
How to set up Exchange Online modern authentication


How to set up a new authentication policy with PowerShell

It is highly recommended to use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell to perform these types of modifications.

The following example creates an authentication policy named “Test Group” that blocks legacy authentication methods for multiple protocols — this forces any users with this policy to sign in with modern authentication across the numerous Microsoft 365 services:

New-AuthenticationPolicy -Name "Test Group" -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop -BlockLegacyAuthRpc -BlockLegacyAuthWebServices

To assign the authentication policy to a specific user, run the following command:

Set-User -Identity [email protected] -AuthenticationPolicy "Test Group"

If tenant administrators decide to make a specific policy the default for the entire organization, then they can execute the following command:

Set-OrganizationConfig -DefaultAuthenticationPolicy "Test Group"

There is a 24-hour delay before a new or updated policy takes effect for users. This is a default setting in Exchange Online. To make the policy apply immediately, run the following command:

Set-User -Identity [email protected] -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

To keep track of the authentication policies in the tenant, run the following command:

Get-AuthenticationPolicy | Format-Table Name -Auto

For detailed information about a single policy, pass the name of the policy to the following PowerShell command:

Get-AuthenticationPolicy -Identity "Test Group"
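
To check that the per-user and organization-default assignments described above leave no account open to legacy authentication, the policy and user listings can be cross-referenced. The following is an added example, not code from the original article: the function name Get-LegacyAuthExposure is hypothetical, the sample policies and users are constructed, and it assumes each policy object exposes its per-protocol settings as properties named AllowBasicAuth* or BlockLegacyAuth*.

```powershell
# Added example: list users whose effective authentication policy still permits legacy auth.
function Get-LegacyAuthExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,  # objects shaped like Get-AuthenticationPolicy output
        [Parameter(Mandatory)] [object[]] $Users,     # objects shaped like Get-User output
        [string] $DefaultPolicy                       # organization default policy name, empty if none
    )
    # Map each policy name to the protocols it leaves open to legacy (basic) authentication.
    $open = @{}
    foreach ($p in $Policies) {
        $open[$p.Name] = @(
            foreach ($prop in $p.PSObject.Properties) {
                if ($prop.Name -like 'AllowBasicAuth*' -and $prop.Value -eq $true) {
                    $prop.Name -replace '^AllowBasicAuth', ''
                }
                elseif ($prop.Name -like 'BlockLegacyAuth*' -and $prop.Value -eq $false) {
                    $prop.Name -replace '^BlockLegacyAuth', ''
                }
            }
        )
    }
    foreach ($u in $Users) {
        # A policy assigned to the user takes precedence over the organization default.
        $effective = if ($u.AuthenticationPolicy) { [string]$u.AuthenticationPolicy } else { $DefaultPolicy }
        $finding = $null
        if (-not $effective) { $finding = 'No authentication policy applies' }
        elseif (-not $open.ContainsKey($effective)) { $finding = 'Assigned policy not found' }
        elseif ($open[$effective].Count -gt 0) { $finding = 'Legacy auth allowed: ' + ($open[$effective] -join ', ') }
        if ($finding) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Policy = $effective; Finding = $finding }
        }
    }
}

# Constructed sample data standing in for live cmdlet output.
$policies = @(
    [pscustomobject]@{ Name = 'Test Group';  AllowBasicAuthImap = $false; AllowBasicAuthPop = $false }
    [pscustomobject]@{ Name = 'Legacy Apps'; AllowBasicAuthImap = $true;  AllowBasicAuthPop = $false }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; AuthenticationPolicy = 'Test Group' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   AuthenticationPolicy = 'Legacy Apps' }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; AuthenticationPolicy = $null }
)
Get-LegacyAuthExposure -Policies $policies -Users $users -DefaultPolicy '' | Format-Table -AutoSize
```

With the sample data, bob is reported because his policy allows Imap and carol because no policy applies to her. Against a live tenant the inputs would come from Get-AuthenticationPolicy, Get-User -ResultSize Unlimited and (Get-OrganizationConfig).DefaultAuthenticationPolicy; matching a user's AuthenticationPolicy value by policy name is an assumption of this example.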
Administrators can use the admin portal in Office 365 to adjust the modern authentication settings on the tenant.