From time to time, I am asked what solutions are available to provide multi-factor authentication for Exchange Server on-premises. A related request that comes up one way or another is protecting the organization from password brute-force attacks from the Internet, which, as a side effect, lock out accounts in Active Directory.
Unfortunately, my experience in this area is limited to Microsoft products, which to one degree or another help solve these problems, so I cannot recommend third-party solutions.
For third-party solutions, the right approach for administrators, in my view, is to formulate requirements and a technical specification and to communicate directly with the vendor. Documentation and trial versions for testing are not always publicly available, and whether a particular product is worth buying may depend on the country and on the availability of support in particular languages.
Also keep in mind that if a third-party solution malfunctions, Microsoft is unlikely to be able to help; you will need to contact the vendor directly.
While I can’t recommend a specific solution that works in every situation, I would like to share some thoughts and information on the topic below.
📌Some concepts of authentication
Strengthening security in digital environments is one of the most important tasks today. That is why customers are looking for stronger authentication options that can be implemented in on-premises Exchange Server environments.
First, we need to cover two concepts used in securing access to resources on a network, Multi-Factor Authentication (MFA) and Modern Authentication. They are distinct but complementary.
Multi-Factor Authentication (MFA): is a security process that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. The three common categories are something you know (e.g., a password), something you have (e.g., a smart card), and something you are (e.g., a fingerprint).
MFA enhances security by requiring multiple forms of identification before granting access to a system or application.
Modern Authentication: a term usually associated with OAuth 2.0 and OpenID Connect, token-based protocols for authentication and authorization. The client obtains a token from an identity provider instead of presenting the user’s password to every service, which is what allows MFA and other sign-in policies to be enforced by the identity provider as part of the authentication process.
📌Multi-Factor in Exchange Server
Before Exchange Server 2019 CU13, the only option to implement MFA more or less natively was AD FS claims-based authentication for Outlook on the web and the Exchange admin center (EAC). It replaces the traditional authentication methods (Basic or Forms authentication) on the OWA and ECP virtual directories, brings the AD FS account lockout protection with it, and adds certificate authentication (for example, smart cards) as an extra authentication method: 🔗Use AD FS claims-based authentication with Outlook on the web
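The Exchange side of that switch, as an added example that is not part of the original post or of the linked Microsoft article: it points Exchange at the AD FS issuer, turns on AD FS authentication for the OWA and ECP virtual directories, turns every other method off, and verifies the result. It assumes the relying party trusts for /owa and /ecp (with the UPN and primary SID claim rules) already exist in AD FS; the server name, host names and certificate thumbprint are placeholders.

```powershell
# Added example (not the post's or Microsoft's own code). Run in the Exchange Management Shell.
$Server         = 'EXCH1'                               # placeholder Exchange server name
$MailHost       = 'mail.contoso.com'                    # placeholder namespace used by OWA/ECP
$AdfsIssuer     = 'https://adfs.contoso.com/adfs/ls/'   # placeholder AD FS sign-in endpoint
$AdfsThumbprint = '0000000000000000000000000000000000000000'  # placeholder: AD FS token-signing cert

# 1. Tell Exchange which STS to trust and which audience URIs a token must carry.
#    The audience URIs must match the identifiers of the AD FS relying party trusts exactly,
#    including the trailing slash, or every token will be rejected.
Set-OrganizationConfig -AdfsIssuer $AdfsIssuer `
    -AdfsAudienceUris "https://$MailHost/owa/", "https://$MailHost/ecp/" `
    -AdfsSignCertificateThumbprint $AdfsThumbprint

# 2. Enable AD FS authentication on OWA and ECP and disable everything else. AD FS authentication
#    cannot coexist with Basic, Forms or Windows authentication on the same virtual directory, and
#    leaving Basic authentication reachable would keep the password-only path open anyway.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false

Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false

# 3. Verify: AdfsAuthentication should be the only flag that reads True on both directories.
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, *Authentication
Get-EcpVirtualDirectory -Server $Server | Format-List Identity, *Authentication
Get-OrganizationConfig | Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint

# 4. IIS picks up the new settings only after a restart; /noforce lets in-flight requests finish.
iisreset /noforce
```

Repeat step 2 on every Exchange server that serves OWA/ECP. Note that this changes browser access only; Outlook, ActiveSync and EWS keep their own virtual directory settings and are not protected by this change.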
AD FS also has an extranet lockout feature (Extranet Smart Lockout in Windows Server 2016 with updates, and in later versions) that stops brute-force attempts arriving through the Web Application Proxy at AD FS before they reach the Active Directory lockout threshold, so an attacker on the Internet cannot lock out the user’s AD account.
You can also configure and enable Microsoft and third-party authentication methods in AD FS on Windows Server to get further options. There are many third-party MFA providers on the market; consult your organization’s IT department or contact the MFA vendors directly for help with setup and integration with Exchange Server and AD FS.
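Enabling that extranet lockout, as an added example (not code from the original post): the AD FS threshold is derived from the domain lockout policy so that AD FS always trips first, the observation window is kept at least as long as the AD one so that a paused attack cannot slip under AD’s counter, and the mode starts in log-only before enforcing. It assumes the primary AD FS server on Windows Server 2016 with the Extranet Smart Lockout update or later; the fallback values and the sample user are placeholders.

```powershell
# Added example (not the post's or Microsoft's own code). Run on the primary AD FS server.
Import-Module ADFS
Import-Module ActiveDirectory

# Read the domain policy: the AD FS threshold must be lower than the AD lockout threshold,
# otherwise AD locks the account first and the extranet lockout gains nothing.
$domainPolicy  = Get-ADDefaultDomainPasswordPolicy
$adThreshold   = $domainPolicy.LockoutThreshold              # 0 means AD never locks out
$adfsThreshold = if ($adThreshold -gt 1) { $adThreshold - 1 } else { 10 }   # placeholder fallback

# The AD FS window should be at least as long as AD's reset window; if it were shorter, AD FS
# would forget the attempts while AD still counts them, and a second burst could lock the account.
$adWindow   = $domainPolicy.LockoutObservationWindow
$adfsWindow = if ($adWindow -gt (New-TimeSpan -Minutes 30)) { $adWindow } else { New-TimeSpan -Minutes 30 }

# Step 1: enable in log-only mode to see what would be blocked without affecting users.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold $adfsThreshold `
    -ExtranetLockoutThresholdFamiliarLocation $adfsThreshold `
    -ExtranetObservationWindow $adfsWindow `
    -ExtranetLockoutMode ADFSSmartLockoutLogOnly

# Step 2: after reviewing the lockout events and account activity for a while, enforce.
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# Verify the resulting configuration.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
    ExtranetLockoutThresholdFamiliarLocation, ExtranetObservationWindow, ExtranetLockoutMode

# Inspect one account: smart lockout keeps separate counters for familiar locations (IPs the user
# has signed in from successfully before) and unknown ones, so a password spray from a new IP
# blocks the attacker without blocking the real user at the office.
$user = 'alice@contoso.com'   # placeholder
Get-AdfsAccountActivity -Identity $user

# If a legitimate user does get caught (for example from a new location while travelling),
# clear only the unknown-location counter:
# Reset-AdfsAccountLockout -Identity $user -Location Unknown
```

Keep the AD threshold itself (or switch to a long, high-threshold AD policy) as a second line of defence; the extranet lockout only covers requests that come through the Web Application Proxy, not attempts made from inside the network.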
📌Modern Hybrid Authentication in Exchange Server
Modern Authentication is a method of identity management that offers more secure user authentication and authorization. It is available for Office 365 hybrid deployments of Skype for Business Server on-premises and Exchange Server on-premises. Configuring it sets evoSTS (the Security Token Service used by Microsoft Entra ID) as the Auth Server for Skype for Business and Exchange Server on-premises. Hybrid Modern Authentication (HMA) allows additional authentication methods: multi-factor authentication (MFA), smart card authentication and client certificate-based authentication.
If hybrid is already configured, enabling HMA is fairly easy. But it requires some important preparation and checks, because it can break client connectivity if something goes wrong. Carefully review all prerequisites described in the official article.
Also, clients that do not support Modern Authentication will continue to use “legacy” authentication methods:
- Basic authentication
- Digest authentication
- Windows authentication (NTLM and Kerberos)
In that case you will probably want to go through the 🔗Disabling Legacy Authentication in Exchange Server 2019 blog post from the Exchange product group.
Before Exchange Server 2019 CU14, HMA did not cover OWA and ECP. That means you still had to find another way to implement MFA for them (via AD FS, for example) or to block external access to these protocols. Starting with CU14 you can also configure HMA for OWA and ECP: 🔗https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide
For the other protocols you can also benefit from features such as Conditional Access, for example to require that the client computer is Microsoft Entra hybrid joined, to require MFA, to configure passwordless authentication and so on. Don’t forget to check which licenses are required.
📌Modern Authentication in pure Exchange Server
With the release of Exchange Server 2019 CU13, Exchange Server supports OAuth 2.0 (also known as Modern Authentication) in pure on-premises environments, using AD FS as the security token service (STS). For details, carefully read this article: 🔗Enable Modern Auth in Exchange Server on-premises | Microsoft Learn
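The Exchange-side steps for both variants, HMA in the hybrid section above and the pure on-premises AD FS case here, as an added example that is not part of the original post or of the Microsoft articles it links. It first runs the pre-flight checks the hybrid section warns about (every published URL must be HTTPS and OAuth must be enabled on the virtual directories clients use), then makes the chosen STS the default authorization endpoint, and includes the rollback in case clients stop connecting. It assumes the STS side is already done (the Hybrid Configuration Wizard has registered EvoSTS and the namespaces are registered as SPNs on the Exchange Online service principal for the hybrid case; the AD FS application group from the linked article for the on-premises case); the AD FS FQDN and the auth server name are placeholders, and the CU14 OWA/ECP steps from the linked article are not repeated here.

```powershell
# Added example (not the post's or Microsoft's own code). Run in the Exchange Management Shell
# on Exchange Server 2019 CU13 or later.

function Test-ExchangeOAuthReadiness {
    # Returns the distinct host names Exchange publishes. Each must be HTTPS and must also be
    # registered on the STS (SPN on the Exchange Online service principal for HMA, identifier of
    # the AD FS Web API application for the on-premises case); warnings flag what to fix first.
    $vdirs = @(
        Get-MapiVirtualDirectory -ADPropertiesOnly
        Get-WebServicesVirtualDirectory -ADPropertiesOnly
        Get-OabVirtualDirectory -ADPropertiesOnly
        Get-AutodiscoverVirtualDirectory -ADPropertiesOnly
    )
    $hosts = foreach ($v in $vdirs) {
        foreach ($url in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($null -eq $url) { continue }                      # Autodiscover often has no URLs set
            if ($url.Scheme -ne 'https') {
                Write-Warning "$($v.Identity): $url is not HTTPS; OAuth tokens will not be accepted for it"
            }
            "https://$($url.Host)"
        }
    }
    # Outlook uses MAPI/HTTP, EWS, OAB and Autodiscover; OAuth must be enabled on all of them.
    foreach ($v in $vdirs) {
        if ($v.PSObject.Properties['IISAuthenticationMethods']) {
            $methods = @($v.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
            if ($methods -notcontains 'OAuth') { Write-Warning "$($v.Identity): OAuth missing from IISAuthenticationMethods" }
        } elseif (-not $v.OAuthAuthentication) {
            Write-Warning "$($v.Identity): OAuthAuthentication is False"
        }
    }
    $hosts | Sort-Object -Unique
}

function Enable-ExchangeModernAuth {
    param(
        [Parameter(Mandatory)][ValidateSet('Hybrid', 'OnPremAdfs')] [string]$Mode,
        [string]$AdfsFqdn = 'adfs.contoso.com',        # placeholder, on-premises case only
        [string]$AdfsAuthServerName = 'ADFS-OnPrem'     # placeholder name for the auth server object
    )
    switch ($Mode) {
        'Hybrid' {
            # HCW creates the EvoSTS auth server; making it the default authorization endpoint
            # is what turns HMA on for clients that support it.
            $sts = Get-AuthServer | Where-Object { $_.Name -like 'EvoSTS*' }
            if (-not $sts) { throw 'EvoSTS auth server not found; run the Hybrid Configuration Wizard first.' }
            Set-AuthServer -Identity $sts.Identity -IsDefaultAuthorizationEndpoint $true
        }
        'OnPremAdfs' {
            # Pure on-premises: register AD FS (its OpenID Connect metadata) as the auth server.
            if (-not (Get-AuthServer -Identity $AdfsAuthServerName -ErrorAction SilentlyContinue)) {
                New-AuthServer -Type ADFS -Name $AdfsAuthServerName `
                    -AuthMetadataUrl "https://$AdfsFqdn/adfs/.well-known/openid-configuration"
            }
            Set-AuthServer -Identity $AdfsAuthServerName -IsDefaultAuthorizationEndpoint $true
        }
    }
    # Advertise OAuth to clients (Outlook then prefers it over Basic/NTLM when it can).
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
    Get-AuthServer | Select-Object Name, Type, IsDefaultAuthorizationEndpoint
}

function Disable-ExchangeModernAuth {
    # Rollback: stop advertising OAuth and clear the default endpoint; clients fall back to
    # the legacy methods they used before. Takes effect as clients restart.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
    Get-AuthServer | Where-Object { $_.IsDefaultAuthorizationEndpoint } |
        ForEach-Object { Set-AuthServer -Identity $_.Identity -IsDefaultAuthorizationEndpoint $false }
}

# Usage: run the checks, compare the returned hosts with what is registered on the STS, then enable.
Test-ExchangeOAuthReadiness
# Enable-ExchangeModernAuth -Mode Hybrid
# Enable-ExchangeModernAuth -Mode OnPremAdfs -AdfsFqdn 'adfs.contoso.com'
```

Run the readiness function until it produces no warnings before enabling anything; a single virtual directory still published over HTTP, or a host missing from the STS registration, is the usual reason Outlook falls back to repeated password prompts after the switch.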
🔎Conclusion
From the point of view of functionality and supportability, using HMA in a hybrid configuration seems to me the most promising and appropriate solution. However, different organizations may have their own considerations and requirements that lead them to alternative solutions.
If your organization already uses any solution to this problem, please, share your opinion and experience of use in the comments.
Thanks for your attention and have a great day!
End.
