- You're using Active Directory Federation Services (AD FS) for POP and IMAP client access authentication.
- You have a claim rule to block access if the value of the X-MS-Client-Application claim type is not Microsoft.Exchange.PopImap.
Additionally, if you examine the AD FS access log, you may see entries that resemble the following:
[<Date><Time>] "POST /microsoftonline/ws-username HTTP/1.1" 403 ... "Microsoft.Exchange.Pop"
- Limiting access to Office 365 services based on the location of the client
- Configuring client access policies
Article ID: 3107357 - Last Review: Dec 30, 2016 - Revision: 1