Protect Ex2016 OWA with Azure MFA, with ADFS federation (2016)

  • Question

  • Hi,

    We have Exchange 2016 on-prem and would like to protect OWA and ECP with Azure MFA (without using the on-prem MFA server).

    We have an ADFS server (2016) and the users have a federated identity.

    What steps do I need to take to enable MFA for use with OWA and ECP?

    I found an article that looks like a good start: http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/

    Only this is based on ADFS 2012R2 and Exchange 2013. Perhaps methods for ADFS 2016 and Ex2016 have changed / evolved in any way?

    Please give some advice on accomplishing this with ADFS 2016 and Ex 2016; or are the steps from the article still valid and best practice?

    Thanks.


    • Edited by Marzzie Thursday, December 6, 2018 1:23 PM
    Thursday, December 6, 2018 1:20 PM

Answers

  • Here is a link to get it done. It is applicable for Exchange 2016 and Exchange 2019.

    However, the method described on the msexchangeguru.com site is still valid for Exchange 2016.

    https://docs.microsoft.com/en-us/Exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019

    Thanks,

    Ashish

    Thursday, December 6, 2018 2:19 PM
  • Here is a link to get it done. It is applicable for Exchange 2016 and Exchange 2019.

    However, the method described on the msexchangeguru.com site is still valid for Exchange 2016.

    https://docs.microsoft.com/en-us/Exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019

    Thanks,

    Ashish

    Another option is publishing OWA/ECP using Azure AD App Proxy; then we could use cloud-based MFA with Azure AD.

    Similar link for reference: MFA on premises Exchange 2016.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Manu Meng Monday, December 10, 2018 10:06 AM
    • Marked as answer by Marzzie Tuesday, December 11, 2018 9:45 AM
    Friday, December 7, 2018 8:10 AM

All replies

  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards,

    Manu Meng



    Tuesday, December 11, 2018 9:38 AM
  • Thanks for the responses.

    I checked the option to use AD App Proxy, but it only seems to work for OWA and ECP, not EWS for example. At least, it is not supported by Microsoft. I voted for the suggestion: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13912968-can-azure-ad-application-proxy-be-used-for-publisi

    At this point in time we use the same URL for all Exchange services, so unfortunately Azure WAP is not a good option to implement MFA for on-prem Exchange.

    I think the best way for us is to use the on-prem WAP and ADFS to implement MFA for OWA and ECP, while keeping the other services on pass-through.

    Does this seem a logical conclusion?

    Tuesday, December 11, 2018 9:45 AM