Actual impact to ActiveSync clients when enabling Hybrid Modern Authentication

https://docs.microsoft.com/en-us/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication

I have found in testing that simply enabling Hybrid Modern Authentication doesn't impact existing, allowed (via Exchange ABQ/(default) device access rule(s)) ActiveSync devices. It also seems that I can set up new basic authentication ActiveSync devices after HMA has been enabled. Both these things seem to align with the fact that the process of enabling HMA doesn't involve disabling any authentication mechanisms.

Am I misunderstanding this, or do I not have it right?


The reason I ask is that, if I am right, then this could really stand to be included in a purple note at the top of the docs article (link at the top of this post). The way all HMA documentation is described, including the announcement blog post, it sounds as though all existing clients are at risk of ceasing to work if they can't do modern auth. But in reality (in my testing with vanilla Exchange 2016 CU16), it seems as though the impacts to ActiveSync clients are mainly:

  1. New setups with Outlook for iOS and Android and other modern authentication ActiveSync clients will follow the HMA. If unable to get through due to a Conditional Access policy, the user can successfully choose to do manual setup and get through using basic authentication. Non-modern authentication ActiveSync clients can still use Basic authentication.
  2. Existing ActiveSync devices (Outlook for iOS and Android and other modern authentication ActiveSync clients included) will continue to work using Basic authentication and won't automatically change over to HMA.

I'd like to fact-check this understanding before I submit a pull request to include this info in the article. My testing with Exchange 2016 CU16 confirms these findings, but it would be nice to have it confirmed as the expected behavior. I really think it would help with adoption since the impact to existing ActiveSync clients is a lot less than customers might otherwise assume.

Thanks in advance.

5 Replies

I will also add that I tested successfully with Outlook for Android and can set up both "Exchange" and "Exchange (Hybrid)" accounts. When enforcing via Conditional Access, I can successfully limit the latter to only compliant devices (which I've enrolled in Intune). That, plus the fact that I have 100% positive results with the validation script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16), is making me think I'm not way out in left field.

Again, the "Configure Hybrid Modern Authentication" article doesn't make any changes to existing authentication settings on virtual directories, other than to add OAuth if necessary to MAPI, EWS, OAB, and Autodiscover. ActiveSync VDs are checked for URLs, but not checked afterwards for OAuth (nor do I see any OAuth properties on my ActiveSync VDs).

So I feel like HMA out of the box, without any additional disabling of other auth mechanisms on your VDs, is available, but not enforced. This would be ideal for a smooth rollout. And if it's actually like this, then this is a big selling point for enabling HMA which I don't see getting sold at all, anywhere.

Last point I want to add is that my pre-existing and new setups via the Gmail app, i.e. basic auth, continue to work without issue, post-enabling HMA.
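Added example, not from any post in this thread or from the Microsoft article: an Exchange Management Shell read-out that lets you check the two claims above (OAuth added to the MAPI, EWS, OAB and Autodiscover virtual directories; nothing disabled; no OAuth property on ActiveSync) on your own servers before and after running the HMA configuration steps. The server name is a placeholder; everything else is standard Exchange 2016 cmdlets and properties.

```powershell
# Added example (not the thread's or Microsoft's code). Run in the Exchange Management Shell.
$server = "EX2016-01"   # placeholder: replace with one of your Mailbox servers

# 1. Is HMA switched on at the org level, and is the Azure AD (evoSTS) auth server registered?
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
Get-AuthServer | Where-Object { $_.Name -like "EvoSts*" } |
    Format-List Name, Enabled, IssuerIdentifier

# 2. The four virtual directories the HMA article touches. After configuration, OAuth should
#    be present, but Basic/Windows/NTLM are left exactly as they were: HMA is additive.
Get-MapiVirtualDirectory -Server $server |
    Format-List Server, IISAuthenticationMethods
Get-WebServicesVirtualDirectory -Server $server |
    Format-List Server, OAuthAuthentication, BasicAuthentication, WindowsAuthentication
Get-OabVirtualDirectory -Server $server |
    Format-List Server, OAuthAuthentication, BasicAuthentication, WindowsAuthentication
Get-AutodiscoverVirtualDirectory -Server $server |
    Format-List Server, OAuthAuthentication, BasicAuthentication, WindowsAuthentication

# 3. ActiveSync: there is no OAuth* property on this VD at all. BasicAuthEnabled is what the
#    legacy EAS clients in the thread (Gmail app, manual Outlook setup) keep using.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Server, BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth

# 4. One-line summary: which externally reachable VDs still accept Basic auth after HMA?
$basicStillOn = @(
    (Get-WebServicesVirtualDirectory  -Server $server | Where-Object BasicAuthentication | Select-Object -ExpandProperty Name),
    (Get-OabVirtualDirectory          -Server $server | Where-Object BasicAuthentication | Select-Object -ExpandProperty Name),
    (Get-AutodiscoverVirtualDirectory -Server $server | Where-Object BasicAuthentication | Select-Object -ExpandProperty Name),
    (Get-ActiveSyncVirtualDirectory   -Server $server | Where-Object BasicAuthEnabled     | Select-Object -ExpandProperty Name),
    (Get-MapiVirtualDirectory         -Server $server | Where-Object { $_.IISAuthenticationMethods -contains "Basic" } | Select-Object -ExpandProperty Name)
) | Where-Object { $_ }
"Virtual directories on $server still accepting Basic auth: $($basicStillOn -join ', ')"
```

If step 4 prints the same list before and after you enable HMA, that is the behaviour the posts describe: modern auth became available, legacy auth was never turned off, and any client that cannot (or chooses not to) do OAuth will keep authenticating with a username and password.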

Jeremy, thank you for sharing your experience. I'm working on the planning stages of implementing HMA and had the same questions. Documentation hasn't changed much since when you went through this last year unfortunately so this really helps alleviate some of the concern I had.

@bbolling2342 I'm glad it helped, and also nice to have another person present in my thread, so I'm not just on an island by myself bantering :).

Since this other topic is fresh for me, a similar and commonly unknown/unsure topic in this realm is the one that was announced here: Upcoming Exchange Online Device Access and Conditional Access changes with Outlook mobile.

It's not related to this thread, to confirm. I am just sharing to point out that you can target specific users with Conditional Access policies in order to allow them to use the Outlook app, requiring either or both the device to be managed/compliant and an Intune App Protection policy to be applied, all while NOT targeting other users, and still have those other users be disallowed from using the Outlook app, by relying on Device Access Rules in EXO. The users who are targeted by the CA policies will simply bypass the EXO Device Access Rules. This is a big deal for customers who have historically disallowed the Outlook mobile app but are now trying to make the switch. That process is now a walk in the park.

The big parallel between these two topics is that the Exchange Team has managed to enable customers to granularly roll out some pretty big changes WITHOUT impacting existing clients/devices. Both topics are fairly lengthy and a little convoluted, so it's easy to miss the great deal that they did accomplish for customers. For this, praise to @The_Exchange_Team.

Two years on and the documentation still doesn't indicate that enabling HMA does nothing to disable legacy authentication. I wonder if this is because Microsoft does not provide a mechanism for disabling legacy authentication in Exchange 2016 at all (you can in Exchange 2019).

We configured HMA (in conjunction with AAD-AP for OWA) with two goals in mind:
1. Take on-prem Exchange off of the public internet and make it only accessible to EXO's IP ranges.
2. Enforce MFA and conditional access across the board for on-prem mailboxes.

Unfortunately, we've since discovered that HMA doesn't accomplish either of these goals, which makes the whole additional HMA security layer rather pointless.
1. With HMA, EXO redirects to on-prem EXCH (rather than proxying) so you still need to have on-prem EXCH reachable to the public internet.
2. There's no way to disable legacy auth (on EXCH2016) so an attacker can just disable support for HMA on their side, and they're right back to plain username and password based legacy authentication.

Really a disappointing security theater on Microsoft's part with these shortcomings in mind.
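Added example, not from any post in this thread: the mechanism the post above alludes to for Exchange 2019. It assumes Exchange 2019 CU2 or later, where authentication policies are available on-premises; Exchange 2016 has no equivalent, which is the post's point. Policy and user names are placeholders. The policy blocks Basic auth per protocol, so a client that "disables HMA on its side" gets refused instead of silently falling back to username and password.

```powershell
# Added example (not the thread's code). Requires Exchange 2019 CU2+; run in the Exchange
# Management Shell. Names below are placeholders.
$policyName = "Block Legacy Auth - Pilot"          # placeholder policy name
$pilotUser  = "pilot.user@contoso.example"         # placeholder mailbox

# Create a policy that refuses Basic auth on every protocol. Each protocol is an explicit
# switch: one you leave out still accepts Basic, so list everything you publish externally.
New-AuthenticationPolicy -Name $policyName `
    -BlockLegacyAuthActiveSync `
    -BlockLegacyAuthAutodiscover `
    -BlockLegacyAuthImap `
    -BlockLegacyAuthMapi `
    -BlockLegacyAuthOfflineAddressBook `
    -BlockLegacyAuthPop `
    -BlockLegacyAuthRpc `
    -BlockLegacyAuthWebServices

# Scope it to a pilot mailbox first. Because legacy clients fall back to Basic without any
# user-visible error today, a pilot is the only way to find devices that will break.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName

# Confirm what the policy blocks and who it applies to.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, BlockLegacyAuth*
Get-User -Identity $pilotUser | Format-List Name, AuthenticationPolicy

# Once the pilot is clean, make it the org default for every user without an explicit policy:
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Combining this with HMA is what turns "modern auth available" into "modern auth required": HMA supplies the OAuth path, the authentication policy removes the password path, and Conditional Access then actually governs every successful sign-in rather than only the clients that opted into it.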