Get-AuthenticationPolicy
This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
Use the Get-AuthenticationPolicy cmdlet to view authentication policies in your organization. For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Get-AuthenticationPolicy
[[-Identity] <AuthPolicyIdParameter>]
[-AllowLegacyExchangeTokens]
[-TenantId <String>]
[<CommonParameters>]
Description
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
Get-AuthenticationPolicy | Format-Table -Auto Name
This example returns a summary list of all authentication policies.
Example 2
Get-AuthenticationPolicy -Identity "Engineering Group"
This example returns detailed information for the authentication policy named Engineering Group.
Example 3
Get-AuthenticationPolicy -AllowLegacyExchangeTokens
In Exchange Online, this example returns whether legacy Exchange tokens for Outlook add-ins are allowed in the organization.
Parameters
-AllowLegacyExchangeTokens
This parameter is available only in the cloud-based service.
The AllowLegacyExchangeTokens switch specifies whether legacy Exchange tokens are allowed for Outlook add-ins in your organization. You don't need to specify a value with this switch.
Legacy Exchange tokens include Exchange user identity and callback tokens.
Important:
- The AllowLegacyExchangeTokens switch returns Not Set if tokens haven't been explicitly allowed or blocked in your organization using the AllowLegacyExchangeTokens or BlockLegacyExchangeTokens parameters on the Set-AuthenticationPolicy cmdlet. For more information, see Get the status of legacy Exchange Online tokens and add-ins that use them.
- As of February 17 2025, legacy Exchange tokens are blocked by default in all cloud-based organizations. Although tokens are blocked by default, the AllowLegacyExchangeTokens switch still returns Not Set if you haven't used the AllowLegacyExchangeTokens or BlockLegacyExchangeTokens parameters on the Set-AuthenticationPolicy cmdlet. For more information, see Nested app authentication and Outlook legacy tokens deprecation FAQ.
Type: | SwitchParameter |
Position: | Named |
Default value: | True |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |
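The Not Set behavior described in the Important notes above can be turned into an audit check. This is an added example, not part of the original documentation: Resolve-LegacyTokenStatus is a hypothetical helper, and the "True"/"False" text for an explicit setting is an assumption (only Not Set is stated on this page).

```powershell
# Added example, not Microsoft's code. Resolve-LegacyTokenStatus is a hypothetical helper.
# Assumption: an explicit setting is shown as "True" (allowed) or "False" (blocked);
# only the "Not Set" value is documented on this page.
function Resolve-LegacyTokenStatus {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$StatusText
    )

    if ($StatusText -match '\bNot\s+Set\b') {
        # Neither AllowLegacyExchangeTokens nor BlockLegacyExchangeTokens was used
        # on Set-AuthenticationPolicy, so the service default (blocked) applies.
        $configured = 'NotSet'
        $effective  = 'Blocked'
        $source     = 'Service default'
    }
    elseif ($StatusText -match '\bTrue\b') {
        $configured = 'Allowed'; $effective = 'Allowed'; $source = 'Explicit setting'
    }
    elseif ($StatusText -match '\bFalse\b') {
        $configured = 'Blocked'; $effective = 'Blocked'; $source = 'Explicit setting'
    }
    else {
        # Unrecognised text: report it rather than guessing a state.
        $configured = 'Unknown'; $effective = 'Unknown'; $source = 'Unparsed output'
    }

    [pscustomobject]@{
        Configured  = $configured
        Effective   = $effective
        Source      = $source
        NeedsReview = $effective -ne 'Blocked'   # explicit allow or unparsed output
    }
}

# Constructed sample strings standing in for the cmdlet's output.
$samples = 'AllowLegacyExchangeTokens: Not Set',
           'AllowLegacyExchangeTokens: True',
           'AllowLegacyExchangeTokens: False',
           ''
$samples | ForEach-Object { Resolve-LegacyTokenStatus -StatusText $_ } | Format-Table -AutoSize

# Against a live Exchange Online session:
# Resolve-LegacyTokenStatus -StatusText (Get-AuthenticationPolicy -AllowLegacyExchangeTokens | Out-String)
```

A NotSet result is reported as effectively blocked because of the default that took effect on February 17 2025; it still means no one has recorded an explicit decision with Set-AuthenticationPolicy.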
-Identity
The Identity parameter specifies the authentication policy you want to view. You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: | AuthPolicyIdParameter |
Position: | 0 |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Server 2019, Exchange Online, Exchange Online Protection |
-TenantId
This parameter is available only in the cloud-based service.
{{ Fill TenantId Description }}
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Exchange Online Protection |