Exchange Server 2016 On-Premise and 2FA/MFA


Hi

I am trying to find some specific info with regards to Exchange Server 2016 on-premise implementation and 2FA/MFA and not finding much luck.

I have a client who is looking to implement a 2FA solution for their on-premise exchange environment. They currently have PingFederate in the environment and are implementing Symantec 2FA as the MFA provider.

From my understanding I believe that we can implement 2FA without any problems for OWA, but I have also been asked to investigate the implementation of 2FA for EWS, ActiveSync and the Outlook Mobile app. This is where I cannot find information.

Is it possible to implement 2FA for these services? Please advise.

1 Reply
Hello @dhillank,

For securing OWA and ECP please take a look at my blog:

https://www.patrickvanbemmelen.nl/securing-using-sso-for-owa-ecp-with-the-azure-app-proxy/

You can even implement SSO in there!

For EWS, does the company really need it?
If not, then you could block it or look at other solutions like Azure AD applications to give permissions to external applications.
It's really best practice to disable ActiveSync, as it runs on basic authentication, which isn't the best security method nowadays.
The Outlook Mobile App does support OAuth, and if you set up Hybrid Modern Authentication (https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth...) and disable legacy protocols like basic authentication, then you have the best security posture possible for an on-premise Exchange Server.
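The reply's advice boils down to three checks an admin can run before and after the change: is OAuth switched on at the organization level (a prerequisite for Hybrid Modern Authentication with Outlook for iOS/Android), do the ActiveSync and EWS virtual directories still accept Basic authentication, and which mailboxes still have ActiveSync or EWS enabled. The script below is an added example written for this thread, not code from the replier or from Microsoft; it is meant to be run in the Exchange Management Shell of an Exchange 2016 on-premises organization. The function name, the `-EwsAllowList` and `-Apply` parameters and the placeholder mailbox name in the usage lines are this example's own; the cmdlets and property names are the standard Exchange ones. It reports only, unless `-Apply` is passed. The remaining Hybrid Modern Authentication setup (auth server, Azure AD registration and so on) follows the Microsoft doc linked in the reply and is not covered here.

```powershell
# Added example (not from the thread): audit, and optionally remediate,
# legacy-auth exposure on an Exchange 2016 on-premises org.
# Run from the Exchange Management Shell with an account holding the
# Organization Management role.
function Get-LegacyAuthExposure {
    [CmdletBinding()]
    param(
        # SamAccountNames of mailboxes that legitimately keep EWS, e.g. a
        # line-of-business integration. Placeholder list: fill in real names.
        [string[]]$EwsAllowList = @(),
        # When set: disable Basic auth on the EAS/EWS virtual directories and
        # turn ActiveSync/EWS off for every mailbox not on the allow list.
        [switch]$Apply
    )

    # 1. Org-level modern auth switch. Outlook for iOS/Android can only use
    #    OAuth against this org once this is $true.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        Write-Warning 'OAuth2ClientProfileEnabled is $false: modern auth is not enabled for this org yet.'
        if ($Apply) { Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }
    }

    # 2. Virtual directories still offering Basic auth. This is the path that
    #    lets a stolen password reach the mailbox without ever meeting the MFA
    #    that sits in front of OWA.
    $basicVdirs = (@(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory)) |
        Where-Object { $_.BasicAuthEnabled }
    foreach ($v in $basicVdirs) {
        Write-Warning ("Basic auth still enabled on {0}" -f $v.Identity)
    }
    if ($Apply) {
        # Breaks every client that still authenticates with Basic; that is the
        # intended effect, so only do this after clients are on OAuth.
        Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -BasicAuthEnabled $false
        Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -BasicAuthEnabled $false
    }

    # 3. Per-mailbox protocol exposure. EwsEnabled is $null when it was never
    #    set explicitly, and $null means "allowed", so test for -ne $false.
    $report = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
        $ewsOn   = $cas.EwsEnabled -ne $false
        $keepEws = $EwsAllowList -contains $cas.SamAccountName
        if ($cas.ActiveSyncEnabled -or $ewsOn) {
            [pscustomobject]@{
                Mailbox           = $cas.Identity
                ActiveSyncEnabled = $cas.ActiveSyncEnabled
                EwsEnabled        = $ewsOn
                EwsAllowListed    = $keepEws
            }
            if ($Apply) {
                $params = @{ Identity = $cas.Identity; ActiveSyncEnabled = $false }
                if (-not $keepEws) { $params['EwsEnabled'] = $false }
                Set-CASMailbox @params
            }
        }
    }
    return $report
}

# Usage: preview first, then apply. 'svc-crm-integration' is a placeholder.
# Get-LegacyAuthExposure | Format-Table -AutoSize
# Get-LegacyAuthExposure -EwsAllowList 'svc-crm-integration' -Apply
```

Order matters when running with `-Apply`: disabling Basic authentication on the ActiveSync virtual directory cuts off every device that has not yet moved to OAuth, including Outlook for iOS/Android if Hybrid Modern Authentication is not finished. Run the report-only form first, move the mobile clients over, and only then apply; the per-mailbox allow list keeps EWS for the few service accounts that genuinely need it, which is the "does the company really need it?" question the reply raises.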