Exchange Online to Deprecate Legacy TLS for POP3 and IMAP4

Removing Old and Potentially Insecure Legacy TLS Versions

As I’m sure you’re well aware, Microsoft is on a crusade to eliminate old and potentially insecure protocols from Microsoft 365. The most notable campaign right now is to eliminate Exchange Web Services (EWS) by May 2027. Removing EWS is tricky because the protocol is used in many different places, including Microsoft’s own clients. However, good progress is being made, and it seems likely that the date will be met.

On April 27, the Exchange team announced another step forward with their intention to deprecate legacy TLS and endpoints for POP3 and IMAP4 in Exchange Online. Legacy TLS means versions 1.0 and 1.1. In January 2023, Microsoft gave customers an opt-in endpoint to support POP3 and IMAP4 with legacy TLS.

At the time, the idea was that tenants could keep things going while preparing to move forward with updated clients. Thirty-nine months later, time has run out because Microsoft now say that they will block legacy TLS connections for POP3 and IMAP4 starting in July 2026. There must be a lot of hope that tenants which haven’t upgraded their clients since January 2023 will now swing into action to be ready for the turn-off in two months’ time.

Devices and Applications

Like the deprecation of basic authentication for the SMTP AUTH client submission protocol (delayed until the second half of 2027), devices might be the sticking point. It is relatively easy to upgrade POP3 or IMAP4 clients to work well with Exchange Online. It is often harder to update the code running on hardware devices, especially for older devices or when the device vendor is unhelpful.

The same is true for applications. Ideally, applications should move away from the obsolete POP3 and IMAP4 protocols to embrace the Microsoft Graph APIs. I know that’s easy to say when source code for an application is available and someone understands that code. It’s a lot more challenging when all you have is an application to upgrade.

Application and device vendors may be able to confirm that their products support TLS 1.2, perhaps with a configuration change. If so, the July 2026 deadline shouldn’t be an issue.

Finding Who Uses POP3 or IMAP4

It’s useful to know which mailboxes are enabled for POP3 or IMAP4. This doesn’t mean that the mailbox owner uses a POP3 or IMAP4 client, but they can if they want to. When I ran the command below for my tenant, I found a bunch of utility mailboxes (like room and shared mailboxes) and relatively few user mailboxes:

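# The start of this command is cut off on the page; Get-CasMailbox with a PopEnabled/ImapEnabled filter is an assumed reconstruction
[array]$Mailboxes = Get-CasMailbox -Filter {PopEnabled -eq $true -or ImapEnabled -eq $true} -ResultSize Unlimited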

$Mailboxes | Select-Object DisplayName, PrimarySMTPAddress

The utility mailboxes might be used by applications. User mailboxes are more likely to be accessed by real POP3 or IMAP4 clients, and a list of user mailboxes enabled for either protocol is a good starting point to communicate to end users about the upcoming deprecation.

Check Email App Usage Data

Before you spin up a communications campaign, check the usage reports in the Microsoft 365 admin center to discover if any POP3 or IMAP4 connections are registered. My data is shown in Figure 1. As I expected, my tenant has no trace of POP3 or IMAP4 usage over the last 30 days.

Figure 1: Email client app usage reported in the Microsoft 365 admin center

The email client usage information displayed by the Microsoft 365 admin center is available through the Graph usage reports API. These commands fetch usage data for the last 180 days (usage reports lag real time by at least two days):

$Uri = "https://graph.microsoft.com/v1.0/reports/getEmailAppUsageUserDetail(period='D180')"
Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject -OutputFilePath x.csv
$Data = Import-Csv x.csv

An email apps usage record looks like this (the personal data will be obfuscated unless the setting to show real data is on):

Report Refresh Date : 2026-04-27
User Principal Name : Tony.Redmond@office365itpros.com
Display Name        : Tony Redmond
Is Deleted          : False
Deleted Date        :
Last Activity Date  : 2026-04-27
Mail For Mac        :
Outlook For Mac     :
Outlook For Windows : ProPlus
Outlook For Mobile  : Undetermined
Other For Mobile    :
Outlook For Web     : Undetermined
POP3 App            :
IMAP4 App           :
SMTP App            :
Report Period       : 180

To check who’s using POP3 or IMAP4, filter the data to find where some value is present for the POP3 or IMAP4 properties:

$Data | Where-Object {(![string]::IsNullOrEmpty($_.'POP3 app'))} | Select-Object 'user principal name', 'POP3 App'

$Data | Where-Object {(![string]::IsNullOrEmpty($_.'IMAP4 app'))} | Select-Object 'user principal name', 'IMAP4 App'

If someone hasn’t used POP3 or IMAP4 over the last 180 days, you probably don’t need to worry about telling them that they need to check the TLS version used by their client. They’ll discover any lurking problems the next time they crank up a geriatric client using an antiquated protocol in an attempt to connect to a modern cloud email service.
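The two checks above can be combined into one triage list. This is an added example, not code from the original post: the sample rows, addresses and app values are constructed, and it assumes each mailbox's user principal name matches its primary SMTP address.

```powershell
# Constructed sample data, not output from a real tenant.
# $Usage mimics usage report rows (same column names as the record shown above).
# With live data, use $Data from Import-Csv instead.
$Usage = @'
User Principal Name,Last Activity Date,POP3 App,IMAP4 App
kim.akers@contoso.example,2026-04-20,,Undetermined
lee.gu@contoso.example,2026-04-27,,
scanner@contoso.example,2025-12-02,Undetermined,
'@ | ConvertFrom-Csv

# $Enabled mimics the mailboxes found to be enabled for POP3 or IMAP4.
$Enabled = @'
DisplayName,PrimarySmtpAddress
Kim Akers,kim.akers@contoso.example
Lee Gu,lee.gu@contoso.example
Scanner Mailbox,scanner@contoso.example
Room 101,room101@contoso.example
'@ | ConvertFrom-Csv

# Index usage rows by UPN (assumption: UPN equals the primary SMTP address).
# PowerShell hashtable keys are case-insensitive, so address casing does not matter.
$UsageByUpn = @{}
foreach ($Row in $Usage) { $UsageByUpn[$Row.'User Principal Name'] = $Row }

$Report = foreach ($Mbx in $Enabled) {
    $Row = $UsageByUpn[$Mbx.PrimarySmtpAddress]
    $Protocols = @()
    if ($Row -and -not [string]::IsNullOrEmpty($Row.'POP3 App'))  { $Protocols += 'POP3' }
    if ($Row -and -not [string]::IsNullOrEmpty($Row.'IMAP4 App')) { $Protocols += 'IMAP4' }

    # Decide what follow-up the mailbox needs before the legacy TLS block.
    if ($Protocols.Count -gt 0) { $Action = 'Contact owner: confirm client supports TLS 1.2' }
    elseif ($Row)               { $Action = 'Enabled, no POP3/IMAP4 use in report period' }
    else                        { $Action = 'Enabled, not present in usage report' }

    [PSCustomObject]@{
        Mailbox      = $Mbx.PrimarySmtpAddress
        Protocols    = $Protocols -join ','
        LastActivity = if ($Row) { $Row.'Last Activity Date' } else { '' }
        Action       = $Action
    }
}

# Mailboxes with recorded POP3/IMAP4 activity sort to the top.
$Report | Sort-Object { $_.Protocols -eq '' }, Mailbox | Format-Table -AutoSize
```

Mailboxes that are enabled but absent from the usage report, such as the room mailbox in the sample, are worth a separate look because an application may still depend on them.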



One Reply to “Exchange Online to Deprecate Legacy TLS for POP3 and IMAP4”

  1. Looks like some of the code is missing from the “Finding Who Uses POP3 or IMAP4”.
