Is it possible to achieve a more secure user authentication and authorization with on-prem Exch ?


Hello experts,

consider a scenario where medium-sized companies are still running a supported version of Exchange 2013 or newer on-prem and for whatever reason are reluctant to commit to Office 365, for example because they invested a lot of money in Microsoft Exchange and infrastructure licenses over the last years.

At the same time, these companies have realized the need to plan for and implement more secure user authentication and authorization with the on-prem Exchange server. The main concern here is the recent critical Exchange Server vulnerabilities due to Exchange endpoints being exposed to the outside world.

I've been digging through a lot of information to get a clear high-level answer on this subject, and here are some of the conclusions I have reached so far (please correct me if I'm wrong at any point):

==================================================
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement more secure user authentication and authorization with the latter
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster, to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints
3 – Microsoft provides Hybrid Modern Authentication with Exchange 2013 or newer on-prem; however, it is not clear to me whether HMA offers more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere
==================================================

To summarize, I am looking for a 10,000-foot overview of the various possibilities for more secure user authentication and authorization with on-prem Exchange servers.

Any additional observations/recommendations on this matter will be greatly appreciated.

Thanks and regards,

Massimiliano

2 Replies
Hello community,

bumping the topic hoping to get some help.

Kind Regards,

M.

@mrizzi2

The best way to go forward with this is HMA.

You can use a combination of Conditional Access and Intune to add an extra layer of protection for user sign-in attempts to your organization.

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:

Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication

Authorization methods: Microsoft's implementation of Open Authorization (OAuth)

Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access

I am adding a few URLs; I hope they help you:

https://docs.microsoft.com/en-us/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth...

https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-exchange-create

https://docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worl...
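As an added example (not code from the thread, from Microsoft, or from the linked docs), the following Exchange Management Shell script shows the on-prem side of the HMA recommendation above: it audits which client-facing virtual directories already accept OAuth, shows the organization-level switches, enables HMA, and, on Exchange 2019 only, creates an authentication policy that refuses Basic/NTLM on the same endpoints. That last step matters for the original question: turning on HMA adds OAuth but does not by itself stop ActiveSync, Outlook Anywhere or EWS from still accepting passwords. Assumptions: a hybrid configuration already exists, the Azure AD AuthServer object is named "EvoSTS" (the name the Hybrid Configuration Wizard creates; check with Get-AuthServer), the Azure AD service principal SPNs for your on-prem namespaces have already been registered, the policy name "Block legacy auth" is chosen here for illustration, and all servers are on a CU level that supports HMA (check the current Microsoft docs for the minimum CU).

```powershell
# Added example for the thread above; not Microsoft's script. Run in the
# Exchange Management Shell on an Exchange 2013/2016/2019 hybrid server.
# Assumed names: AuthServer "EvoSTS", policy "Block legacy auth".

function Get-HmaEndpointStatus {
    # One row per client-facing virtual directory with its OAuth state.
    # The ActiveSync vdir has no OAuth switch, so it is listed as N/A:
    # HMA reaches ActiveSync-style access only via Outlook for iOS/Android.
    $rows = @()
    $rows += Get-MapiVirtualDirectory | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Protocol = 'MAPI/HTTP'
            ExternalUrl = $_.ExternalUrl
            OAuth = [bool]($_.IISAuthenticationMethods -contains 'OAuth') }
    }
    $rows += Get-WebServicesVirtualDirectory | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Protocol = 'EWS'
            ExternalUrl = $_.ExternalUrl; OAuth = [bool]$_.OAuthAuthentication }
    }
    $rows += Get-OabVirtualDirectory | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Protocol = 'OAB'
            ExternalUrl = $_.ExternalUrl; OAuth = [bool]$_.OAuthAuthentication }
    }
    $rows += Get-AutodiscoverVirtualDirectory | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Protocol = 'Autodiscover'
            ExternalUrl = $_.ExternalUrl; OAuth = [bool]$_.OAuthAuthentication }
    }
    $rows += Get-ActiveSyncVirtualDirectory | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Protocol = 'ActiveSync'
            ExternalUrl = $_.ExternalUrl; OAuth = 'N/A' }
    }
    $rows
}

function Get-HmaOrgStatus {
    # Organization-level prerequisites and the HMA master switch.
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        OAuth2ClientProfileEnabled = $org.OAuth2ClientProfileEnabled  # HMA on/off
        MapiHttpEnabled            = $org.MapiHttpEnabled             # HMA needs MAPI/HTTP, not RPC/HTTP
        DefaultAuthServer          = (Get-AuthServer |
            Where-Object IsDefaultAuthorizationEndpoint |
            Select-Object -ExpandProperty Name) -join ','
    }
}

function Enable-Hma {
    # Make Azure AD the default token issuer, then turn on OAuth for clients.
    param([string]$AuthServerName = 'EvoSTS')   # assumed name, see Get-AuthServer
    Set-AuthServer -Identity $AuthServerName -IsDefaultAuthorizationEndpoint $true
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

function New-LegacyAuthBlockPolicy {
    # Exchange 2019 only. HMA leaves Basic/NTLM accepting passwords on the
    # same endpoints; this policy refuses non-OAuth sign-ins per protocol.
    param([string]$Name = 'Block legacy auth')   # illustrative name
    New-AuthenticationPolicy -Name $Name `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap `
        -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices
}

# Usage: audit first; the enabling steps are left commented on purpose.
Get-HmaOrgStatus
Get-HmaEndpointStatus | Format-Table -AutoSize
# Enable-Hma
# New-LegacyAuthBlockPolicy
# Scope the block policy to a pilot user before making it the org default:
# Set-User -Identity pilot.user@contoso.com -AuthenticationPolicy 'Block legacy auth'
# Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block legacy auth'
```

Two caveats from the script: every row from Get-HmaEndpointStatus must show OAuth = True (and MapiHttpEnabled must be True) before Enable-Hma, otherwise Outlook falls back to password prompts; and the legacy-auth block policy is what actually closes the ActiveSync and Outlook Anywhere password paths the original post worries about, so it will also break native mail apps and older Outlook builds that cannot do OAuth, which is why it is scoped to a pilot user first.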