This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Microsoft no longer supports MFA server for new deployments, but recommends using the [NPS Extension for MFA configuration](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg "MFA NPS Extension").
[Hybrid Modern Authentication](https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-hybrid-modern-authentication-for-exchange-on-premises/ba-p/607476 "Hybrid Modern Authentication") works for Outlook clients, but does not appear to provide MFA enforcement for OWA. In our scenario, we have Azure AD Connect deployed with pass-through authentication (No ADFS). Is there a way to enforce MFA on OWA for end users either using the NPS extension or another AD cloud service? We have Exchange 2016 Server with CU 15 deployed.
You might try setting up a Conditional Access requiring MFA and then selecting Office 365 application (cloud apps, not the software).
Thanks for the help but this does not apply to my question. My question is for OWA provided by an on-premise Exchange Server, not Office 365 (Exchange Online). Exchange Online natively supports MFA, and only needs to be set to require MFA from within Azure AD. Users with on-premise Mailboxes must log in through OWA on premise, and OWA is an IIS web app integrated with Exchange Server on-premise.
Thinking on the lines of Application Proxy, then you can apply Conditional Access to the traffic (hence requiring MFA.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
https://thesleepyadmins.com/2019/02/10/configure-mfa-for-azure-application-proxy/