This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi everyone,
I am trying to find the best possible architecture to secure access to my Exchange servers and I need your help.
I have read and re-read tons and tons of documentation and I can not find the best option and above all, one supported in production by Microsoft.
Until today, we have used Microsoft TMG to protect access to our on-prem Exchange servers. As this solution has not been supported for a long time, I would like to replace it. To do so, I configured Azure AD and the synchronization of our Active Directory with Azure AD Connect. I have already migrated all of my +1500 users from Skype for Business to Teams, everything is working great. I have also configured SSO through Azure AD Connect and Exchange Hybrid Configuration. I have Exchange 2013 that I will migrate to Exchange 2019 in the next few weeks (maybe after Christmas Holidays, haha).
So now I would like to find a solution to replace my TMGs.
My imperatives are to keep on-prem Exchange servers and to keep certificate authentication for ActiveSync. Mobile phones are managed through Intune with which I push the certificates. I have Microsoft E3 licenses for all of my users. I also want to protect access to OWA and enable MFA (I've already been able to do that with Azure AD Application Proxy).
So I still have to find a solution to be able to authenticate my ActiveSync users by certificate in Azure in order to continue not to expose my Exchange servers to the Internet. Maybe it's this possible with Hybrid Modern Authentication through Azure App Proxy? I can't find a correct answer to my questions...
Which solution do you think is the best to complete this job?
Thanks a LOT for your help.
Cheers,
Thierry
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I believe that Azure AD App proxy with ActiveSync would be a good solution for you.
This article shows for how it compares to TMG, but as you pointed out says that certificate-based is not supported. This article shows how to set it up using ActiveSync as you described and also says:
"Certificate-Based Authentication supports only Federated environments by using Modern Authentication (ADAL). The one exception is Exchange ActiveSync (EAS) for Exchange Online that can be used by Managed Accounts."
I'm checking in with the product team to get more clarity on this and see if additional guidance exists.
Hello @Lucas Liu-MSFT and @MarileeTurscak,
Thank you for your answers.
If I understand correctly, knowing that this configuration is only supported in federated environments, I have to create an AD FS farm and change my authentication method in Azure AD Connect to switch from "Password Hash Synchronization" to "Federation with AD FS" ?
It will therefore look like this architecture.
Then Azure AD App Proxy is useless? Or can I replace Web Application Proxy with Azure AD App proxy to publish AD FS ?
Thank you again
Regards,
Thierry
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Thierry Eppner ,
I agree with what MarileeTruscak said.
You could following the steps in below link to set up the certificate-based authentication for Exchange ActiveSync.
Please refer to: Azure Active Directory certificate-based authentication on Android and Azure Active Directory certificate-based authentication on iOS
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Thierry Eppner ,
Do suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Thierry Eppner ,
I am writing here to confirm with you how thing going now? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer.Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Thierry Eppner ,
This is the response I got from the product group:
Azure AD Application Proxy does not support client certificate authentication, however Web Application Proxy does. Independent from this the best solution is to migrate to Exchange Online (which the Exchange/M365 Team can help with).
Hello @MarileeTurscak,
Thank you for your answer and for asking the product team.
After multiple discussions with the security team, we would agree to do without certificate authentication if I can use Azure AD Application proxy in order to benefit from Conditional Access and thus be able to block certain non-compliant devices in Intunes, for example.
Therefore, it seems that the best option for me is to use Hybrid Modern Authentication (Oauth) to identify my users in the cloud, whether they are on-prem or on EXO.
Can you first confirm that my thinking is correct?
To configure HMA, my on-prem Exchange servers must be accessible from the internet, could you confirm that I can put my on-prem Exchange servers behind Azure AD Application proxy to expose URLs (EWS, EAS, etc) since I don't no longer need certificate authentication? My question mainly concerns Exchange ActiveSyne.
In order to test HMA, I use your script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16).
At the moment, I can't seem to have a working configuration. I have tried putting the Proxy App in passtrough but I have no better results yet.
However, if I test OAuth on on-prem or Online Exchange accounts, the test works successfully:
To EXO:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox user@mycompany.com -Verbose | Format-List
To on-prem:
Test-OAuthConnectivity -Service EWS -TargetUri https://webmail.mycompany.com/metadata/json/1 -Mailbox user@mycompany.com -Verbose | Format-List
Again, thanks a lot for your help as this is very critical for us to have a solid solution.
I really like the use of the backend authentication in M365 so HMA seems to really be the good solution.
Thierry
Hi @Thierry Eppner ,
According to my research, Hybrid Modern Authentication can be deployed for Exchange server on-premises hybrid deployments.
For more information you could refer to: How to configure Exchange Server on-premises to use Hybrid Modern Authentication
During the deployment process, you can Add on-premises web service URLs as Service Principal Names (SPNs) in Azure AD. For the Azure AD Application you are involved in, it is recommended that you contact the application provider for more configuration information.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPO%3C/text%3E%3C/svg%3E)
Dear Thierry, were you able to configure HMA when Exchange on-prem services were published through azure ad application proxy?
Regards,
Przemek