POP/IMAP client authentication fails if X-MS-Client-Application in the AD FS claim rule is set to Microsoft.Exchange.PopImap
Original KB number: 3107357
Symptoms
Consider the following scenario:
- You're using Active Directory Federation Services (AD FS) for POP and IMAP client access authentication.
- You have a claim rule to block access if the value of the X-MS-Client-Application claim type is not Microsoft.Exchange.PopImap.
These settings previously worked as expected. However, you recently noticed that POP and IMAP clients fail to authenticate even though the correct user name and password are used.
Additionally, if you examine the AD FS access log, you may see entries that resemble the following:
[<Date><Time>] "POST /microsoftonline/ws-username HTTP/1.1" 403 ... "Microsoft.Exchange.Imap"
[<Date><Time>] "POST /microsoftonline/ws-username HTTP/1.1" 403 ... "Microsoft.Exchange.Pop"
Cause
A change was made recently in the service to separate POP and IMAP authentication. Instead of Microsoft.Exchange.PopImap, the value that's sent in the X-MS-Client-Application header is Microsoft.Exchange.Imap or Microsoft.Exchange.Pop.
Resolution
In the existing claim rule, replace the X-MS-Client-Application value Microsoft.Exchange.PopImap with Microsoft.Exchange.Imap and Microsoft.Exchange.Pop, so that the rule matches both of the values that are now sent.
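One way to apply this change from PowerShell on the AD FS server, as an added example that is not part of the original article. It assumes the relying party trust name shown, a backup path chosen for illustration, and an authorization rule that tests the claim with an exact Value == "Microsoft.Exchange.PopImap" condition; if your rule has a different shape, the script leaves it unchanged.

```powershell
# Added example, not Microsoft's own script.
# Assumed shape of the existing rule (constructed for illustration):
#   NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application",
#               Value == "Microsoft.Exchange.PopImap"])
#   => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

$trustName = 'Microsoft Office 365 Identity Platform'          # assumption: adjust to your trust name
$backup    = Join-Path $env:TEMP 'adfs-authz-rules.bak.txt'    # hypothetical backup location

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found." }

# Keep a copy of the current rule set so the change can be rolled back.
$current = $trust.IssuanceAuthorizationRules
Set-Content -Path $backup -Value $current -Encoding UTF8

# Match only the exact-equality condition on the retired value.
$oldCondition = 'Value\s*==\s*"Microsoft\.Exchange\.PopImap"'

# Claim rule regex match (=~) on the two new values. The ^ and $ anchors keep the
# condition from also accepting longer strings that merely contain one of them.
# "$$" is the -replace escape for a literal "$" in the output.
$newCondition = 'Value =~ "^Microsoft\.Exchange\.(Imap|Pop)$$"'

if ($current -notmatch $oldCondition) {
    Write-Warning 'No exact condition on Microsoft.Exchange.PopImap found; rules left unchanged.'
    return
}

$updated = $current -replace $oldCondition, $newCondition
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceAuthorizationRules $updated

# Print the stored rules to confirm the new condition is in place.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceAuthorizationRules
```

After the change, the 403 entries for Microsoft.Exchange.Imap and Microsoft.Exchange.Pop should stop appearing in the AD FS access log for valid sign-ins.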
More information
For more information, see the following resources:
- Limiting access to Microsoft 365 services based on the location of the client
- Configuring client access policies