2 factor authentication

  • Question

  • Dear Experts,

    Is there a way we can configure 2 factor authentication on user mailboxes for on-premises Exchange 2016 onward? I can see we can easily configure it in Office 365. How can we achieve this in the on-premises Exchange model?

    Wednesday, May 20, 2020 1:30 PM

Answers

  • Yes, you can, and this is how you do it:

    Step 1: Configuration of MFA in Azure
    In this step, you have to combine Exchange 2016 OWA multi-factor authentication with a Windows RRAS server. When you are done with this, log in as a user enabled for MFA in the Azure MFA server, because you have to answer the phone before the connection is established. The following 4 major steps need to be performed for this step:

    a) Set up MFA in Microsoft Azure
    b) Install MFA server on-premises
    c) Configure a few users in Azure MFA server
    d) Configure the RRAS VPN server with the MFA server to use RADIUS for authentication.

    Step 2: Installation of MFA Server on-premises
    Half of this step will already be done in Step (1); the only difference is with OWA. The change is that you need to install MFA server on the Microsoft Exchange server where the two factor authentication procedure is taking place. For this, you can go through the following guidelines:

    a) Open the Server Manager screen and, in the features section, check that you have .NET 3.5 installed on the machine.
    b) When you are done with the installation, run the MFA Server administrative tools. They will appear in the Start menu of Windows, or appear automatically after a few minutes.
    c) Do not skip the current wizard; click on Next. You will be asked for permission to activate the server. You need to understand that activating the server connects it with your instances of Azure MFA. The email ID and password you need are provided by the vendor of Azure multi-factor authentication, which was used for configuration in Step (1). Now, click on Generate Activation Credentials on the Download page of the MS Azure MFA provider.
    d) The generated credentials remain valid for 10 minutes. Enter them into the configuration wizard of the MFA server and click on Next.
    e) This allows the MFA server to attempt the Exchange 2016 OWA 2 factor authentication process by reaching Azure over TCP 443.
    f) Choose the server group across which the configuration should be copied.

    For example: if you are installing the product on each Exchange CAS server, you might enter ‘Exchange Servers’ as the group name at the first installation and then select it during the installation procedure on the left servers. This configuration will be distributed among all the servers with the same group name. If you have already done the configuration setup, then it will have different user settings.

    For example: you might receive a phone call for authenticating the VPN connection, but use the application for OWA logins. This will require 2 configs with different server groups. If you require similar settings for all employees of a firm, then one group should be configured.

    g) If you want to keep a backup of your defined settings, then you have more than one instance of MFA server in the same group. Click on Yes.
    h) Choose the Outlook Web Access (OWA) option in the current wizard to continue with the Exchange 2016 two factor authentication procedure.
    i) Now it's time to select the authentication type. You can use the default of Form-based authentication, or go for any other type that suits your need.
    j) Mention the URL to OWA by browsing the OWA website over HTTPS.

    Step 3: Configure Users for Exchange 2016 OWA Multi-factor Authentication
    Import the list of users on which MFA in Exchange 2016 needs to be imposed. Select the Users area and then click on the Import button from Active Directory. Locate the settings for importing group members or organizational units, or search to append a user account. Check that your test users have the contact number imported from AD.

    Step 4: Configuration of OWA with MFA
    This is the last step in the Outlook Web Access two factor authentication procedure. You have to adjust the default HTTP configuration on the IIS Authentication node. This will ensure that each auth attempt is matched to a user mentioned in the list. If the user is present and is activated, then perform MFA. Otherwise, the Succeed Authentication settings need to be utilized for the same.

    I hope this helps!

    The Azure MFA on-prem server is no longer used.

    Wednesday, May 20, 2020 6:05 PM

All replies

  • Yes, you can, and this is how you do it:

    Step 1: Configuration of MFA in Azure
    In this step, you have to combine Exchange 2016 OWA multi-factor authentication with a Windows RRAS server. When you are done with this, log in as a user enabled for MFA in the Azure MFA server, because you have to answer the phone before the connection is established. The following 4 major steps need to be performed for this step:

    a) Set up MFA in Microsoft Azure
    b) Install MFA server on-premises
    c) Configure a few users in Azure MFA server
    d) Configure the RRAS VPN server with the MFA server to use RADIUS for authentication.

    Step 2: Installation of MFA Server on-premises
    Half of this step will already be done in Step (1); the only difference is with OWA. The change is that you need to install MFA server on the Microsoft Exchange server where the two factor authentication procedure is taking place. For this, you can go through the following guidelines:

    a) Open the Server Manager screen and, in the features section, check that you have .NET 3.5 installed on the machine.
    b) When you are done with the installation, run the MFA Server administrative tools. They will appear in the Start menu of Windows, or appear automatically after a few minutes.
    c) Do not skip the current wizard; click on Next. You will be asked for permission to activate the server. You need to understand that activating the server connects it with your instances of Azure MFA. The email ID and password you need are provided by the vendor of Azure multi-factor authentication, which was used for configuration in Step (1). Now, click on Generate Activation Credentials on the Download page of the MS Azure MFA provider.
    d) The generated credentials remain valid for 10 minutes. Enter them into the configuration wizard of the MFA server and click on Next.
    e) This allows the MFA server to attempt the Exchange 2016 OWA 2 factor authentication process by reaching Azure over TCP 443.
    f) Choose the server group across which the configuration should be copied.

    For example: if you are installing the product on each Exchange CAS server, you might enter ‘Exchange Servers’ as the group name at the first installation and then select it during the installation procedure on the left servers. This configuration will be distributed among all the servers with the same group name. If you have already done the configuration setup, then it will have different user settings.

    For example: you might receive a phone call for authenticating the VPN connection, but use the application for OWA logins. This will require 2 configs with different server groups. If you require similar settings for all employees of a firm, then one group should be configured.

    g) If you want to keep a backup of your defined settings, then you have more than one instance of MFA server in the same group. Click on Yes.
    h) Choose the Outlook Web Access (OWA) option in the current wizard to continue with the Exchange 2016 two factor authentication procedure.
    i) Now it's time to select the authentication type. You can use the default of Form-based authentication, or go for any other type that suits your need.
    j) Mention the URL to OWA by browsing the OWA website over HTTPS.

    Step 3: Configure Users for Exchange 2016 OWA Multi-factor Authentication
    Import the list of users on which MFA in Exchange 2016 needs to be imposed. Select the Users area and then click on the Import button from Active Directory. Locate the settings for importing group members or organizational units, or search to append a user account. Check that your test users have the contact number imported from AD.

    Step 4: Configuration of OWA with MFA
    This is the last step in the Outlook Web Access two factor authentication procedure. You have to adjust the default HTTP configuration on the IIS Authentication node. This will ensure that each auth attempt is matched to a user mentioned in the list. If the user is present and is activated, then perform MFA. Otherwise, the Succeed Authentication settings need to be utilized for the same.

    I hope this helps!

    Wednesday, May 20, 2020 2:24 PM
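
Steps 3 and 4 above mean that only imported, activated users are challenged, and every other logon falls through to the Succeed Authentication setting. The following is an added example, not part of the original post: it compares two constructed CSV exports (the column names are assumptions, not a format defined by MFA Server or Active Directory) to list which accounts would get MFA, which would log on with a password alone, and which lack the phone number Step 3 says to check.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for this example,
# not an export format defined by MFA Server or Active Directory.
AD_EXPORT = """sAMAccountName,enabled,telephoneNumber
alice,true,+1 555 0100
bob,true,
carol,true,+1 555 0102
dave,false,+1 555 0103
erin,true,+1 555 0104
"""

MFA_EXPORT = """username,mfa_enabled
alice,true
bob,true
carol,false
dave,true
"""


def _rows(text):
    """Parse CSV text into a dict keyed by the lower-cased first column."""
    reader = csv.DictReader(io.StringIO(text))
    key = reader.fieldnames[0]
    return {r[key].strip().lower(): r for r in reader}


def _is_true(value):
    return (value or "").strip().lower() in ("true", "1", "yes")


def audit_mfa_coverage(ad_csv, mfa_csv):
    """Classify every enabled AD account by what Step 4 would do at OWA logon."""
    ad = _rows(ad_csv)
    mfa = _rows(mfa_csv)
    report = {"mfa_ok": [], "not_imported": [], "mfa_disabled": [], "no_phone": []}
    for name, account in sorted(ad.items()):
        if not _is_true(account["enabled"]):
            continue  # disabled AD accounts cannot log on at all
        entry = mfa.get(name)
        if entry is None:
            report["not_imported"].append(name)   # Step 3 never imported the user
        elif not _is_true(entry["mfa_enabled"]):
            report["mfa_disabled"].append(name)   # listed but not activated
        elif not account["telephoneNumber"].strip():
            report["no_phone"].append(name)       # phone call cannot be placed
        else:
            report["mfa_ok"].append(name)
    return report


def password_only_accounts(report):
    """Accounts that reach OWA with a password alone under Succeed Authentication."""
    return sorted(report["not_imported"] + report["mfa_disabled"])


if __name__ == "__main__":
    result = audit_mfa_coverage(AD_EXPORT, MFA_EXPORT)
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or '-'}")
    print("password only:", ", ".join(password_only_accounts(result)))
```
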
  • Hi Zeeshan,

    Please check the details given below; it might be helpful.

    http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/

    Wednesday, May 20, 2020 4:59 PM
  • I would leverage Azure:

    https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

    Wednesday, May 20, 2020 6:04 PM
  • The Azure MFA on-prem server is no longer used.

    Wednesday, May 20, 2020 6:05 PM

  • The Azure MFA on-prem server is no longer used.

    Yes, this is what I have found as well. "As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments". A very helpful explanation, but since Microsoft is not providing it, what other way can I achieve this? I don't have any Office 365 account either.
    Friday, May 22, 2020 6:08 AM
  • Hi Zeeshan,

    Please check the details given below; it might be helpful.

    http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/

    Thanks dear, very useful information, but it is restricted only to ECP. I would like to get an email or SMS as soon as a standard user mailbox residing on-premises is accessed through Outlook/OWA or from a mobile, just like in Office 365.
    Friday, May 22, 2020 6:10 AM
  • Thanks, very well explained. Since MFA is no longer supported and I don't have an Office 365 account either, do you have any other option to configure 2 factor authentication for on-premises?

    Friday, May 22, 2020 6:12 AM
  • Thanks, very well explained. Since MFA is no longer supported and I don't have an Office 365 account either, do you have any other option to configure 2 factor authentication for on-premises?

    Your only other option is 3rd party then. Symantec, Duo, etc.
    Friday, May 22, 2020 11:26 AM