Disallow proxied basic authentication from EAS/EWS from O365 to ADFS for native apps RRS feed

  • Question

  • Hi,

    when a user uses a non-ADAL compatible client application (e.g.  Exchange Active Sync, or Exchange Web Services), like the built-in mail client on iOS phones. In this case, there is no real ADAL happening but instead the username / password are sent to Exchange Web Services, and from there (somehow) redirected to my on-premise ADFS to validate them.

    As described here http://techgenix.com/exchange-online-identity-models-authentication-demystified-part3/ in the topic: "Basic Authentication (Basic Auth Profiles)"

    I want to disallow this case and want to make sure users cannot use any native, non ADAL, basic auth application like the built-in mail client in iOS to authenticate to my ADFS for Office 365.

    Is it possible to setup some client IP rules on ADFS to deny any authentication requests coming from O365 EWS source IPs? Or is O365 EWS using a special endpoint that i can disabled?


    Tuesday, June 27, 2017 8:49 PM

All replies