For the PowerShell remediation, do I change all non-admin user accounts using Get-User | Set-User, or can it be just users with a mailbox? The instructions given at:
https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps&viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user
have a couple of suggestions like Get-Mailbox | Get-User, but that will not get users that are in Exchange Online. I tested with an Exchange Online account and they are able to remotely connect to Exchange PowerShell. I also tested with a user that does not have a mailbox and they are able to connect like this:
$Exchange2013PSSession = New-PSSession -Name ConnectToExchange2013 -ConfigurationName Microsoft.Exchange -ConnectionUri http://n060xcas01/Powershell/Powershell
import-module (Import-PSSession $Exchange2013PSSession -AllowClobber) -Global
They were able to connect but they could not run any commands. Is just connecting enough to leverage the vulnerabilities?
Get-User -ResultSize Unlimited -Filter "(RecipientType -eq 'UserMailbox')" is another suggestion, with the same result.
Should we use the Get-User command to get all the users?
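
An added example, not part of the original post: one way to compare the two scopes discussed above by reporting which accounts still have RemotePowerShellEnabled set and which of them a mailbox-only filter would not select. The function name, the admin allow-list and the sample accounts are hypothetical; the sample objects are constructed to mimic the properties Get-User returns.

```powershell
# Added example. Takes objects shaped like Get-User output and reports every
# account that still has remote PowerShell enabled, flagging those that a
# "RecipientType -eq 'UserMailbox'" filter would not select.
function Get-RemotePSExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,

        # Hypothetical allow-list: admin accounts that are meant to keep access.
        [string[]]$AdminAllowList = @()
    )
    process {
        if (-not $User.RemotePowerShellEnabled) { return }          # already disabled
        if ($AdminAllowList -contains $User.SamAccountName) { return } # intended admin

        [pscustomobject]@{
            SamAccountName        = $User.SamAccountName
            RecipientTypeDetails  = $User.RecipientTypeDetails
            MissedByMailboxFilter = ($User.RecipientType -ne 'UserMailbox')
        }
    }
}

# Constructed sample data standing in for: Get-User -ResultSize Unlimited
$sample = @(
    # on-premises mailbox user
    [pscustomobject]@{ SamAccountName = 'alice';   RecipientType = 'UserMailbox'
                       RecipientTypeDetails = 'UserMailbox';       RemotePowerShellEnabled = $true }
    # mailbox hosted in Exchange Online (appears on-premises as a mail user)
    [pscustomobject]@{ SamAccountName = 'bob';     RecipientType = 'MailUser'
                       RecipientTypeDetails = 'RemoteUserMailbox'; RemotePowerShellEnabled = $true }
    # account with no mailbox at all
    [pscustomobject]@{ SamAccountName = 'carol';   RecipientType = 'User'
                       RecipientTypeDetails = 'User';              RemotePowerShellEnabled = $true }
    # admin account that keeps access
    [pscustomobject]@{ SamAccountName = 'exadmin'; RecipientType = 'UserMailbox'
                       RecipientTypeDetails = 'UserMailbox';       RemotePowerShellEnabled = $true }
    # account already remediated
    [pscustomobject]@{ SamAccountName = 'dave';    RecipientType = 'UserMailbox'
                       RecipientTypeDetails = 'UserMailbox';       RemotePowerShellEnabled = $false }
)

$report = $sample | Get-RemotePSExposure -AdminAllowList 'exadmin'
$report | Format-Table -AutoSize

$missed = @($report | Where-Object MissedByMailboxFilter)
"{0} of {1} exposed accounts are outside the mailbox-only filter" -f $missed.Count, @($report).Count
```

In the Exchange Management Shell, the same function can be fed from Get-User -ResultSize Unlimited instead of $sample, and the report reviewed before anything is changed with Set-User.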