Exchange 2010 AADAP publishing - not logging off / custom logoff url?


Hi,

 

Another AADAP query.

I've noticed that if publishing Exchange 2010 OWA through AADAP (Azure AD Application Proxy), the logout doesn't log you out.

I believe this is down to the fact that Exchange 2010 uses the legacy logoff URL of /OWA/logoff.owa instead of the modern /owa/auth/logoff.aspx, so AADAP doesn't recognise a request for logoff.owa as a logout request, maintaining the authenticated session and allowing the user to just browse back into their mailbox.

 

With shared computers/kiosk systems this is obviously an issue.

 

Is there any way to specify the logoff URL within AADAP, or could logoff.owa be added to the default logout request URLs?

 

The only thing I have found online references a deprecated configuration item.

(Although, now I have said that, I haven't actually dropped into PowerShell to see if there is a setting that isn't surfaced through the UI, which I will now go and do.)

 

 

3 Replies

OK, so, the answer is.....

Drop to PowerShell.

 

Using get-azureadapplications, the app has a property of logoffurl.. assuming that isn't deprecated, then I'm assuming setting that will indeed perform the required configuration :)

Also, the setting is "LogoutUrl", not logoffurl.

Also...

Initial testing implies that doesn't do anything, possibly as the service is IWA/KCD rather than OpenID, as per this article:
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect/?v=...
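The PowerShell check the thread is talking around, written out as an added example (not code from the thread or from Microsoft): it reads the `LogoutUrl` property of the Azure AD application object behind the published app with `Get-AzureADApplication`, sets it to the legacy Exchange 2010 logoff path with `Set-AzureADApplication`, and shows the Application Proxy pre-authentication type, which is the IWA/KCD-versus-OpenID distinction the last reply raises. The application display name and the `msappproxy.net` external host are assumptions; substitute your own. Note that the thread's own testing reports that setting `LogoutUrl` did not change the proxy's behaviour for this app, so treat the final manual check as the real test, not the cmdlet's success.

```powershell
# Added example, not from the original thread. Requires the AzureAD module
# (Install-Module AzureAD) and an account that can edit the application object.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appDisplayName = 'Exchange 2010 OWA'                      # assumed display name
$externalHost   = 'https://owa-contoso.msappproxy.net'     # assumed App Proxy external URL
$legacyLogoff   = "$externalHost/owa/logoff.owa"           # Exchange 2010 legacy logoff path from the thread

# Locate the application object by display name (OData filter, exact match).
$app = Get-AzureADApplication -Filter "displayName eq '$appDisplayName'"
if (-not $app) { throw "No Azure AD application named '$appDisplayName' was found." }
if ($app.Count -gt 1) { throw "More than one application is named '$appDisplayName'; pass -ObjectId instead." }

# Report what is configured now. The property is LogoutUrl, not LogoffUrl.
$current = if ([string]::IsNullOrEmpty($app.LogoutUrl)) { '<not set>' } else { $app.LogoutUrl }
Write-Host "Application : $($app.DisplayName) ($($app.ObjectId))"
Write-Host "LogoutUrl   : $current"

# Show how the proxy pre-authenticates users; 'aadPreAuthentication' means Azure AD
# fronts the app, 'passthru' means it does not. This is the property to look at when
# deciding whether a logout URL can be expected to end the proxy session at all.
$proxyCfg = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
Write-Host "ExternalUrl : $($proxyCfg.ExternalUrl)"
Write-Host "PreAuth     : $($proxyCfg.ExternalAuthenticationType)"

# Point LogoutUrl at the legacy logoff path if it is not already set to it.
if ($app.LogoutUrl -ne $legacyLogoff) {
    Set-AzureADApplication -ObjectId $app.ObjectId -LogoutUrl $legacyLogoff
    $app = Get-AzureADApplication -ObjectId $app.ObjectId
    Write-Host "LogoutUrl set to: $($app.LogoutUrl)"
}

# The check that matters for the kiosk scenario in the original post: from a test
# browser, sign in through the external URL, click Sign out (which hits /owa/logoff.owa),
# then try to reload $externalHost/owa/. If the mailbox loads without a fresh Azure AD
# sign-in, the proxy session survived the logoff and the setting did not take effect.
Write-Host "Now sign out in a test browser and reload $externalHost/owa/ to confirm the session is gone."
```

The manual reload at the end is deliberate: `Set-AzureADApplication` returning without error only proves the property was written, not that Application Proxy treats a request for that path as a logout, and the thread's own result was that it did not for this IWA/KCD-published app.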