Is it possible to achieve a more secure user authentication and authorization with on-prem Exch ?

Hello experts,


Consider a scenario where medium-sized companies are still running a supported version of Exchange 2013 or newer on-prem and, for whatever reason, are reluctant to commit to Office 365, for example because they have invested a lot of money in Microsoft Exchange and infrastructure licenses over the last years.


At the same time, these companies have realized the need to plan for and implement a more secure user authentication and authorization with the on-prem Exchange server. The main concern here is the recent critical Exchange Server vulnerabilities, due to Exchange endpoints being exposed to the outside world.


I've been digging through a lot of information to get a clear high level answer on this subject, and here are some of the conclusions I got so far (please correct me if I'm wrong at any point):


==================================================
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement a more secure user authentication and authorization with the latter
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints
3 – Microsoft provides Hybrid modern authentication with Exchange 2013 or newer On-Prem, however it is not clear to me if HMA offers a more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere
==================================================


To summarize, I am looking for a 10,000-foot overview of the various possibilities for a more secure user authentication and authorization with on-prem Exchange servers.


Any additional observations/recommendations on this matter will be greatly appreciated.


Thanks and Regards,


Massimiliano

2 Replies
Hello community,

Bumping the topic, hoping to get some help.

Kind Regards,

M.

@mrizzi2 


The best way to go forward with this is HMA.

You can use a combination of Conditional Access and Intune to add an extra layer of protection for user sign-in attempts to your organization.

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:

Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication

Authorization methods: Microsoft's implementation of Open Authorization (OAuth)

Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access

I am adding a few URLs; hope they help you:

https://docs.microsoft.com/en-us/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth...

https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-exchange-create

https://docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worl...
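As an added illustration of the HMA path recommended above (example code, not part of the original thread or of Microsoft's documentation), the following Exchange Management Shell snippet inventories what the on-prem server currently exposes, switches the organization to OAuth-based modern authentication, and then verifies the result. It assumes the HMA prerequisites from the linked docs are already in place (hybrid configuration, Azure AD Connect, and every external Exchange hostname registered as an SPN on the Exchange Online service principal); the `Add-ExchangeSnapin`-style loading of the shell is assumed to have been done by opening the Exchange Management Shell itself.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell
# on an on-prem Exchange 2013+ server that already meets the HMA prerequisites.

# 1. Inventory the externally published URLs. Each hostname here must already be
#    registered as an SPN in Azure AD, otherwise clients fall back to legacy auth.
$vdirs = @(
    Get-MapiVirtualDirectory,
    Get-WebServicesVirtualDirectory,
    Get-OabVirtualDirectory,
    Get-ActiveSyncVirtualDirectory,
    Get-OwaVirtualDirectory,
    Get-EcpVirtualDirectory
)
$vdirs | Select-Object Server, Name, InternalUrl, ExternalUrl | Format-Table -AutoSize

# 2. Record which legacy authentication methods are still enabled per endpoint.
#    This is the baseline the poster was asking about: ActiveSync and Outlook Anywhere
#    keep their own auth settings regardless of whether OAuth is switched on.
Get-ActiveSyncVirtualDirectory | Format-List Server, BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth
Get-OutlookAnywhere | Format-List Server, ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod, IISAuthenticationMethods

# 3. Enable HMA: make the Azure AD authorization server (EvoSTS) the default and
#    turn on the OAuth client profile for the organization.
Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 4. Verify the change took effect before testing from an Outlook client
#    (Outlook's connection status should then report "Bearer" as the auth type).
Get-AuthServer | Format-List Name, Type, Enabled, IsDefaultAuthorizationEndpoint, AuthMetadataUrl
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
```

The inventory steps are worth keeping as a record on their own: after HMA is enabled, comparing the step 2 output over time shows which legacy methods remain reachable from the outside and therefore which endpoints Conditional Access and Intune policies still need to cover.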