
How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less

Securing Exchange doesn't have to be hard. Learn how to dramatically increase your organization's security posture in just 20 minutes. In this fast-paced session, learn how to use conditional access and MFA to easily secure Exchange Online and Exchange on-premises, including demos of the end-to-end user experience. We cover authentication, how to configure Azure Active Directory and Exchange, licensing, and other requirements.

Check this session out in the Ignite Session Catalogue
Session Code
THR3024
Speaker
Jeff Guillet
Session Type
Theater: 20 Minute
Topic
Modern Workplace-Simplified IT Management
Format
Session
Level
Advanced (300)
11 Replies
Thanks! How about if we want to secure onprem/hybrid OWA with Azure MFA without adfs in the picture?

Good question, Wes. This can be done, as well, but I didn't have time to show it in my short 20 minute session. It requires you to configure an Azure App Proxy application to OWA and configure SSO to use Windows Integrated authentication. You'll create a service principal name (SPN) for the app and configure Kerberos Constrained Delegation (KCD) for SSO. Then, OWA users will auth to Azure AD and be prompted for MFA.

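The on-premises half of the App Proxy plus KCD setup described in the reply above, as an added example that is not part of the session or this thread. It runs as a domain admin on a host with the ActiveDirectory RSAT module. Every name in it is an assumption: `owa.contoso.com` for the published OWA namespace, `EXCH-ASA` for the alternate service account Exchange uses for Kerberos, `APPPROXY01` for the connector server and `EXCH01` for the Exchange server.

```powershell
# Added example, not from the session or the thread. Assumed names:
#   owa.contoso.com   OWA namespace published through Azure AD Application Proxy
#   EXCH-ASA$         alternate service account (ASA) that holds Exchange's HTTP SPNs
#   APPPROXY01        server running the App Proxy connector
#   EXCH01            Exchange server (used only in the commented EMS step)
Import-Module ActiveDirectory

$OwaHost     = 'owa.contoso.com'
$ExchangeAsa = 'EXCH-ASA$'      # computer account used as ASA; a user account works the same way
$Connector   = 'APPPROXY01'
$Spn         = "http/$OwaHost"

# 1. The HTTP SPN for the OWA namespace must sit on the account that decrypts
#    Kerberos tickets for Exchange (the ASA). setspn -S refuses to create a
#    duplicate, and a duplicate SPN is the usual reason KCD fails with no
#    useful error, so query first and report what is already there.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered:`n$($query -join "`n")"
} else {
    setspn -S $Spn $ExchangeAsa
}

# 2. Allow the connector machine to obtain tickets on behalf of users to that
#    one SPN only, with protocol transition ("use any authentication protocol").
#    App Proxy hands the connector an Azure AD-authenticated UPN, not a Kerberos
#    ticket, so constrained delegation without protocol transition cannot work.
Set-ADComputer -Identity $Connector -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Get-ADComputer -Identity $Connector | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify the delegation list is exactly the SPN above and nothing wider.
#    Every extra SPN here is a service a compromised connector could reach as
#    any user, so keep this list minimal and review it.
$c = Get-ADComputer -Identity $Connector -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Connector           = $c.Name
    AllowedToDelegateTo = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    # TRUSTED_TO_AUTH_FOR_DELEGATION is bit 0x1000000 of userAccountControl
    ProtocolTransition  = [bool]($c.userAccountControl -band 0x1000000)
}

# 4. In the Exchange Management Shell (not this session) switch the OWA and ECP
#    virtual directories to Integrated Windows authentication so the connector's
#    ticket is accepted; Exchange requires OWA and ECP auth settings to match:
#    Set-OwaVirtualDirectory -Identity 'EXCH01\owa (Default Web Site)' -FormsAuthentication $false -WindowsAuthentication $true
#    Set-EcpVirtualDirectory -Identity 'EXCH01\ecp (Default Web Site)' -FormsAuthentication $false -WindowsAuthentication $true

# 5. In the Azure portal, on the App Proxy application: pre-authentication =
#    Azure Active Directory, single sign-on = Integrated Windows Authentication,
#    internal application SPN = http/owa.contoso.com, delegated login identity =
#    user principal name (assumes on-prem UPNs match Azure AD UPNs).
```

Steps 4 and 5 are left as comments because they run in a different shell and in the portal; the point of the script is steps 2 and 3, since `msDS-AllowedToDelegateTo` plus protocol transition is the part that gives the connector the ability to impersonate users, and it should be scoped to the single OWA SPN.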

Thanks Jeff!  That's exactly how I was planning to approach it, so that's good to hear...  However I was curious about the best way to block people from connecting directly to on-prem OWA.  Some kind of WAF is an option I suppose, but I was also considering using something like Duo MFA (which we currently have deployed) as a simple application-level block.


My best practice is remove the current A record for OWA and replace it with a CNAME record that points to the app proxy application. That way, it doesn't break anyone's bookmarks.

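The record swap Jeff describes, as an added example that is not from the thread, written for a Windows DNS server with a pre-check and a verification step. Assumptions: the zone `contoso.com` is hosted on `DNS01`, the OWA name is the `owa` label (a CNAME cannot be placed at the zone apex), and the App Proxy external host is `owa-contoso.msappproxy.net`.

```powershell
# Added example, not from the thread. Assumed values:
#   contoso.com                   zone hosted on the Windows DNS server DNS01
#   owa                           label currently holding the OWA A record
#   owa-contoso.msappproxy.net    external URL of the App Proxy application
$Zone   = 'contoso.com'
$Name   = 'owa'
$Server = 'DNS01'
$Target = 'owa-contoso.msappproxy.net'

# 1. Capture what is there now so the change can be reverted.
$old = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -ComputerName $Server -ErrorAction SilentlyContinue
if (-not $old) { throw "No record named $Name in $Zone on $Server; check the namespace before changing anything." }
$old | Select-Object HostName, RecordType, RecordData | Format-List

# 2. A CNAME cannot coexist with other records at the same name, so the A
#    record(s) must go first. -Force skips the per-record prompt.
$old | Where-Object RecordType -eq 'A' |
    Remove-DnsServerResourceRecord -ZoneName $Zone -ComputerName $Server -Force

# 3. Add the alias with a short TTL for the cutover window; raise it once the
#    App Proxy path is confirmed working.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Name -HostNameAlias $Target `
    -ComputerName $Server -TimeToLive (New-TimeSpan -Minutes 5)

# 4. Verify from the resolver's point of view: the alias should chase to the
#    App Proxy endpoint, not to the old on-prem address.
Resolve-DnsName -Name "$Name.$Zone" -Server $Server -Type CNAME
```

The DNS change keeps bookmarks working, which is what the reply is about; it does not by itself stop anyone who knows the old IP address from reaching the on-premises OWA directly, so the old published path still needs closing at the firewall or reverse proxy if the goal is to force every session through App Proxy.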

That's assuming OWA has a dedicated namespace right...  if it doesn't then I guess this wouldn't be an option?


Correct.


FYI - I posted a follow-up article on my blog: 

User-based MFA vs. Conditional Access MFA


Thanks Jeff!  We are looking into rolling out CA as well.

My testing has been a bit frustrating though...  We have a test policy created that triggers a requirement for *one* of two things - MFA or AAD-joined computer.

When I test from an AAD-joined computer, we still get prompted for MFA.  MS Support has been useless (only good for calling me at 4:30am with zero helpful information).  Have you seen anything like this?  Our expectation is that with it set this way, we should only have to MFA if connecting from a non-AAD-joined machine (we are running hybrid AD/AAD-joined machines).

Thanks!


It's working for me. I created a CA policy called "MFA All except hybrid AAD-joined".  Assignments are all cloud apps and the device state condition is all device states except Device Hybrid Azure AD-joined. Set the control to Grant and require MFA.

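The policy in the reply above, built with the Microsoft Graph PowerShell SDK, as an added example that is not from the thread. The "device state" condition Jeff used was a preview in 2018 and has since been replaced by the device filter; the filter rule below is the current equivalent of "all device states except Hybrid Azure AD joined" (`trustType` `ServerAD` is the value for hybrid-joined devices). The emergency-access group ID is a placeholder.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph.Identity.SignIns
# module. The group ID below is a placeholder for your emergency-access accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: break-glass group

$policy = @{
    displayName = 'MFA All except hybrid AAD-joined'
    # Report-only first: an all-users, all-apps MFA policy also catches service
    # accounts and legacy clients. Read the sign-in logs, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)
        }
        clientAppTypes = @('all')
        devices        = @{
            # Exclude mode: devices matching the rule are out of scope. A device
            # that presents no device identity does not match, so it is still in
            # scope and gets MFA, which is the behaviour the reply describes.
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

For the exclusion to apply, the client has to present the device identity: on the machine `dsregcmd /status` should show both `DomainJoined : YES` and `AzureAdJoined : YES`, and the sign-in has to come from a client that sends device claims (Outlook with modern authentication, Edge, or Chrome with the Windows Accounts extension). A hybrid-joined machine that has not finished registering, or a browser that cannot pass device claims, is evaluated as an unknown device and is prompted for MFA, which is the observation the previous reply describes.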

Aha!  I hadn't looked into the preview of device state details.  Perfect, thanks!!

p.s. do you do a separate policy for mobile devices? I notice that I'm getting prompted every day/other day or so by both iOS Mail and Outlook for iOS to reenter my pw (and MFA)...