Introduction #
Legacy email protocols such as POP and IMAP do not support modern authentication, so brute-force password spray attacks may succeed in breaching the tenant's mailboxes.
To best protect against this, we recommend you disable insecure legacy email protocols for all existing mailboxes.
This setting should be configured in conjunction with “Disable insecure legacy email protocols (eg SMTP, POP3, IMAP) – Default Setting for New Mailboxes”.
Licensing Requirement #
Any Exchange Online plan
User Impact #
Medium
Users who were connecting to mailboxes using these legacy protocols will be blocked from doing so after this setting is configured. We recommend you identify whether any users are authenticating with these protocols by checking the sign-in logs for legacy authentication before enabling this setting. To do so:
- Navigate to the Azure portal > Azure Active Directory > Sign-ins.
- Add the Client App column if it is not shown by clicking on Columns > Client App.
- Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
Admin Portal Reference #
- Sign in to the Exchange Admin Centre as an admin and navigate to Recipients > Mailboxes.
- In the result pane, select the user for which you want to enable or disable POP3, and then click Edit.
- In the User Mailbox dialog box, in the console tree, click Mailbox Features.
- In the result pane, under Email Connectivity, do one of the following:
  - To disable POP3 for the user, under POP3: Enabled, click Disable.
  - To disable IMAP4 for the user, under IMAP4: Enabled, click Disable.
- Click Save.
If Action is set to Notify #
We report the setting is compliant if the targeted mailbox has POP and IMAP protocols disabled.
We report the setting is non-compliant if the targeted mailbox has POP or IMAP protocols enabled.
If Action is set to Enforce #
We report the setting is compliant if the targeted mailbox has POP and IMAP protocols disabled.
We report the setting is compliant-fixed if the targeted mailbox had POP or IMAP protocols enabled but they were changed to disabled.
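
The same Notify and Enforce checks can be run across every existing mailbox from Exchange Online PowerShell instead of editing mailboxes one at a time in the admin centre. The script below is an added example, not this product's own code. It assumes the ExchangeOnlineManagement module is installed and a session is already open with Connect-ExchangeOnline; the function name and the output field names are hypothetical.

```powershell
# Added example. Requires an existing Connect-ExchangeOnline session.
# Invoke-LegacyProtocolCheck is a hypothetical name, not a built-in cmdlet.
function Invoke-LegacyProtocolCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Notify', 'Enforce')]
        [string]$Action = 'Notify'
    )

    # Get-CASMailbox exposes the per-mailbox protocol switches.
    foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
        $id       = [string]$mbx.PrimarySmtpAddress
        $legacyOn = $mbx.PopEnabled -or $mbx.ImapEnabled
        $state    = 'compliant'

        if ($legacyOn -and $Action -eq 'Notify') {
            # Notify: report only, change nothing.
            $state = 'non-compliant'
        }
        elseif ($legacyOn -and $Action -eq 'Enforce') {
            # Assumption: a mailbox that could not be changed (or a -WhatIf
            # run) is reported as non-compliant.
            $state = 'non-compliant'
            if ($PSCmdlet.ShouldProcess($id, 'Disable POP3 and IMAP4')) {
                Set-CASMailbox -Identity $id -PopEnabled $false -ImapEnabled $false
                # Re-read the mailbox so the report reflects the real state.
                $after = Get-CASMailbox -Identity $id
                if (-not ($after.PopEnabled -or $after.ImapEnabled)) {
                    $state = 'compliant-fixed'
                }
            }
        }

        [pscustomobject]@{
            Mailbox           = $id
            PopEnabledBefore  = $mbx.PopEnabled
            ImapEnabledBefore = $mbx.ImapEnabled
            State             = $state
        }
    }
}

# Report-only pass: list the mailboxes that still allow POP or IMAP.
Invoke-LegacyProtocolCheck -Action Notify |
    Where-Object State -ne 'compliant' |
    Format-Table -AutoSize
```

Running `Invoke-LegacyProtocolCheck -Action Enforce -WhatIf` previews which mailboxes would be changed before anything is written.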