Automatically Disable POP3 & IMAP in Office 365

?Office 365 automatically enables IMAP for Kiosk (Deskless) accounts, and both POP3 and IMAP for Enterprise accounts.  Mailbox protocols can be disabled using EMC connected to the O365 remote forest or through a remote PowerShell session.  However, this is a manual process that requires an administrator to configure each mailbox after it has been provisioned.  For on-premise Exchange, I’ve often used a scheduled task which automatically disables POP3 and/or IMAP protocols based on group membership.  So, I set out to duplicate this functionality for O365…

The script will first need to connect to O365:

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri “” -Credential $Credential -Authentication Basic –AllowRedirection

$ImportResults = Import-PSSession $Session

The groups which contain the users that should be enabled for POP3 and/or IMAP need to be identified.  A remote PowerShell session includes the Get-Group cmdlet.  But, this only seems to return mail-enabled groups and distribution lists.  In my case, the POP3 and IMAP groups are security groups synchronized to O365.  Therefore, I had to download and install the Microsoft Online Services Module for PowerShell which gave me access to Get-MSOLGroup cmdlet to query security groups.  In order to utilize the MSOL cmdlets, I must now import and connect the module from within the script:

Import-Module MSOnline

Connect-MSOLService -Credential $Credential

With the MSOL module loaded, I can now query the O365 security groups (in my case “POP3-Users” and “IMAP-Users”) whose members should be enabled for POP3 and/or IMAP access:

$PopGroup = Get-MSOLGroup -All | Where-Object {$_.DisplayName -eq “POP3-Users”}

$ImapGroup = Get-MSOLGroup -All | Where-Object {$_.DisplayName -eq “IMAP-Users”}

And from the groups, we can identify the individual members:

$EnablePOP = Get-MSOLGroupMember -GroupObjectId $PopGroup.ObjectId -All | Select-Object -ExpandProperty DisplayName

$EnableImap = Get-MSOLGroupMember -GroupObjectId $ImapGroup.ObjectId -All | Select-Object -ExpandProperty DisplayName

Finally, we will collect all the mailboxes currently provisioned in O365:

$Mailboxes = Get-Mailbox -ResultSize Unlimited

With all the variables defined, we will now increment through each of the mailboxes and determine if the account is a member of the POP3 or IMAP group.  If we find a match in either group, then the appropriate mailbox protocol(s) will be enabled.  Otherwise, both POP3 and IMAP will be disabled:

ForEach ($Mailbox in $Mailboxes) {
  If ($EnablePop -Contains $Mailbox) {
$Mailbox | Set-CASMailbox -PopEnabled $True }
Else {
$Mailbox | Set-CASMailbox -PopEnabled $False }
If ($EnableImap -Contains $Mailbox) {
$Mailbox | Set-CASMailbox -ImapEnabled $True }
Else {
$Mailbox | Set-CASMailbox -ImapEnabled $False }}

    As a best practice, we will disconnect from the remote session when the script is complete:

Remove-PSSession $Session

The functionality of the script is now complete and should work great by running it manually and entering O365 admin credentials when prompted.  However, I want the script to run automatically as a daily scheduled task without having to enter credentials.  Therefore, I must securely store my password so that I can call it into the script.  The following commands are not part of the final script and should be typed in a local PowerShell session while logged on to the computer as the user account which will run the scheduled task.  Only the account that creates the password file can decrypt the password file.  In my case, I’m logged on to the machine as Administrator and that will be the account used to run the scheduled task:

$Credential = Get-Credential

$Credential.Password | ConvertFrom-SecureString | Set-Content “c:\o365\remoteps.pwd”

I’ll modify the script to retrieve the stored password instead of prompting for credentials:

$Credential = Get-Credential

$Username = “

$Password = Get-Content c:\o365\remoteps.pwd | ConvertTo-SecureString

$Credential = New-Object System.Management.Automation.PSCredential($Username,$Password)

We should now be able to run the script manually with no authentication prompts.  So, let’s create a new scheduled task:

  1. From Administrative Tools, run Task Scheduler and select Create Task.
  2. On the General tab, type a friendly name and description for the task.
  3. Click Change User or Group button and specify the account under which the secure O365 password was created.
  4. Select “Run whether user is logged on or not” and enable “Run with highest privileges”.
  5. On the Triggers tab, click New and define a schedule for when the task will run.
  6. On the Actions tab, click New and type “powershell.exe” as the Program/Script name and add the following arguments:  -file “c:\o365\ScriptName.ps1”
  7. Save Scheduled Task

I have the script scheduled to run from the on-premise Exchange 2010 coexistence server.  However, it can be scheduled to run from any computer on which PowerShell and the MSOL module can be installed.  RjZ

Comments (7)

  1. V says:

    Password = Get-Content c:o365_scriptsremoteps.pwd | ConvertTo-SecureString Need to change this line to c:o365, the path is incorrect, as you save the pwd file in c:o365

  2. Brian Williams says:

    How could you use this script, excluding one specific user?

  3. Just Some Guy says:

    $Mailboxes = Get-Mailbox -ResultSize Unlimited | where {$_.alias -ne "alias-of-user-to-exclude"}

  4. Vamshi says:

    I want to disable POP/IMAP access only to the users in a distribution group when I tried this script it is trying to disable for all the users. Is there any way I can modify this script.

  5. joep says:

    Wil this also run for a tenant with 20K users?

  6. Jeremy Bradshaw says:

    You make my day:) <3