This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 16%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Hello Microsoft,
We are looking to publish our ActiveSync from on-premises Exchange using the Azure AD Application Proxy. Our goal is to enable MFA and use conditional access policies onto ActiveSync.
Is this type of setup supported now? I've seen some older posts indicating that it was not supported by the Exchange team, I was wondering what is the consensus now.
Thanks
From what I understand, you can use Pass through auth to do this:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq
I would also look at HMA:
Exchange ActiveSync clients (e.g., iOS11 Mail)
Exchange ActiveSync
For Exchange ActiveSync clients that support modern authentication, you must recreate the profile in order to switch from basic authentication to modern authentication.
Hi AndyDavid,
We currently have Azure AD Premium P2 licenses only. The Pass through auth is free.
As for the HMA, that will only work if we have a 365 subscription that includes Exchange Online. Is that correct?
Thanks for the links!
yes, a 365 subscription is used for the hybrid piece. Just throwing it out there as an option :)
Got it.
Thanks AndyDavid!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPO%3C/text%3E%3C/svg%3E)
Do you know if HMA works when ActiveSync is published through azure ad app proxy?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 46%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERE%3C/text%3E%3C/svg%3E)
@Nelson Ma Did you manage to achieve your goal with Pass Through or HMA?
I have exactly this challenge, however the end user device is iOS and the mailbox is to be accessed through the native mail app (Basic Auth). How do I present EAS auto discovery url externally through App Proxy?
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 51%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECA%3C/text%3E%3C/svg%3E)
Anyone ever figure this out? I have an onprem exchange server working fine for OWA through azure app proxy. However, I want to fully remove access from the outside to my exchange server except through the app proxy but activesync and outlook anywhere break.