP protocols disabled. Any attempt to connect to these mailboxes using POP or IMAP will be blocked.
Admin Portal Reference
This setting is switched on via PowerShell. The following cmdlets are run on the tenant’s Exchange Online.
PowerShell Reference
Get-CASMailboxPlan -Filter { ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
If Action is set to Notify
We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false.
We report the setting as non-compliant if any of the CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $true.
If Action is set to Enforce
We report the setting as compliant if all CASMailboxPlans (each Exchange Online SKU has its own plan) have their ImapEnabled and PopEnabled attributes set to $false.
We report the setting as compliant-fixed if any of the CASMailboxPlans (each Exchange Online SKU has its own plan) had their ImapEnabled and PopEnabled attributes set to $true and MSPMagic has updated them to $false.
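The Notify and Enforce outcomes described above can be reproduced with a short audit function. This is an added example, not MSPMagic's own code: the function name Test-LegacyMailProtocolPlan and the sample plan names are hypothetical, and a plan counts as offending when either protocol is enabled, matching the -Filter in the PowerShell Reference.

```powershell
# Added example: the function name and the sample plan names are hypothetical.
function Test-LegacyMailProtocolPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Objects shaped like Get-CASMailboxPlan output (Name, ImapEnabled, PopEnabled).
        [Parameter(Mandatory)] [object[]] $Plan,
        [ValidateSet('Notify', 'Enforce')] [string] $Action = 'Notify'
    )

    # A plan is an offender if either legacy protocol is still enabled.
    $offenders = @($Plan | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
    $status = 'compliant'
    $fixed = @()

    if ($offenders.Count -gt 0) {
        $status = 'non-compliant'
        if ($Action -eq 'Enforce') {
            foreach ($p in $offenders) {
                if ($PSCmdlet.ShouldProcess($p.Name, 'Disable IMAP and POP')) {
                    Set-CASMailboxPlan -Identity $p.Name -ImapEnabled $false -PopEnabled $false -ErrorAction Stop
                    $fixed += $p.Name
                }
            }
            # Only report a fix when every offending plan was actually updated.
            if ($fixed.Count -eq $offenders.Count) { $status = 'compliant-fixed' }
        }
    }

    [pscustomobject]@{
        Status    = $status
        Offenders = @($offenders | ForEach-Object { $_.Name })
        Fixed     = $fixed
    }
}

# Constructed sample data so the Notify path runs without a tenant connection.
$samplePlans = @(
    [pscustomobject]@{ Name = 'SamplePlanA'; ImapEnabled = $false; PopEnabled = $false }
    [pscustomobject]@{ Name = 'SamplePlanB'; ImapEnabled = $true;  PopEnabled = $false }
)
Test-LegacyMailProtocolPlan -Plan $samplePlans -Action Notify

# Against a live tenant (after Connect-ExchangeOnline):
#   Test-LegacyMailProtocolPlan -Plan (Get-CASMailboxPlan) -Action Enforce -WhatIf
```

Because the plans only govern new mailboxes, Get-CASMailbox can be used to review the per-mailbox ImapEnabled and PopEnabled values on mailboxes that already exist.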