On-Prem Exchange and Oauth authentication

Forums › IT Pro and developers › On-Prem Exchange and Oauth authentication

Aaroona

3193 posts

Uber Geek

#280113 27-Nov-2020 09:44

I have a bit of a challenge to put forward around how we may want to leverage oAuth authentication for our Exchange server. I am having a real problem locating any information related to doing this *without* Azure - I would go as far as it seems unsupported/not possible.

Essentially, we want all the features of conditional access, 2FA, etc, that can be achieved by using oauth authentication/an external IdP - but the trick here is I want it for MAPI, ActiveSync (preferably) and OWA.

I have only been able to find information for using ADFS/SAML for OWA and ECP - this doesn't go far enough, as this means ActiveSync and MAPI are still only Username/pass against AD without any conditional access etc.

I know that Exchange can accept oAuth by default, however what remains to be seen is how you set this up with anything other than Azure. Has anyone had any experience with this, in using an external IdP and *not* using Azure at all? Serving completely on-prem?

danfaulknor

933 posts

Ultimate Geek

Trusted

Prodigi

#2611582 27-Nov-2020 09:56

Are you wanting to do this for local/on network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is oAuth but I gathered that you were looking for certain features (conditional access, 2FA etc) rather than actually using oAuth specifically?

they/them

Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

Aaroona

3193 posts

Uber Geek

#2611594 27-Nov-2020 10:13

danielfaulknor:

Are you wanting to do this for local/on network devices as well?

For external, you could use Duo for OWA, and then a VPN that does the conditional access/2FA to access the rest (potentially also protected by Duo for single-pane-of-glass)? If you really need it for internal as well you could probably look at any of the number of NGFW solutions, and put the servers behind a firewall.

I know none of this is oAuth but I gathered that you were looking for certain features (conditional access, 2FA etc) rather than actually using oAuth specifically?

Case here is all users are likely be external to the network. I saw Duo, but it appeared as if they only support protecting OWA and ECP, no mentions of MAPI or ActiveSync.

The reason I was liking the look of oAuth as an option is because it also generates a token for a period of time, doesn't require storing the password on the device and from what I can tell, has some ability to enforce adaptive authentication provided you use a capable IdP.

PS: because of the scale we're talking about, we also would prefer agentless for connections coming in, so an ability to leverage existing clients (like iOS, Android, Outlook, etc.) without needing to load an agent that intercepts the authentication to get some version of 2FA would be ideal.

danfaulknor

933 posts

Ultimate Geek

Trusted

Prodigi

#2611613 27-Nov-2020 10:22

I think you might be right about unsupported/impossible in that case. I did some quick research and didn't come up with much. We've always done something like Duo for OWA/ECP and then a VPN to protect the rest.

they/them

Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

mrdrifter

576 posts

Ultimate Geek

ID Verified

Trusted

#2611619 27-Nov-2020 10:37

I spend quite a bit of time with the MS auth side of the world and previously with on-premises MS systems and I don't believe I've seen the scenario you describe in action and I have a feeling that it is unsupported. Many of the client side apps have only really supported MFA in the last couple of years and I don't think exchange on-prem does this well without having Azure or Exchange hybrid in place.

Zeon

3916 posts

Uber Geek

Trusted

#2611626 27-Nov-2020 10:50

Can you provide a few more details around your deployment? You mention your users are extenral to the server - so this isn't for say a local company with AD?

Speedtest 2019-10-14

jnimmo

1097 posts

Uber Geek

#2611643 27-Nov-2020 11:11

You could do Certificate Based Authentication for ActiveSync, made more difficult if not managing the end user devices.

Possible that Cloudflare Access could do what you're looking for, but isn't on prem.