Azure MFA with MFA server for OnPrem Exchange 2010

  • Question

  • Hi,
    We have a customer currently using Skype Online.
    We have AADconnect configured with password sync.

    They have an OnPrem Exchange 2010 environment, and would like to enable MFA (sms notifications) for their OWA.

    It's not really clear to me if ADFS is required or not, and what components are required.
    Can we configure this with only AADConnect+passwd sync enabled?

    So if I'm correct:
    * MFA server OnPrem
    * sync'd users need an AD Premium license

    we have no hybrid setup, and the customer is only using Skype Online in the tenant.

    Monday, June 6, 2016 7:06 AM

Answers

  • Options are:

    1. Install MFA Server onto all IIS servers that host OWA and configure MFA Server's IIS Authentication. This option is not considered as supported by Exchange. This option allows users to use phone call, two-way SMS, and mobile app notifications. OATH tokens will only work if you configure MFA Server to use Forms-based IIS authentication, but it's easier to configure HTTP-based IIS authentication.

    2. Use claims-based authentication from OWA to ADFS if that's an option in Exchange 2010 (I don't remember if 2010 has that or if that was introduced in 2013), securing ADFS with MFA Server and its ADFS adapter.

    3. Publish OWA via Azure AD App Proxy and use either cloud-based MFA in Azure AD since you are syncing password hashes to AAD and not federating from AAD to ADFS.

    Options 1 and 2 require the MFA Server, which requires the full version of Azure MFA. You can get that by creating an Azure MFA Provider in the Azure portal, or by purchasing stand-alone MFA, AAD Premium or EMS licenses. Option 3 requires AAD Basic or AAD Premium.

    Tuesday, June 7, 2016 6:32 PM
  • Exchange 2010 doesn't support ADFS-based authentication; it was introduced in 2013.

    For the above:

    1) Yes, you can have an AAD Premium license for all users, or you can just buy standalone Azure MFA for Option 1, as stated by Shawn.

    2) Yes, you need to install MFA Server on-prem to use it with OWA. After installing the MFA Server you need to connect it with local AD to import your users and enable MFA on those users.

    I would advise you to read the article "Setting up Azure MFA server", especially the part "How the Azure Multi-Factor Authentication Server handles user data".



    Rahber
    @Rahber

    • Marked as answer by Lyncer2013 Thursday, June 9, 2016 5:34 AM
    Thursday, June 9, 2016 1:37 AM

All replies

  • Hi,

    Thank you for posting your query in MSDN!

    Reference to Shawn's post - https://social.msdn.microsoft.com/Forums/azure/en-US/acf96a19-d958-4b05-9ece-d017517e9504/windows-azure-multi-factor-authentication-for-owa-2010?forum=windowsazureactiveauthentication

    Hope that helps!

    Best Regards

    Sadiqh Ahmed


    Tuesday, June 7, 2016 2:49 AM
  • Hi Shawn!

    Thanks a lot for the feedback!

    The customer already has Skype4B Online and Intune enabled in their O365 tenant.
    We don't have ADFS enabled, so option 2 won't work for them.

    Is the following correct then?
    * let the customer buy an AADPremium license for all users
    * install the MFA server component

    Installing the server component will "plug in" directly to AD? (or does it also use the AADConnect sync)


    Wednesday, June 8, 2016 9:25 AM
  • Thanks a lot for the information guys! Really appreciate it!
    Thursday, June 9, 2016 5:34 AM