Jun 24 2020 02:07 AM
https://docs.microsoft.com/en-us/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication
I have found in testing that simply enabling Hybrid Modern Authentication doesn't impact existing, allowed (via Exchange ABQ/(default) device access rule(s)) ActiveSync devices. It also seems that I can set up new basic authentication ActiveSync devices after HMA has been enabled. Both these things seem to align with the fact that the process of enabling HMA doesn't involve disabling any authentication mechanisms.
Am I misunderstanding this, or do I not have it right?
The reason I ask is that, if I am right, then this could really stand to be included in a purple note at the top of the docs article (link at the top of this post). The way all HMA documentation is described, including the announcement blog post, it sounds as though all existing clients are at risk of no longer working if they can't do modern auth. But in reality (of my testing with vanilla Exchange 2016 CU16), it seems as though the impacts to ActiveSync clients are mainly:
I'd like to fact check this understanding before I submit a pull request to include this info in the article. My testing with Exchange 2016 CU16 confirms these findings, but it would be nice to have it confirmed as the expected behavior. I really think it would help with adoption since the impact to existing ActiveSync clients is a lot less than customers might otherwise assume.
Thanks in advance.
Jun 24 2020 02:24 AM
I will also add that I tested successfully with Outlook for Android and can set up both "Exchange" and "Exchange (Hybrid)" accounts. When enforcing via Conditional Access, I can successfully limit the latter to only compliant devices (which I've enrolled in Intune). That, plus the fact that I have 100% positive results with the validation script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16), is making me think I'm not way out in left field.
Again, the "Configure Hybrid Modern Authentication" article doesn't make any changes to existing authentication settings on virtual directories, other than to add OAuth if necessary to MAPI, EWS, OAB, and Autodiscover. ActiveSync VDs are checked for URLs, but not checked afterwards for OAuth (nor do I see any OAuth properties on my ActiveSync VDs).
So I feel like HMA out of the box, without any additional disabling of other auth mechanisms on your VDs, is available, but not enforced. This would be ideal for a smooth rollout. And if it's actually like this, then this is a big selling point for enabling HMA which I don't see getting sold at all, anywhere.
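One way to verify the "available but not enforced" state the post describes is to read back the per-virtual-directory authentication settings that the HMA article touches. The script below is an added example, not code from the poster or from Microsoft's article; it assumes an on-premises Exchange Management Shell session and uses only the documented `Get-*VirtualDirectory` and `Get-OrganizationConfig` cmdlets and properties.

```powershell
# Added audit script (not from the original post). Reports, per virtual directory,
# whether OAuth has been added and whether Basic/Windows auth is still enabled.
# If Basic stays $true on ActiveSync (and the others), HMA is available to modern
# clients but legacy basic-auth clients are not blocked, as the post observes.

function Get-HmaAuthState {
    $rows = @()

    # MAPI/HTTP exposes its IIS methods as one multi-valued list
    foreach ($vd in Get-MapiVirtualDirectory) {
        $m = $vd.IISAuthenticationMethods
        $rows += [pscustomobject]@{
            Server  = $vd.Server; VDir = 'MAPI'
            OAuth   = [bool]($m -contains 'OAuth')
            Basic   = [bool]($m -contains 'Basic')
            Windows = [bool](($m -contains 'Ntlm') -or ($m -contains 'Negotiate'))
        }
    }

    # EWS, OAB and Autodiscover share the same boolean auth properties
    $sets = @{
        EWS          = { Get-WebServicesVirtualDirectory }
        OAB          = { Get-OabVirtualDirectory }
        Autodiscover = { Get-AutodiscoverVirtualDirectory }
    }
    foreach ($name in $sets.Keys) {
        foreach ($vd in (& $sets[$name])) {
            $rows += [pscustomobject]@{
                Server  = $vd.Server; VDir = $name
                OAuth   = $vd.OAuthAuthentication
                Basic   = $vd.BasicAuthentication
                Windows = $vd.WindowsAuthentication
            }
        }
    }

    # ActiveSync has no OAuth property at all; legacy devices keep using
    # whatever is enabled here regardless of the org-wide HMA switch
    foreach ($vd in Get-ActiveSyncVirtualDirectory) {
        $rows += [pscustomobject]@{
            Server  = $vd.Server; VDir = 'ActiveSync'
            OAuth   = 'n/a'
            Basic   = $vd.BasicAuthEnabled
            Windows = $vd.WindowsAuthEnabled
        }
    }
    $rows
}

"OAuth2ClientProfileEnabled (org-wide HMA switch): " +
    (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Get-HmaAuthState | Sort-Object Server, VDir | Format-Table -AutoSize
```

Rows where OAuth is $true but Basic is also $true are the "available, not enforced" state; turning Basic off is a separate, deliberate step that this script only reports on, never changes.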
Jun 24 2020 02:27 AM
Last point I want to add is that my pre-existing and new setups via the Gmail app, i.e. basic auth, continue to work without issue after enabling HMA.
May 26 2021 10:27 AM
Jun 01 2021 05:27 AM
@bbolling2342 I'm glad it helped, and also nice to have another person present in my thread, so I'm not just on an island by myself bantering:).
Since this other topic is fresh for me, a similar and commonly unknown/unsure topic in this realm is the one that was announced here: Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile
It's not related to this thread, to confirm. I am just sharing to point out that you can target specific users with Conditional Access policies in order to allow them to use the Outlook app, requiring either or both the device to be managed/compliant and an Intune App Protection policy to be applied, all while NOT targeting other users, and still have those other users not be allowed to use the Outlook app, by relying on Device Access Rules in EXO. The users who are targeted by the CA policies will simply bypass the EXO Device Access Rules. This is a big deal for customers who have historically disallowed the Outlook mobile app but are now trying to make the switch. That process is now a walk in the park.
The big parallel between these two topics is that the Exchange Team has managed to enable customers to granularly roll out some pretty big changes, WITHOUT impacting existing clients/devices. Both topics are fairly lengthy and a little convoluted, so it's easy to miss the great deal that they did accomplish for customers. For this, praise to @The_Exchange_Team.
Apr 22 2022 03:59 PM