For the steps to follow I can recommend this guide from Practice Protect and this one from Microsoft.
There is some confusion about the way that these commands are implemented, with inconsistent behaviour noted, so it’s sensible to follow all of the advice even when it seems redundant.
Example: The documentation says to run these commands:
(to find the name of the existing authentication policy).
Replace <AuthenticationPolicyName> with the value from the previous step, and then run the following command:Set-AuthenticationPolicy -Identity "<AuthenticationPolicyName>" -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthOutlookService:$false
The previous command affects new mailboxes that you’ll create, but not existing mailboxes. To apply the policy to existing mailboxes, use the <AuthenticationPolicyName> value…
Testing reveals that on an IMAP connection to a mailbox this setting sometimes blocks existing accounts and sometimes it doesn’t. Other Universities’ IT Staff have reported a similar outcome: testing with Thunderbird occasionally permitting mailbox access after multiple connection attempts. In other words these settings variably affect existing accounts, contrary to the guidance.
The sensible solution seems to be to disregard any odd outcomes you may observe during testing and simply follow the published guidance as if no anomalous behaviour was noted: set a DefaultAuthenticationPolicy at the organisation level and set an AuthenticationPolicy on every user.
Thanks to SysAdmins at UEA and University of Dundee for their observations on the Jiscmail mailing list which contributed to this post.