Nov 19 2021 05:06 AM
Nov 19 2021 05:06 AM
consider a scenario where medium sized companies are still running a supported version of Exchange 2013 or newer On-Prem and for whatever reason are reluctant to commit to Office 365, for example because they invested a lot of money in Microsoft Exchange and infrastructure licenses over the last years.
At the same time, these companies have realized the need to plan for and implement a more secure user authentication and authorization with the on-prem Exchange server. The main concern here are the recent critical Exchange Server vulnerabilities due to Exchange endpoints being exposed to the outside world.
I've been digging through a lot of information to get a clear high level answer on this subject, and here are some of the conclusions I got so far (please correct me if I'm wrong at any point):
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement a more secure user authentication and authorization with the latter
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints
3 – Microsoft provides Hybrid modern authentication with Exchange 2013 or newer On-Prem, however it is not clear to me if HMA offers a more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere
To summarize, I am looking for a 10,000 feet overview of the various possibilities for a more secure user authentication and authorization with on-prem Exchange servers.
Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards,
Nov 23 2021 06:07 AM
Nov 25 2021 12:34 AM
The best way to go forward with this is HMA.
You can use a combination of conditional access and Intune to add extra layer of protection for the user sign in attempts to your organization.
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:
Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication
Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access
I am adding a few URL hope they help you: