Overview
As part of our ongoing security efforts, we have made a recent change to Certificate-Based Authentication (CBA) behavior for Exchange ActiveSync. The enhancement is designed to support TLS 1.3, strengthening security and reliability for our customers.
What's changing?
With this change, all Exchange ActiveSync CBA traffic will be routed to new, dedicated endpoints based on tenant location:
- Multi-tenant: outlook-cba.office365.com
- DoD: outlook-dod-cba.office365.us
- GCC-High: outlook-cba.office365.us
- Gallatin (China): outlook-cba.partner.outlook.cn
This change has already begun to roll out in the worldwide multi-tenant cloud and will start rolling out in other clouds in November.
Potential side effect
For most Exchange ActiveSync clients, this change will be seamless. The client traffic will be implicitly redirected to the new CBA endpoints without any user action required.
However, if your organization uses a Secure Email Gateway (SEG) or similar gateway that filters or inspects ActiveSync traffic, you may need to update your firewall or gateway configuration to allow traffic to and from the new CBA endpoints listed above.
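A practical way to confirm that the new endpoints are reachable through your gateway is to attempt a TLS 1.3 handshake against each one and report where a failure occurs (name resolution, TCP connect, or the TLS handshake itself). The script below is an added example, not code from the Exchange Team or the announcement; it assumes port 443, that the host running it sits behind the same egress path as your ActiveSync clients, and it deliberately sets TLS 1.3 as the minimum version so that an inspection device terminating or downgrading TLS shows up as a handshake failure rather than a silent success.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Dedicated CBA endpoints from the announcement, keyed by cloud.
CBA_ENDPOINTS = {
    "Multi-tenant": "outlook-cba.office365.com",
    "DoD": "outlook-dod-cba.office365.us",
    "GCC-High": "outlook-cba.office365.us",
    "Gallatin": "outlook-cba.partner.outlook.cn",
}


@dataclass
class ProbeResult:
    host: str
    stage: str                     # how far the probe got: "dns", "tcp", "tls" or "ok"
    detail: str                    # error text, or a short success note
    tls_version: Optional[str] = None
    cert_subject: Optional[str] = None


def build_tls13_context() -> ssl.SSLContext:
    """Default-verifying client context that refuses anything below TLS 1.3.

    Refusing older versions is the point of the check: a gateway that
    re-terminates TLS at 1.2 fails here instead of passing unnoticed.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Resolve, connect to, and complete a TLS 1.3 handshake with `host`."""
    # Stage 1: DNS. A failure here usually means the new name is not resolvable
    # from this network (internal resolver or DNS filtering not yet updated).
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return ProbeResult(host, "dns", str(e))

    # Stage 2: TCP. Refused or timed out connects typically mean an egress
    # firewall or gateway allow-list does not yet include the new endpoint.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ProbeResult(host, "tcp", str(e))

    # Stage 3: TLS. Certificate or protocol-version errors point at an
    # inspecting device in the path, since the context insists on TLS 1.3.
    try:
        with build_tls13_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(rdn[0] for rdn in cert.get("subject", ())).get("commonName")
            return ProbeResult(host, "ok", "handshake completed", tls.version(), subject)
    except (ssl.SSLError, OSError) as e:
        return ProbeResult(host, "tls", str(e))
    finally:
        raw.close()


def probe_cloud(cloud: str) -> ProbeResult:
    """Probe the CBA endpoint for one of the clouds named in the announcement."""
    return probe(CBA_ENDPOINTS[cloud])


if __name__ == "__main__":
    # Probe every listed endpoint; in practice you only need your own cloud.
    for cloud, host in CBA_ENDPOINTS.items():
        r = probe(host)
        print(f"{cloud:13} {host:35} {r.stage:4} {r.tls_version or '-':8} {r.detail}")
```

Run it from a machine on the same network path as your ActiveSync clients; a result with stage "ok" and tls_version "TLSv1.3" for your cloud's endpoint means the gateway is passing the traffic through intact, while a "tcp" or "tls" stage tells you whether the fix belongs in the allow-list or in the inspection policy.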
Support
If you have questions or concerns on this change, please contact your SEG vendor. We appreciate your cooperation and commitment to maintaining a secure environment.
Appendix
- RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3
- [MS-ASHTTP]: Authorization | Microsoft Learn: EAS requests without an Authorization header are treated as CBA requests.
The Exchange Team