Geekzone: technology news, blogs, forums

Aaroona, #280113, 27-Nov-2020 09:44

I have a bit of a challenge to put forward around how we may want to leverage OAuth authentication for our Exchange server. I am having a real problem locating any information related to doing this *without* Azure - I would go as far as to say it seems unsupported/not possible.

Essentially, we want all the features of conditional access, 2FA, etc. that can be achieved by using OAuth authentication/an external IdP - but the trick here is I want it for MAPI, ActiveSync (preferably) and OWA.

I have only been able to find information for using ADFS/SAML for OWA and ECP - this doesn't go far enough, as this means ActiveSync and MAPI are still only username/password against AD without any conditional access etc.

I know that Exchange can accept OAuth by default, however what remains to be seen is how you set this up with anything other than Azure. Has anyone had any experience with this, in using an external IdP and *not* using Azure at all? Serving completely on-prem?

danfaulknor, #2611582, 27-Nov-2020 09:56

Are you wanting to do this for local/on-network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is OAuth but I gathered that you were looking for certain features (conditional access, 2FA etc.) rather than actually using OAuth specifically?

they/them
Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

Aaroona, #2611594, 27-Nov-2020 10:13

danielfaulknor:

Are you wanting to do this for local/on-network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is OAuth but I gathered that you were looking for certain features (conditional access, 2FA etc.) rather than actually using OAuth specifically?

Case here is all users are likely to be external to the network. I saw Duo, but it appeared as if they only support protecting OWA and ECP, with no mention of MAPI or ActiveSync.

The reason I was liking the look of OAuth as an option is because it also generates a token that is valid for a period of time, doesn't require storing the password on the device, and, from what I can tell, has some ability to enforce adaptive authentication provided you use a capable IdP.

PS: because of the scale we're talking about, we also would prefer agentless for connections coming in, so an ability to leverage existing clients (like iOS, Android, Outlook, etc.) without needing to load an agent that intercepts the authentication to get some version of 2FA would be ideal. 
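The token property described in this post, as an added example that is not part of the thread and not Exchange's or any IdP's own code: the client presents a time-limited bearer token instead of the password on every request, and the resource server checks signature, issuer, audience and expiry before serving the mailbox request. It assumes a hypothetical on-prem IdP at https://idp.example.test, a hypothetical Exchange audience https://mail.example.test, and an HS256 demo secret constructed for the example; a real IdP signs with an asymmetric key published via JWKS, but the checks a resource server must perform against any external IdP are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: a real IdP signs with an asymmetric key (RS256/ES256) and
# publishes the public key via JWKS; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"
EXPECTED_ISSUER = "https://idp.example.test"     # hypothetical on-prem IdP
EXPECTED_AUDIENCE = "https://mail.example.test"  # hypothetical Exchange endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, lifetime_s: int, now: Optional[int] = None) -> str:
    """IdP side: issue a short-lived HS256 JWT. The device keeps this token, not the password,
    and has to come back to the IdP (where adaptive policy runs) once it expires."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime_s}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Resource-server side: verify the bearer token before serving the mailbox request.
    Returns the claims on success; raises ValueError with the reason otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize_request(authorization_header: str, now: Optional[int] = None) -> tuple:
    """Gate a mailbox request on its Authorization header. Only Bearer is accepted: a Basic
    header would mean the client is still shipping the stored password on every request."""
    scheme, _, value = authorization_header.partition(" ")
    if scheme != "Bearer":
        return False, f"scheme {scheme!r} not accepted"
    try:
        claims = validate_token(value, now)
    except ValueError as e:
        return False, str(e)
    return True, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("alice", 3600, now=t0)
    print(authorize_request("Bearer " + tok, now=t0 + 60))      # accepted while valid
    print(authorize_request("Bearer " + tok, now=t0 + 3601))    # rejected once expired
    print(authorize_request("Basic YWxpY2U6aHVudGVyMg==", now=t0))  # password-style auth refused
```

The short `exp` is what makes the IdP's adaptive policy bite: the device can only hold the token for its lifetime, after which it must go back to the IdP, where conditional-access rules are evaluated again. Refusing the `Basic` scheme outright is what stops a client from quietly falling back to sending the stored password.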


danfaulknor, #2611613, 27-Nov-2020 10:22

I think you might be right about unsupported/impossible in that case. I did some quick research and didn't come up with much. We've always done something like Duo for OWA/ECP and then a VPN to protect the rest.

mrdrifter, #2611619, 27-Nov-2020 10:37

I spend quite a bit of time with the MS auth side of the world, and previously with on-premises MS systems, and I don't believe I've seen the scenario you describe in action; I have a feeling that it is unsupported. Many of the client-side apps have only really supported MFA in the last couple of years and I don't think Exchange on-prem does this well without having Azure or Exchange hybrid in place.


Zeon, #2611626, 27-Nov-2020 10:50

Can you provide a few more details around your deployment? You mention your users are external to the server - so this isn't for, say, a local company with AD?


jnimmo, #2611643, 27-Nov-2020 11:11

You could do certificate-based authentication for ActiveSync, made more difficult if you're not managing the end-user devices.

Possible that Cloudflare Access could do what you're looking for, but it isn't on-prem.

