Hello @MarileeTurscak,
Thank you for your answer and for asking the product team.
After multiple discussions with the security team, we would agree to do without certificate authentication if I can use Azure AD Application Proxy in order to benefit from Conditional Access and thus be able to block certain non-compliant devices in Intune, for example.
Therefore, it seems that the best option for me is to use Hybrid Modern Authentication (OAuth) to identify my users in the cloud, whether they are on-prem or on EXO.
Can you first confirm that my thinking is correct?
To configure HMA, my on-prem Exchange servers must be accessible from the internet. Could you confirm that I can put my on-prem Exchange servers behind Azure AD Application Proxy to expose the URLs (EWS, EAS, etc.), since I no longer need certificate authentication? My question mainly concerns Exchange ActiveSync.
In order to test HMA, I use your script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16).
At the moment, I can't seem to get a working configuration. I have tried putting the Application Proxy app in passthrough mode, but I have no better results yet.
However, if I test OAuth on on-prem or Online Exchange accounts, the test works successfully:
To EXO:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox user@mycompany.com -Verbose | Format-List
To on-prem:
Test-OAuthConnectivity -Service EWS -TargetUri https://webmail.mycompany.com/metadata/json/1 -Mailbox user@mycompany.com -Verbose | Format-List
Again, thanks a lot for your help as this is very critical for us to have a solid solution.
I really like the use of the backend authentication in M365 so HMA seems to really be the good solution.
Thierry
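The following PowerShell is an added example, not the poster's script and not Microsoft's validation script linked above. It wraps the two Test-OAuthConnectivity checks from the post so that the on-prem HMA state can be re-verified after each configuration change, and it first reads the two prerequisites the HMA guidance depends on (OAuth enabled on the organization, and an Azure AD auth server registered as the default authorization endpoint). Assumptions: it runs in the on-prem Exchange Management Shell; the mailbox and the webmail URL are placeholders copied from the post; the ResultType and Detail property names on the Test-OAuthConnectivity output are assumed from its default table output.

```powershell
# Added example: re-check HMA prerequisites and OAuth connectivity in one pass.
# Run from the on-prem Exchange Management Shell. Names marked "placeholder" come
# from the post and must be replaced with the real values for your tenant.

$Mailbox = 'user@mycompany.com'   # placeholder mailbox from the post
$Targets = [ordered]@{
    'EXO EWS'     = 'https://outlook.office365.com/ews/exchange.asmx'
    'On-prem EWS' = 'https://webmail.mycompany.com/metadata/json/1'   # placeholder host
}

Write-Host '== HMA prerequisites on the on-prem organization =='

# OAuth must be switched on for the on-prem org before HMA can work.
$org = Get-OrganizationConfig
[pscustomobject]@{
    Check = 'OAuth2ClientProfileEnabled'
    Value = $org.OAuth2ClientProfileEnabled
    Ok    = [bool]$org.OAuth2ClientProfileEnabled
} | Format-Table -AutoSize

# Exchange on-prem must trust Azure AD as an auth server, and that server must be
# the default authorization endpoint; otherwise clients are not redirected to it.
$authServers = Get-AuthServer | Select-Object Name, Type, Enabled, IsDefaultAuthorizationEndpoint
$authServers | Format-Table -AutoSize
$hasDefaultAad = $authServers | Where-Object { $_.Enabled -and $_.IsDefaultAuthorizationEndpoint }
if (-not $hasDefaultAad) {
    Write-Warning 'No enabled auth server is marked IsDefaultAuthorizationEndpoint; HMA will not engage.'
}

Write-Host '== OAuth connectivity checks (from the post) =='

$summary = foreach ($name in $Targets.Keys) {
    $uri = $Targets[$name]
    # Same check the post runs; -Verbose is dropped here so only the result object is kept.
    $result = Test-OAuthConnectivity -Service EWS -TargetUri $uri -Mailbox $Mailbox

    # Assumption: ResultType is 'Success' on a passing check, 'Error' otherwise,
    # and Detail carries the outbound OAuth log text shown in the default output.
    $failed = @($result | Where-Object { $_.ResultType -ne 'Success' })
    [pscustomobject]@{
        Target = $name
        Uri    = $uri
        Ok     = ($failed.Count -eq 0)
        Detail = if ($failed.Count -gt 0) { ($failed | Select-Object -First 1).Detail } else { '' }
    }
}

$summary | Format-Table Target, Ok, Uri -AutoSize

# Print the first failing detail in full, since the useful error (token audience,
# unreachable metadata URL, certificate problem) is usually buried in that text.
foreach ($row in $summary | Where-Object { -not $_.Ok }) {
    Write-Host "---- $($row.Target) failed ----"
    Write-Host $row.Detail
}
```

When the two connectivity checks pass but clients still fall back to basic or certificate authentication, the prerequisite section is the first place to look: a missing default authorization endpoint produces exactly the "test works, client does not" symptom described in the post.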