[Exchange] MFA on-premises

Copper Contributor

Hi everybody

 

Is there a way to activate MFA (2fa) in a 100% on-premises environment?

Is there any documentation?

 

Thanks for help.

 

 

5 Replies

Hi @Marco Antonio da Silva

Can you please describe your setup a little bit. Do you have Exchange and AD on premises only and want MFA? Or do you have a hybrid AD/Azure AD and an on premises Exchange and want MFA ...

 

And is it a Microsoft MFS server you want to deploy? If yes please be aware about the product policy of Microsoft as mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

I hope that helps

Cheers
Rolf
#MCT #LearnWithRolf #TheCloud42

Hi @Rolf-42 

 

We have Exchange on-premises with no hybrid mode enabled, but we have AD SYNC with Azure to use other services.
We want to continue with Exchange on-premises without activating hybrid mode, but we want to activate MFA on-premises.

 

Thank you for help.

Hello @Marco Antonio da Silva

Thank you for the clarification. As stated in the doc, that I linked before, new on premises deployments of MFA servers are not offered. You do not even get the link to download the server software.

The callout says "As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication."

What is your motivation to have an on premises MFA server installation? The MFA service in Azure, as an additional security measure, is protecting your identities and by that only indirectly the mailboxes of the users but also all other services that you configure to have MFA.

And your identities are already in hybrid mode. From my perspective an MFA server on premises is not the best architecture and I do not recommend it.

Cheers
Rolf
#MCT #LearnWithRolf #TheCloud42

hello @Rolf-42 

 

Thank for your answer.
I will indicate to my boss a option to configure exchange in hybrid mode and so use all resource of Azure MFA

 

Cheers,

@Marco Antonio da Silva 

 

Hi Marco, I might be a bit late but from what I understand, you do not need to be in Exchange Hybrid but in Azure AD Hybrid which you mentionned you are for other services.

 

Depending on your O365 subs, you could enable MFA for your user and use an AppProxy with conditional rules.

 

I'm actually looking into this route myself. 

 

Best of luck to you.