Overview

An Exchange authentication policy specifies which protocols users can sign in with to access various services. To counter brute-force password spray attacks, which identify valid passwords by monitoring the Exchange server's responses to sign-in attempts, many organizations are opting to disable authentication over legacy protocols such as POP, IMAP, SMTP, etc.

The process described in this article will allow you to assign an existing policy to a user in your Azure Active Directory domain.

Prerequisites

Prior to attempting this operation, you must have the following:
  1. Exchange Online PowerShell V2 installed
  2. An authentication policy already created
  3. Access to an administrative account with sufficient privileges to modify user objects

Description

Replace [strings in brackets] with actual values for your organization.
  1. Run Exchange PowerShell V2
  2. Sign in to the tenant with the following command:
    1. Connect-ExchangeOnline -UserPrincipalName [adminaccount@company.onmicrosoft.com]
  3. Verify user's current authentication policy
    1. get-user [alias@company.org] | ft name,authenticationpolicy
  4. Set user's desired authentication policy (["authentication policy name"])
    1. set-user -identity [alias@company.org] -authenticationpolicy ["authentication policy name"]
  5. Verify policy change took place:
    1. get-user [alias@company.org] | ft name,authenticationpolicy
Repeat steps 4-5 for each user, or pipe a list of users from a CSV.

Note that typical policy changes take effect within 24 hours. To make changes immediate, run the following script:

Set-User -Identity [alias@company.org] -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
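
The steps above applied to a list of users piped from a CSV, as an added example that is not part of the original article. The file name users.csv, its UserPrincipalName column, the output file name and the policy name "Block Basic Auth" are assumptions; run it in a session already connected to the tenant.

```powershell
# Added example: bulk-assign one authentication policy to users listed in a CSV.
# Assumptions (not from the article): users.csv has a header row with a
# UserPrincipalName column; "Block Basic Auth" stands in for your policy name.
$CsvPath    = '.\users.csv'
$PolicyName = 'Block Basic Auth'
$ApplyNow   = $false   # $true also resets refresh tokens so the change is immediate

# Stop before touching any user if the policy name does not resolve.
$null = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction Stop

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = $row.UserPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) { continue }   # skip blank rows
    $upn    = $upn.Trim()
    $before = $null
    try {
        # Step 3: record the policy the user has now.
        $before = (Get-User -Identity $upn -ErrorAction Stop).AuthenticationPolicy

        # Step 4: assign the desired policy.
        Set-User -Identity $upn -AuthenticationPolicy $PolicyName -ErrorAction Stop

        if ($ApplyNow) {
            Set-User -Identity $upn -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) -ErrorAction Stop
        }

        # Step 5: read the value back instead of assuming the change applied.
        $after = (Get-User -Identity $upn -ErrorAction Stop).AuthenticationPolicy
        [pscustomobject]@{ User = $upn; Before = $before; After = $after; Error = $null }
    }
    catch {
        # One bad row (typo, deleted account) must not abort the rest of the list.
        [pscustomobject]@{ User = $upn; Before = $before; After = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Keep failures in a file so they can be corrected and re-run.
$failed = @($results | Where-Object Error)
if ($failed.Count -gt 0) {
    $failed | Export-Csv -Path '.\policy-failures.csv' -NoTypeInformation
}
```

The Before and After columns show each user's policy as Get-User reports it, so any account that kept its old value or raised an error stands out before you move on.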

Reference

  1. About the Exchange Online PowerShell V2 module | Microsoft Docs
  2. Disable Basic authentication in Exchange Online | Microsoft Docs