Multi-Factor Authentication in Exchange and Office 365

Published 11-04-2016 11:48 AM

Multi-Factor Authentication (MFA), which includes Two-factor authentication (2FA), in Exchange Server and Office 365, is designed to protect against account and email compromise. Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured systems. The reported technique does not pose a risk to Exchange Server or Office 365:

  • In Exchange Server, authentication configuration settings for client endpoints are not shared across protocols. Supported authentication mechanisms are configured independently for each protocol endpoint. Multi-Factor Authentication in Exchange Server can be enabled in multiple ways, including OAuth. Before implementing MFA with Exchange Server, it is important that all client protocol touchpoints are identified and configured correctly.
  • In Office 365, when Azure MFA is enabled within a tenant, it is applied to all supported client protocol endpoints. Exchange Web Services (EWS) is an Office 365 client endpoint which is enabled. Outlook on the Web (OWA) and Outlook client access are also enabled in Office 365. Office 365 users may experience a small delay in activation of MFA on all protocols due to propagation of configuration settings and credential cache expiration.

Additional information on enabling OAuth in Office 365 and Exchange Server can be found on and MSDN.

The Exchange Team
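
One way to identify the client protocol touchpoints on an on-premises Exchange server and review how each is configured, as an added example (not code from Microsoft or from the original post). It assumes the Exchange Management Shell; the list of endpoint cmdlets and the report column names (`Source`, `Setting`, `Value`) are this example's own choices, and any cmdlet the installed version lacks is skipped.

```powershell
# Added example: lists every authentication-related setting on each client
# protocol endpoint, so endpoints that still accept a single-factor method
# can be reviewed. Read-only; it changes no configuration.

$endpointCmdlets = @(
    'Get-OwaVirtualDirectory',
    'Get-EcpVirtualDirectory',
    'Get-WebServicesVirtualDirectory',   # EWS
    'Get-ActiveSyncVirtualDirectory',
    'Get-AutodiscoverVirtualDirectory',
    'Get-OabVirtualDirectory',
    'Get-MapiVirtualDirectory',
    'Get-OutlookAnywhere',
    'Get-PowerShellVirtualDirectory',
    'Get-PopSettings',
    'Get-ImapSettings'
)

$report = foreach ($cmdlet in $endpointCmdlets) {
    # Skip cmdlets that this Exchange version does not provide.
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }

    foreach ($endpoint in (& $cmdlet)) {
        # Collect settings by name pattern rather than a fixed property list,
        # because property names differ from one endpoint type to another.
        $endpoint.PSObject.Properties |
            Where-Object { $_.Name -match 'Auth|LoginType' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = $cmdlet
                    Server   = $endpoint.Server
                    Endpoint = $endpoint.Identity
                    Setting  = $_.Name
                    Value    = ($_.Value -join ', ')
                }
            }
    }
}

# Full inventory: one row per endpoint and authentication setting.
$report | Sort-Object Server, Source, Setting | Format-Table -AutoSize -Wrap

# Rows that enable Basic or plain-text logon, for closer review.
$report | Where-Object {
    ($_.Setting -match 'Basic' -and $_.Value -eq 'True') -or
    ($_.Value -match 'Basic|PlainText')
} | Format-Table -AutoSize -Wrap
```

The second table is a review list, not a verdict: whether a flagged endpoint is acceptable depends on how MFA is enforced in front of it.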

What about Exchange on premises? Any plans to support MFA for all protocols using Azure MFA or 3rd party?
Sultan, we have previously stated we are working on bringing Modern Auth to on-prem Exchange.
On the first link (enabling OAuth in Office 365) what's the 'downside'? Does it prevent non MFA clients connecting? Why isn't it defaulted to on?
My client would like to know how they can be sure that their Exchange Server protocol touchpoints are “identified and configured correctly.”
Please define "properly configured".
In Skype for Business, users are prompted to type in Exchange credentials after 5 hours of inactivity. How to stop this?

Last update: Jul 01 2019 04:29 PM