DhillanKalyan-4084 asked FrankLima-0322 commented

Exchange Server 2016 On-Premise and 2FA/MFA

Hi


I am trying to find some specific info with regard to Exchange Server 2016 on-premise implementation and 2FA/MFA and am not having much luck.


I have a client who is looking to implement a 2FA solution for their on-premise Exchange environment. They currently have PingFederate in the environment and are implementing Symantec 2FA as the MFA provider.


From my understanding I believe that we can implement 2FA without any problems for OWA but I have also been asked to investigate the implementation of 2FA for EWS, ActiveSync and the Outlook Mobile app. This is where I cannot find information.


Is it possible to implement 2FA for these services? Please advise.


AshokM-8240 answered AshokM-8240 commented

Hi,

To my knowledge, supported services for MFA in Exchange on-premise are OWA/ECP. There are various methods to achieve this:
1. Using ADFS
2. Cloud based - Azure
3. Reverse proxy + cloud based - for instance, the reverse proxy can be integrated with NPS for RADIUS, using the NPS extension on that server for secondary authentication in Azure
4. Third-party products like PingFederate/Duo, which have clear documentation on the product itself for configuring MFA for Exchange on-premise

http://msexchangeguru.com/2017/01/16/secure-owa-ecp-with-mfa/
https://practical365.com/exchange-server/exchange-web-services-bypass-multi-factor-authentication/
https://social.msdn.microsoft.com/Forums/en-US/d28e3947-0a19-44d9-b39f-db9a4f6c21f3/mfa-on-premises-exchange-2016?forum=windowsazureactiveauthentication

If the above suggestion is helpful, please click on "Accept Answer" and Upvote it.


Hi,

Just to check if there are any updates. If the above suggestion helps, please click on "Accept Answer" and upvote it. Thanks for understanding.

LucasLiu-MSFT answered LucasLiu-MSFT commented

Hi @DhillanKalyan-4084 ,
I agree with what AshokM-8240 said.
In addition, if you use a third-party product to set up MFA for ActiveSync and Outlook on mobile, please note that there are requirements for your mobile system. For specific restrictions, please refer to the instructions of each product.



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Hi @DhillanKalyan-4084 ,
Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer. This will make answer searching in the forum easier and be beneficial to other community members as well.

Thanks for your understanding.




Hi @DhillanKalyan-4084 ,
I am writing here to confirm with you how things are going now. If the above suggestion helps, please click “Accept as answer” to mark the helpful reply as an answer. Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.



heavy-d answered heavy-d commented

@AshokM-8240
My specific goal is to implement 2FA for On-Prem Exchange 2019 multi-tenant. Above you said the goal could be accomplished by various methods. I'm specifically interested in 1. Using ADFS and 2. Cloud based - Azure. I can find articles that talk about these topics but not specifically how to accomplish my goal. Can you give more info on options 1 and 2 please?
Thanks!!


heavy-d, in reply to AkankshaThakur-8359:

@AkankshaThakur-8359
Thank you so much for the response and suggestion. Unfortunately the higher-ups have decided to go in a different direction. Thank you again for your input.

KeithClark-0602 answered FrankLima-0322 commented

I am also being tasked with 2FA for OWA on an on-prem Exchange 2016 server. I already have 2FA established throughout the domain and for remote users with hardware YubiKey smart cards. I was hoping I could use these same cards rather than having to now support an additional 2FA solution. Is it possible within Exchange 2016 on-prem or 2019 Server to support hardware tokens (FIDO2)? Is there any kind of support for my YubiKeys to do 2FA for OWA, or am I stuck with having to purchase an additional solution?


I honestly got tired of all the security issues and the problems with CUs for Exchange crashing Exchange. Sorry Microsoft, but your Exchange care and patching has been terrible for a long time.
I personally created a brand new deployment of 2019 with the latest CU and all security patches.
I then created a firewall setup to a reputable smart host for spam, virus and malware, and locked NAT only to the smart host IP for SMTP.
Opened OWA only for internal function, for workstations not having Office.
For phones I created an IKEv2 VPN, and once it is activated on an iPhone or Droid they are free to enjoy securely and don't even need to interact, and all is encrypted on the cell.

SH-1616 answered BlauerAdmin-9205 published

Hi,

I had the same challenge and ended up using DUO 2FA for Exchange 2016 OWA on premise. The setup and configuration was straightforward.

I also run 2019 on-prem Exchange and have 100+ users all over the USA who use Outlook to connect and hate OWA. Will DUO work for Outlook end users out on the road, and how will that work for cell phone users?

Jeff
