Exchange 2019 On Premise 2FA activation only for some mailboxes users

Hi!

We have an AD forest with Exchange 2019 containing multiple MBX and CAS servers with multiple DAGs as a Hosted Exchange for our customers.

We want to enable 2FA on one of our client's hosted domains.
Apparently we can activate it on all CAS for all mailboxes but not only for some.

We have tested activating 2FA with ADFS on two CAS servers and it works. Now we want to restrict users using 2FA to only use these two CASs and block access on CASs that do not have 2FA enabled, because otherwise it is possible to log in to their mailboxes via the other CASs.

Does anyone have a solution to do this?

I tried to do it with the Exchange 2019 `New-ClientAccessRule` command, but it is not possible with Exchange 2019 On Premise servers; some parameters like `ExceptAnyOfAuthenticationTypes` are not available.

We also considered doing:
- A second Exchange organization in the same forest (this is not possible).
- A second forest with other Exchange servers (new organization) but this involves a lot of servers in our case.

Thanks for your advice and help!

0 Replies