Forum Discussion
Is it possible to achieve a more secure user authentication and authorization with on-prem Exchange?
Hello experts,
consider a scenario where medium-sized companies are still running a supported version of Exchange 2013 or newer on-prem and, for whatever reason, are reluctant to commit to Office 365, for example because they have invested a lot of money in Microsoft Exchange and infrastructure licenses over recent years.
At the same time, these companies have realized the need to plan for and implement a more secure user authentication and authorization with the on-prem Exchange server. The main concern here is the recent critical Exchange Server vulnerabilities due to Exchange endpoints being exposed to the outside world.
I've been digging through a lot of information to get a clear high level answer on this subject, and here are some of the conclusions I got so far (please correct me if I'm wrong at any point):
==================================================
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement a more secure user authentication and authorization with the latter.
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster, to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints.
3 – Microsoft provides Hybrid Modern Authentication (HMA) with Exchange 2013 or newer on-prem; however, it is not clear to me whether HMA offers a more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere.
==================================================
To summarize, I am looking for a 10,000-foot overview of the various possibilities for a more secure user authentication and authorization with on-prem Exchange servers.
Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards,
Massimiliano
surajbudhani (Microsoft)
The best way to go forward with this is HMA.
You can use a combination of Conditional Access and Intune to add an extra layer of protection for user sign-in attempts to your organization.

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:
Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication
Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access
I am adding a few URLs; hope they help you:
https://docs.microsoft.com/en-us/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2019
https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-exchange-create
https://docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide

mrizzi2 (Copper Contributor)
Hello community,
Bumping the topic, hoping to get some help.
Kind Regards,
M.
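The answer above points to HMA, while the question asks which endpoints (OWA, ActiveSync, Outlook Anywhere) it actually covers. As an added example, not code from this thread or from Microsoft, here is a read-only Exchange Management Shell audit that reports whether the HMA prerequisites are in place and which authentication methods each Internet-facing virtual directory still accepts. It assumes Exchange 2013 or newer and that the Azure AD auth server is named EvoSTS as in the HMA setup guidance.

```powershell
# Added example, not code from this thread or from Microsoft. Read-only audit
# (Get-* cmdlets only) for Exchange 2013+ in the Exchange Management Shell.
# Assumption: the Azure AD auth server is named "EvoSTS" as in HMA guidance.

# 1. Organization-wide switch that HMA requires (modern auth for Outlook).
$org = Get-OrganizationConfig
Write-Output ("OAuth2ClientProfileEnabled : {0}" -f $org.OAuth2ClientProfileEnabled)

# 2. Azure AD must be registered as an AuthServer and be the default
#    authorization endpoint, or clients are never redirected for OAuth tokens.
Get-AuthServer | Where-Object { $_.Name -like 'EvoSTS*' } |
    Format-Table Name, Enabled, IsDefaultAuthorizationEndpoint, AuthMetadataUrl -AutoSize

# 3. What each Internet-facing endpoint still accepts. HMA adds OAuth, but
#    Basic/NTLM stay available until they are disabled, so list them per server.
function New-Row($Server, $Endpoint, $Basic, $Windows, $OAuth) {
    [pscustomobject]@{ Server = $Server; Endpoint = $Endpoint
                       Basic = $Basic; Windows = $Windows; OAuth = $OAuth }
}
$rows = foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }) {
    $s = $srv.Name
    Get-OwaVirtualDirectory -Server $s | ForEach-Object {
        New-Row $s 'OWA' $_.BasicAuthentication $_.WindowsAuthentication $_.OAuthAuthentication }
    Get-WebServicesVirtualDirectory -Server $s | ForEach-Object {
        New-Row $s 'EWS' $_.BasicAuthentication $_.WindowsAuthentication $_.OAuthAuthentication }
    Get-AutodiscoverVirtualDirectory -Server $s | ForEach-Object {
        New-Row $s 'Autodiscover' $_.BasicAuthentication $_.WindowsAuthentication $_.OAuthAuthentication }
    Get-ActiveSyncVirtualDirectory -Server $s | ForEach-Object {
        # no OAuth property is exposed on the ActiveSync virtual directory
        New-Row $s 'ActiveSync' $_.BasicAuthEnabled $_.WindowsAuthEnabled $null }
    Get-OutlookAnywhere -Server $s | ForEach-Object {
        # Outlook Anywhere lists its IIS methods as a set (Basic, Ntlm, Negotiate)
        New-Row $s 'OutlookAnywhere' ($_.IISAuthenticationMethods -contains 'Basic') `
                                     ($_.IISAuthenticationMethods -contains 'Ntlm') $null }
}
$rows | Sort-Object Server, Endpoint | Format-Table -AutoSize

# 4. Call out endpoints that still accept Basic authentication, the legacy
#    method that bypasses modern-auth controls such as MFA.
$rows | Where-Object { $_.Basic -eq $true } | ForEach-Object {
    Write-Warning ("{0}: {1} still accepts Basic authentication" -f $_.Server, $_.Endpoint)
}
```

Run it before and after enabling HMA to see which endpoints gained an OAuth option and which still fall back to Basic or NTLM, which is the gap that Conditional Access policies alone do not close.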