HMA

Exchange 2016 Hybrid - Hybrid Modern Authentication only for external connection
We want to use Outlook for iOS / Android with Hybrid Modern Auth to take advantage of CA and Intune. After activation via

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Set-AuthServer -Identity EvoSTS* -IsDefaultAuthorizationEndpoint $true

all internal Outlook 2016 clients also try to establish a connection via OAuth. Since not all users are synchronized in the AAD, a connection is not possible for these users. Does anyone have an idea how we can activate OAuth only for external connections or only for ActiveSync, and have the local clients still connect via Negotiate / NTLM?

Actual impact to ActiveSync clients when enabling Hybrid Modern Authentication
https://docs.microsoft.com/en-us/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication

I have found in testing that simply enabling Hybrid Modern Authentication doesn't impact existing, allowed (via Exchange ABQ / (default) device access rule(s)) ActiveSync devices. It also seems that I can set up new basic authentication ActiveSync devices after HMA has been enabled. Both these things seem to align with the fact that the process of enabling HMA doesn't involve disabling any authentication mechanisms. Am I misunderstanding this, or do I not have it right?

The reason I ask is that, if I am right, then this could really stand to be included in a purple note at the top of the docs article (link at the top of this post). The way all HMA documentation is described, including the announcement blog post, it sounds as though all existing clients are at risk of no longer working if they can't do modern auth. But in reality (of my testing with vanilla Exchange 2016 CU16), it seems as though the impacts to ActiveSync clients are mainly:

New setups with Outlook for iOS and Android and other modern authentication ActiveSync clients will follow the HMA. If unable to get through due to a Conditional Access policy, the user can successfully choose to do manual setup and get through using basic authentication.

Non-modern-authentication ActiveSync clients can still use Basic authentication.

Existing ActiveSync devices (Outlook for iOS and Android and other modern authentication ActiveSync clients included) will continue to work using Basic authentication and won't automatically change over to HMA.

I'd like to fact-check this understanding before I submit a pull request to include this info in the article. My testing with Exchange 2016 CU16 confirms these findings, but it would be nice to have it confirmed as the expected behavior.
I really think it would help with adoption since the impact to existing ActiveSync clients is a lot less than customers might otherwise assume. Thanks in advance.