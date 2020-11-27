Geekzone: technology news, blogs, forums
On-Prem Exchange and Oauth authentication
27-Nov-2020 09:44
I have a bit of a challenge to put forward around how we may want to leverage oAuth authentication for our Exchange server. I am having a real problem locating any information related to doing this *without* Azure - I would go as far as it seems unsupported/not possible.

Essentially, we want all the features of conditional access, 2FA, etc, that can be achieved by using oauth authentication/an external IdP - but the trick here is I want it for MAPI, ActiveSync (preferably) and OWA.

I have only been able to find information for using ADFS/SAML for OWA and ECP - this doesn't go far enough, as this means ActiveSync and MAPI are still only Username/pass against AD without any conditional access etc.

I know that Exchange can accept oAuth by default, however what remains to be seen is how you set this up with anything other than Azure. Has anyone had any experience with this, in using an external IdP and *not* using Azure at all? Serving completely on-prem?

  27-Nov-2020 09:56
Are you wanting to do this for local/on network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is oAuth but I gathered that you were looking for certain features (conditional access, 2FA etc) rather than actually using oAuth specifically?

  27-Nov-2020 10:13
danielfaulknor:

Are you wanting to do this for local/on network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is oAuth but I gathered that you were looking for certain features (conditional access, 2FA etc) rather than actually using oAuth specifically?

Case here is all users are likely to be external to the network. I saw Duo, but it appeared as if they only support protecting OWA and ECP, no mentions of MAPI or ActiveSync.

The reason I was liking the look of oAuth as an option is because it also generates a token for a period of time, doesn't require storing the password on the device and from what I can tell, has some ability to enforce adaptive authentication provided you use a capable IdP.

PS: because of the scale we're talking about, we also would prefer agentless for connections coming in, so an ability to leverage existing clients (like iOS, Android, Outlook, etc.) without needing to load an agent that intercepts the authentication to get some version of 2FA would be ideal.
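To make the three properties the poster above lists concrete (a token valid for a fixed period, no password held on the device, and a policy check at the identity provider), here is a small added illustration in Python. It is a constructed toy, not Exchange's or any real IdP's implementation: `issue_token` plays the IdP, `validate_token` plays the mail endpoint, the shared HMAC key, the audience name `mail.example.test`, the `policy_ok` hook and the sample user are all assumptions, and a real deployment would use signed JWTs with asymmetric keys rather than a shared secret.

```python
"""Toy model of token-based mail auth: the client exchanges its credential
once for a short-lived signed bearer token, keeps only the token, and the
mail endpoint validates the token instead of re-checking a stored password.
Constructed example; not Exchange's or any IdP's code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the hypothetical IdP and resource.
# A real IdP would publish a public key (JWKS) instead of sharing a secret.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
AUDIENCE = "mail.example.test"   # hypothetical Exchange endpoint name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload_b64: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def issue_token(user, password, password_db, policy_ok, ttl=900, now=None):
    """IdP side: check the credential once, apply the adaptive-policy hook,
    and return a bearer token valid for `ttl` seconds, or None on refusal."""
    now = time.time() if now is None else now
    if password_db.get(user) != hashlib.sha256(password.encode()).hexdigest():
        return None
    if not policy_ok(user):            # conditional-access decision point
        return None
    payload = {"sub": user, "aud": AUDIENCE, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def validate_token(token, now=None):
    """Resource side: verify signature, audience and expiry. Returns the
    subject on success, None otherwise. No password is ever seen here."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("aud") != AUDIENCE or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


def demo(now=1_600_000_000):
    """Walk through the lifecycle with a fixed clock so results are stable."""
    users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed
    allow_all = lambda u: True
    tok = issue_token("alice", "correct horse", users, allow_all, ttl=900, now=now)
    return {
        "fresh": validate_token(tok, now=now + 60),          # inside the 15-minute window
        "expired": validate_token(tok, now=now + 901),       # one second past exp
        "tampered": validate_token(tok[:-2] + "xx", now=now + 60),
        "wrong_pw": issue_token("alice", "wrong", users, allow_all, now=now),
        "policy_denied": issue_token("alice", "correct horse", users, lambda u: False, now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The `demo` function shows the points that matter for the thread: the device only ever holds `tok`, the endpoint accepts it only while `exp` has not passed and the signature still matches, and the IdP can refuse to mint a token at all when the policy hook says no, which is where conditional access would plug in.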

  27-Nov-2020 10:22
I think you might be right about unsupported/impossible in that case. I did some quick research and didn't come up with much. We've always done something like Duo for OWA/ECP and then a VPN to protect the rest.

  27-Nov-2020 10:37
I spend quite a bit of time with the MS auth side of the world and previously with on-premises MS systems and I don't believe I've seen the scenario you describe in action and I have a feeling that it is unsupported. Many of the client side apps have only really supported MFA in the last couple of years and I don't think exchange on-prem does this well without having Azure or Exchange hybrid in place.

  27-Nov-2020 10:50
Can you provide a few more details around your deployment? You mention your users are external to the server - so this isn't for say a local company with AD?

  27-Nov-2020 11:11
You could do Certificate Based Authentication for ActiveSync, made more difficult if not managing the end user devices.

Possible that Cloudflare Access could do what you're looking for, but isn't on prem.