We’re very happy to announce support for Hybrid Modern Authentication (HMA) with the next set of cumulative updates (CU) for Exchange 2013 and Exchange 2016, that’s CU8 for Exchange Server 2016, and ...
Updated Jul 01, 2019
Version 2.0
Blog Post
Great Article.
A few concerns:
running Get-MapiVirtualDirectory | FL server,*url*
produces only an internalUrl. The internal Url is our internal domain "our-domain.local"
there is no externalurl present.
Is this going to be a problem?
Not if your internalURL is reachable inside and outside the network, or if you only plan on having internal users.
- Wow, thanks for getting back to me. This is awesome.
So all our users are internal, but the internalurl obviously cannot be contacted from the outside. Hence the .local domain associated with the link. Going forward, what will I need to do or read up in order to get this puppy in correct order?
Again, thank you for your time.
- If you don't want or need external access (clients connecting from the internet) you don't need to change anything. Just add your internal URL's as SPN's in AAD and it'll work fine. AAD can and will issue tokens for those URL's if they are configured in the tenant.
The clients will talk to Exchange over the local network, then head to AAD to get a token, then back to Exchange. Your clients need to be able to reach AAD from your internal network.
If you do want to allow external access to Exchange, you need to an valid externalURL's to /mapi, /ews, /oab, make sure there's a certificate with all the right names in place on Exchange (or some proxy device if you use one) and register those URLs in AAD too.