How to Create Retention Labels, Disable POP/IMAP, and Set Password Expiration Policies in Microsoft 365

By /
Modern Methods for Retention Labels, POP/IMAP Blocking, and Password Policy in Microsoft 365

Microsoft 365 has evolved a lot in how organizations manage data retention, authentication, and password policies. Features that once required multiple portals or PowerShell scripts can now be managed more efficiently through Microsoft Purview, Entra ID, and the Microsoft 365 Admin Center.
Here’s a practical look at how to handle three key areas today using modern tools and best practices.

1. Create and Publish Retention Labels in Microsoft Purview

Retention labels help enforce compliance by automatically keeping or deleting content after a specific time. The modern Microsoft Purview portal offers a cleaner, more automated experience for managing retention across Exchange, SharePoint, OneDrive, and Teams.

What’s New

  • Unified Purview Portal: Labels are now managed under Solutions → Data Lifecycle Management → Retention labels.
  • Adaptive Scopes: You can target users, groups, or sites dynamically without manual selection.
  • Event-Based Retention: Start retention when a business event (like project closure) occurs.
  • Automation via Power Automate: Labels can now trigger flows when retention ends, supporting custom approval or archival workflows.

Steps to Create and Publish a Retention Label

  1. Sign in: Go to Microsoft Purview as a Compliance or Records Administrator.
  2. Create Label:
    • Navigate to Data Lifecycle Management → Retention Labels → Create label.
    • Add a name, description, and define what to do after the retention period: retain, delete, or review.
    • Set the duration and trigger point (e.g., creation date, last modified, or event trigger).
  3. Publish the Label:
    • Go to Label policies → Publish labels.
    • Choose labels to include and select Static or Adaptive scope.
    • Define where to apply (Exchange, SharePoint, OneDrive, Teams).
    • Save and publish.
  4. Validation:
    • Verify labels appear in Outlook, SharePoint, or Teams.
    • Check Compliance reports to confirm retention is applied correctly.

Best Practices

  • Use descriptive, compliance-friendly label names (e.g., Finance 7-Year Retention).
  • Prefer Adaptive scopes for scalability.
  • Use Power Automate to handle special review or notification processes.
  • Review retention settings annually as policies evolve.

Example:
A finance department must retain emails for seven years. You create a “Finance 7-Year Retention” label and publish it via an adaptive policy targeting finance mailboxes. After seven years, messages are automatically deleted, meeting compliance rules.

2. Disable Legacy POP and IMAP Access in Exchange Online

Legacy authentication protocols like POP and IMAP are no longer secure. Microsoft has disabled Basic Authentication for these protocols, but admins should verify that modern authentication (OAuth 2.0) is enforced and legacy access is fully blocked.

What’s New

  • Basic Authentication is deprecated — cannot be re-enabled.
  • Conditional Access now allows blocking legacy clients via Entra ID policies.
  • Modern Authentication is the default for Outlook and OWA connections.

How to Block Legacy Protocols

Option 1: Use Conditional Access (Recommended)

  1. Sign in to the Entra ID PortalSecurity → Conditional Access.
  2. Create a New policy.
  3. Under Assignments, choose Users and groupsAll users (or specific).
  4. Under Cloud apps or actions, choose All cloud apps.
  5. Under Conditions → Client apps, select Other clients (legacy).
  6. Under Access controls → Grant, choose Block access.
  7. Save and enable the policy.

Option 2: Verify via Exchange PowerShell

Connect-ExchangeOnline

# Check mailbox protocol status
Get-CASMailbox -ResultSize Unlimited | Select Name,PopEnabled,ImapEnabled

# Disable if needed
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false

Validation

  • Attempt POP/IMAP connection—it should fail.
  • Confirm Outlook and OWA still function normally using Modern Auth.
  • Review Entra sign-in logs for blocked legacy authentication attempts.

Best Practices

  • Block all legacy authentication methods, not just POP/IMAP.
  • Combine with MFA and Conditional Access.
  • Monitor sign-in logs regularly for old clients.
  • Communicate changes to end users before enforcement.

Example:
An organization found users connecting through outdated email apps. After deploying a Conditional Access policy to block legacy authentication, only Outlook and OWA connections remained active — both protected by MFA and Intune compliance rules.

3. Modern Password Expiration Policies in Microsoft 365

Password expiration used to be a cornerstone of account security. Microsoft’s updated security model now recommends eliminating forced password resets in favor of strong multi-factor authentication (MFA) and password protection features.

What’s New

  • Microsoft no longer recommends periodic password expiration.
  • Modern security controls like risk-based Conditional Access, MFA, and password protection provide stronger defense.
  • Admins can still enable expiration if needed for compliance or hybrid environments.

Configure via Microsoft 365 Admin Center

  1. Sign in to Microsoft 365 Admin Center.
  2. Go to Settings → Org settings → Security & privacy → Password expiration policy.
  3. Choose either:
    • Set passwords to expire after a specific number of days (e.g., 90).
    • Or uncheck the box to set passwords to never expire.
  4. Save the configuration.

Optional PowerShell Configuration

Connect-MsolService

# Enable password expiration
Set-MsolUser -UserPrincipalName user1@contoso.com -PasswordNeverExpires $false

# Organization-wide password policy
Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName contoso.com

Best Practices

  • Instead of password expiration, use:
    • MFA to protect all accounts.
    • Conditional Access to assess sign-in risk.
    • Password protection policies to block weak passwords.
  • Document your approach — if passwords never expire, justify with compensating controls like MFA and device compliance.

Example:
A company enables MFA and Conditional Access for all users and disables password expiration. They reduce support tickets for forgotten passwords while maintaining strong protection through modern authentication.

Final Thoughts

Microsoft’s modern management approach simplifies security and compliance across Microsoft 365:

  • Retention Labels are smarter, adaptive, and automation-friendly.
  • POP/IMAP Blocking enforces secure authentication methods by default.
  • Password Policy now focuses on MFA and conditional access rather than frequent resets.

Adopting these updated methods helps keep your organization compliant, secure, and aligned with Microsoft’s zero-trust model.

Tags: Microsoft 365, Microsoft Purview, Retention Labels, POP IMAP, Conditional Access, Password Expiration, MFA, Security, Compliance, Entra ID, Intune, Modern Authentication

LinkedInCopyPinterestRedditTelegram

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by
Scroll to Top