Certificate based authentication for Exchange ActiveSync on-prem through Azure

Occasional Contributor
Hi everyone,

I am trying to find the best possible architecture to secure access to my Exchange servers and I need your help.
I have read and re-read tons and tons of documentation and I can not find the best option and above all, one supported in production by Microsoft.

Until today, we have used Microsoft TMG to protect access to our on-prem Exchange servers. As this solution has not been supported for a long time, I would like to replace it. To do so, I configured Azure AD and the synchronization of our Active Directory with Azure AD Connect. I have already migrated all of my +1500 users from Skype for Business to Teams, everything is working great. I have also configured SSO through Azure AD Connect and Exchange Hybrid Configuration. I have Exchange 2013 that I will migrate to Exchange 2019 in the next few weeks (maybe after Christmas Holidays, haha).

So now I would like to find a solution to replace my TMGs.

My imperatives are to keep on-prem Exchange servers and to keep certificate authentication for ActiveSync. Mobile phones are managed through Intune with which I push the certificates. I have Microsoft E3 licenses for all of my users. I also want to protect access to OWA and enable MFA (I've already been able to do that with Azure AD Application Proxy).

So I still have to find a solution to be able to authenticate my ActiveSync users by certificate in Azure in order to continue not to expose my Exchange servers to the Internet. Maybe it's this possible with Hybrid Modern Authentication through Azure App Proxy? I can't find a correct answer to my questions...

Which solution do you think is the best to complete this job?

Thanks a LOT for your help.

0 Replies