Certificate based authentication for Exchange ActiveSync on-prem through Azure

Thierry Eppner 1 Reputation point

Hi everyone,

I am trying to find the best possible architecture to secure access to my Exchange servers and I need your help.
I have read and re-read tons and tons of documentation and I can not find the best option and above all, one supported in production by Microsoft.

Until today, we have used Microsoft TMG to protect access to our on-prem Exchange servers. As this solution has not been supported for a long time, I would like to replace it. To do so, I configured Azure AD and the synchronization of our Active Directory with Azure AD Connect. I have already migrated all of my +1500 users from Skype for Business to Teams, everything is working great. I have also configured SSO through Azure AD Connect and Exchange Hybrid Configuration. I have Exchange 2013 that I will migrate to Exchange 2019 in the next few weeks (maybe after Christmas Holidays, haha).

So now I would like to find a solution to replace my TMGs.

My imperatives are to keep on-prem Exchange servers and to keep certificate authentication for ActiveSync. Mobile phones are managed through Intune with which I push the certificates. I have Microsoft E3 licenses for all of my users. I also want to protect access to OWA and enable MFA (I've already been able to do that with Azure AD Application Proxy).

So I still have to find a solution to be able to authenticate my ActiveSync users by certificate in Azure in order to continue not to expose my Exchange servers to the Internet. Maybe this is possible with Hybrid Modern Authentication through Azure App Proxy? I can't find a correct answer to my questions...

Which solution do you think is the best to complete this job?

Thanks a LOT for your help.



3 answers

  1. Lucas Liu-MSFT 6,161 Reputation points

    Hi @Thierry Eppner ,
    I agree with what Marilee Turscak said.
    You could follow the steps in the links below to set up certificate-based authentication for Exchange ActiveSync.
    Please refer to: Azure Active Directory certificate-based authentication on Android and Azure Active Directory certificate-based authentication on iOS


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Marilee Turscak-MSFT 35,616 Reputation points Microsoft Employee

    Hi @Thierry Eppner ,

    This is the response I got from the product group:

    Azure AD Application Proxy does not support client certificate authentication, however Web Application Proxy does. Independent from this the best solution is to migrate to Exchange Online (which the Exchange/M365 Team can help with).


  3. Thierry Eppner 1 Reputation point

    Hello @MarileeTurscak,

    Thank you for your answer and for asking the product team.

    After multiple discussions with the security team, we would agree to do without certificate authentication if I can use Azure AD Application Proxy in order to benefit from Conditional Access and thus be able to block certain non-compliant devices in Intune, for example.

    Therefore, it seems that the best option for me is to use Hybrid Modern Authentication (OAuth) to identify my users in the cloud, whether they are on-prem or on EXO.

    Can you first confirm that my thinking is correct?

    To configure HMA, my on-prem Exchange servers must be accessible from the internet. Could you confirm that I can put my on-prem Exchange servers behind Azure AD Application Proxy to expose URLs (EWS, EAS, etc.) since I no longer need certificate authentication? My question mainly concerns Exchange ActiveSync.

    In order to test HMA, I use your script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16).
    At the moment, I can't seem to get a working configuration. I have tried putting the Proxy App in passthrough mode but I have no better results yet.

    However, if I test OAuth on on-prem or Online Exchange accounts, the test works successfully:

    To EXO:
    Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox user@mycompany.com -Verbose | Format-List

    To on-prem:
    Test-OAuthConnectivity -Service EWS -TargetUri https://webmail.mycompany.com/metadata/json/1 -Mailbox user@mycompany.com -Verbose | Format-List

    Again, thanks a lot for your help as this is very critical for us to have a solid solution.
    I really like the use of the backend authentication in M365 so HMA seems to really be the good solution.
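The reply above runs Test-OAuthConnectivity by hand in both directions. The following script is an added example written for this page; it is neither the thread author's code nor Microsoft's validation script linked above. It is meant to be run in the on-prem Exchange Management Shell before any endpoint is published through a proxy: it checks the organisation-level OAuth switch, the Azure AD auth server entry and the Exchange Online partner application that Hybrid Modern Authentication depends on, then repeats the two EWS connectivity tests from the thread and summarises the ResultType of each. The mailbox and the webmail hostname are placeholders to replace; the Exchange Online application id is the well-known one and is labelled as an assumption in the code.

```powershell
# Added example (not from the thread or Microsoft's script): sanity-check the
# on-prem OAuth trust that Hybrid Modern Authentication relies on, then run the
# two Test-OAuthConnectivity calls from the thread and summarise the results.
# Run in the on-prem Exchange Management Shell with an account that can read
# organisation configuration.
param(
    [string]$Mailbox   = 'user@mycompany.com',                             # placeholder
    [string]$ExoEwsUri = 'https://outlook.office365.com/ews/exchange.asmx',
    [string]$OnPremUri = 'https://webmail.mycompany.com/metadata/json/1'   # placeholder
)

# Well-known Exchange Online application id (assumption: the value published
# for the EXO partner application; verify against Get-PartnerApplication output).
$ExoAppId = '00000002-0000-0ff1-ce00-000000000000'

$findings = New-Object System.Collections.Generic.List[string]

# 1. OAuth must be enabled at the organisation level, otherwise modern auth
#    clients fall back to legacy auth (or fail) no matter what the proxy does.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    $findings.Add('OAuth2ClientProfileEnabled is False; HMA clients will not get OAuth prompts until it is enabled.')
}

# 2. On-prem Exchange only accepts cloud-issued tokens if an enabled auth server
#    of type AzureAD is registered (the entry HMA setup creates).
$aad = Get-AuthServer | Where-Object { $_.Enabled -and $_.Type -eq 'AzureAD' }
if (-not $aad) {
    $findings.Add('No enabled AuthServer of type AzureAD found; on-prem servers cannot validate Azure AD tokens.')
}

# 3. Exchange Online must be registered as an enabled partner application so
#    server-to-server OAuth calls (EWS, free/busy, etc.) are trusted.
$exoPartner = Get-PartnerApplication | Where-Object {
    $_.Enabled -and $_.ApplicationIdentifier -eq $ExoAppId
}
if (-not $exoPartner) {
    $findings.Add('No enabled partner application with the Exchange Online application id found.')
}

# 4. Repeat the two EWS tests from the thread and keep only the fields needed
#    to decide whether the token exchange worked in each direction.
function Invoke-OAuthCheck {
    param([string]$Label, [string]$TargetUri)
    $result = Test-OAuthConnectivity -Service EWS -TargetUri $TargetUri -Mailbox $Mailbox
    [pscustomobject]@{
        Check  = $Label
        Target = $TargetUri
        Result = $result.ResultType
        # Detail is multi-line; the first line is enough for a summary table.
        Detail = (($result.Detail -split "`n")[0]).Trim()
    }
}

$tests = @(
    Invoke-OAuthCheck -Label 'On-prem -> Exchange Online' -TargetUri $ExoEwsUri
    Invoke-OAuthCheck -Label 'On-prem -> On-prem'         -TargetUri $OnPremUri
)

# 5. Report: configuration findings first, then the connectivity results.
if ($findings.Count -gt 0) {
    Write-Host 'Configuration findings:' -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host "  - $_" }
} else {
    Write-Host 'OAuth configuration prerequisites look complete.' -ForegroundColor Green
}

$tests | Format-Table Check, Result, Detail -AutoSize

# Exit non-zero when anything failed, so the script can gate a change window.
$failed = @($tests | Where-Object { $_.Result -ne 'Success' }).Count + $findings.Count
exit $failed
```

The point of running this before publishing EWS or EAS through a proxy is that Hybrid Modern Authentication only protects a URL if the on-prem side already validates Azure AD tokens; a proxy in passthrough mode in front of a server whose OAuth trust is incomplete simply exposes the legacy authentication path. The script exits with the number of failed checks, so it can be wired into a change checklist, and the ResultType and Detail columns map directly onto the output of the manual Test-OAuthConnectivity calls quoted in the thread.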