Hello,
Yes, this is the expected behavior for accounts that are not already present on the Axigen side.
Only when the session is authenticated via an unsecured method will Axigen have the opportunity to 1/ extract the password and 2/ validate the password against the legacy email service from which the migration should be done.
Thus, we highly recommend using only SSL-enforced listeners (for example, only :993 for your IMAP service) and disabling all secured methods, at least during the migration time.
HTH,
Ioan
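
An added example, not part of the reply above and not Axigen code: a check of what an IMAP listener advertises before a migration window. It assumes "unsecured method" means a mechanism in which the client sends the password itself (AUTH=PLAIN, AUTH=LOGIN, the LOGIN command) and "secured methods" means every other SASL mechanism; the function names and the sample CAPABILITY lines are constructed.

```python
import re

# Assumption: only these SASL mechanisms hand the server the password itself.
PASSWORD_CARRYING = {"PLAIN", "LOGIN"}


def parse_capabilities(line):
    """Return upper-cased capability tokens from an IMAP greeting or
    untagged CAPABILITY response (RFC 3501 syntax)."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    return [tok.upper() for tok in m.group(1).split()]


def audit_listener(line, tls_active):
    """Classify the advertised login methods and list what conflicts with
    the advice in the reply (TLS-only listener, password-carrying auth only)."""
    caps = parse_capabilities(line)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    carrying = sorted(mechs & PASSWORD_CARRYING)
    if "LOGINDISABLED" not in caps:
        carrying.append("LOGIN command")  # plain IMAP LOGIN is allowed
    other = sorted(mechs - PASSWORD_CARRYING)

    problems = []
    if not tls_active:
        problems.append("password-carrying login would cross the wire without TLS")
    if other:
        problems.append("clients may pick " + ", ".join(other)
                        + ", which never gives the server the password")
    if not carrying:
        problems.append("no password-carrying login method is offered")
    return {"password_carrying": carrying, "other": other, "problems": problems}


# Constructed sample responses (not captured from a real server).
SAMPLE_993 = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
SAMPLE_143 = ("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN "
              "LOGINDISABLED] ready")

if __name__ == "__main__":
    for label, line, tls in (("993", SAMPLE_993, True), ("143", SAMPLE_143, False)):
        print(label, audit_listener(line, tls))
```
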