mrizzi2
Nov 19, 2021

Is it possible to achieve a more secure user authentication and authorization with on-prem Exch ?

Hello experts,

 

Consider a scenario where medium-sized companies are still running a supported version of Exchange 2013 or newer On-Prem and for whatever reason are reluctant to commit to Office 365, for example because they invested a lot of money in Microsoft Exchange and infrastructure licenses over the last years.

 

At the same time, these companies have realized the need to plan for and implement a more secure user authentication and authorization with the on-prem Exchange server. The main concern here is the recent critical Exchange Server vulnerabilities due to Exchange endpoints being exposed to the outside world.

 

I've been digging through a lot of information to get a clear high-level answer on this subject, and here are some of the conclusions I got so far (please correct me if I'm wrong at any point):

 

==================================================
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement a more secure user authentication and authorization with the latter
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints
3 – Microsoft provides Hybrid modern authentication with Exchange 2013 or newer On-Prem; however, it is not clear to me if HMA offers a more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere
==================================================

 

To summarize, I am looking for a 10,000-foot overview of the various possibilities for a more secure user authentication and authorization with on-prem Exchange servers.

 

Any additional observations/recommendations on this matter will be greatly appreciated.

 

Thanks and Regards,

 

Massimiliano
