Thank you for your answer and for asking the product team.
After multiple discussions with the security team, we would agree to do without certificate authentication if I can use Azure AD Application Proxy in order to benefit from Conditional Access and thus be able to block certain non-compliant devices in Intune, for example.
Therefore, it seems that the best option for me is to use Hybrid Modern Authentication (OAuth) to identify my users in the cloud, whether they are on-prem or on EXO.
Can you first confirm that my thinking is correct?
To configure HMA, my on-prem Exchange servers must be accessible from the internet. Could you confirm that I can put my on-prem Exchange servers behind Azure AD Application Proxy to expose the URLs (EWS, EAS, etc.), since I no longer need certificate authentication? My question mainly concerns Exchange ActiveSync.
In order to test HMA, I use your script (https://gallery.technet.microsoft.com/office/Validating-Hybrid-Modern-ad4c2b16).
At the moment, I can't seem to get a working configuration. I have tried putting the App Proxy in passthrough mode, but I have no better results yet.
However, if I test OAuth on on-prem or Online Exchange accounts, the test works successfully:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox email@example.com -Verbose | Format-List
Test-OAuthConnectivity -Service EWS -TargetUri https://webmail.mycompany.com/metadata/json/1 -Mailbox firstname.lastname@example.org -Verbose | Format-List
Again, thanks a lot for your help as this is very critical for us to have a solid solution.
I really like the use of the backend authentication in M365 so HMA seems to really be the good solution.
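The two Test-OAuthConnectivity calls in the post only exercise the final step. As an added example (not code from the original thread or from the linked validation script), the following Exchange Management Shell snippet first lists the on-prem prerequisites that HMA depends on, then runs the same two connectivity tests. The hostnames and the mailbox address are placeholders, and the filter on the auth server name assumes the object was created with the usual name "EvoSTS".

```powershell
# Added example, not part of the original thread. Run from the on-prem Exchange Management Shell.
# All hostnames and the mailbox below are placeholders; replace them with your own values.
$OnlineEwsUri = 'https://outlook.office365.com/ews/exchange.asmx'
$OnPremEwsUri = 'https://webmail.mycompany.com/ews/exchange.asmx'   # placeholder
$TestMailbox  = 'user@example.com'                                  # placeholder

# 1. OAuth must be enabled at the organization level for HMA to work at all.
$org = Get-OrganizationConfig
"OAuth2ClientProfileEnabled: $($org.OAuth2ClientProfileEnabled)"

# 2. The Azure AD (evoSTS) auth server must exist, be enabled and be the default
#    authorization endpoint; otherwise clients are never redirected to Azure AD.
Get-AuthServer | Where-Object { $_.Type -eq 'AzureAD' -or $_.Name -like '*EvoSTS*' } |
    Format-Table Name, Type, Enabled, IsDefaultAuthorizationEndpoint, IssuerIdentifier -AutoSize

# 3. Every client-facing virtual directory must accept OAuth, on every CAS.
#    -ADPropertiesOnly reads AD instead of querying each IIS instance, which is faster.
Get-WebServicesVirtualDirectory -ADPropertiesOnly | Format-Table Server, OAuthAuthentication -AutoSize
Get-AutodiscoverVirtualDirectory -ADPropertiesOnly | Format-Table Server, OAuthAuthentication -AutoSize
Get-OabVirtualDirectory          -ADPropertiesOnly | Format-Table Server, OAuthAuthentication -AutoSize
Get-MapiVirtualDirectory         -ADPropertiesOnly | Format-Table Server, IISAuthenticationMethods -AutoSize

# 4. Only then run the end-to-end OAuth tests from the post, against both sides.
Test-OAuthConnectivity -Service EWS -TargetUri $OnlineEwsUri -Mailbox $TestMailbox -Verbose | Format-List
Test-OAuthConnectivity -Service EWS -TargetUri $OnPremEwsUri -Mailbox $TestMailbox -Verbose | Format-List
```

Note that Test-OAuthConnectivity accepts only EWS, AutoD and Generic for -Service, so it cannot exercise an ActiveSync endpoint directly; a passing EWS test shows the OAuth trust works, while the EAS path still has to be checked with a real client.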
Hello @Lucas Liu-MSFT and @MarileeTurscak,
Thank you for your answers.
If I understand correctly, knowing that this configuration is only supported in federated environments, I have to create an AD FS farm and change my authentication method in Azure AD Connect to switch from "Password Hash Synchronization" to "Federation with AD FS"?
It will therefore look like this architecture.
Then Azure AD App Proxy is useless? Or can I replace Web Application Proxy with Azure AD App Proxy to publish AD FS?
Thank you again