Exchange 2016 and Hybrid Modern Auth (HMA)

Question

Exchange 2016 and Hybrid Modern Auth (HMA)

David Steinhart 1

Can you direct me to any official documentation from Microsoft regarding Exchange on-premises and securing access through Azure App Proxy? Specifically, I am trying to use Hybrid Modern Authentication (HMA) to secure Exchange on-premises. Much of the documentation out there states how to setup HMA but not how to expose the secure environment to end users. In my lab with Exchange 2016, I use Azure App Proxy exclusively and have port 443 completely blocked. I am able to get Outlook and Outlook Mobile to connect securely, or so it seems. The only auth method on virtual directories is OAUTH, or basic auth methods all set to $false. It is difficult to know what I should be recommending to clients when there seems to be missing pieces in the HMA guidelines/architecture. For example, here is the guide for enabling HMA: https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide. The only reference that traffic should be NAT'ed through a firewall is the listing of 2 IP ranges towards the bottom of the article. If I am using Azure App Proxy for OWA, and allowing port 443 through my firewall, what is to keep a threat actor from typing https://1.2.3.4/owa and bypassing the Azure App Proxy protection for OWA? Is there a way to split up the name spaces or put exchange services on different public IP addresses that would provide protection?

David Steinhart 1 Reputation point

2022-01-06T05:00:00.977+00:00

In my lab I have Exchange 2016 with all CU and SU. Exchange Health Checker comes back all green.
In Azure, the only Azure App Proxy's in Azure AD Auth mode are OWA and ECP. All others are pass-through mode.
I am working with multiple other techs to determine what we recommend to clients, as many want this setup now.
While I have everything working through AAP, and no port 443 is allowed through the firewall, others have not been able to replicate this.
I have heard that MS only supports AAP with OWA. Everything else has to be NAT'ed through the firewall. How do these two work together without creating security holes?
David Steinhart 1 Reputation point

2022-03-03T04:21:25.897+00:00

I have not received anything from MS except that Azure App Proxy is only supported with OWA. Without MS helping me "close the knowledge gap" on how to secure the rest of the Exchange virtual directories without opening port 443 to the world, and thus allowing threat actors to hit the public IP of Exchange server and access OWA without going through AAP, I don't see a way to make this work. The only other way of securing all of this would be to put Exchange behind an SSL VPN connection (possibly secured with Azure MFA, but then what is the point of doing HMA?) and allowing only OWA over AAP, or maybe use a wildcard/UCC cert on exchange with each virtual directory having a different namespace (autodiscover, ecp, ews, activesync, oab, owa) and use some kind of reverse proxy like HAProxy that has the ability to do Server Name Indication (SNI) and allow specific named URL traffic through but not straight IP traffic. However, this is all super complicated to setup/maintain and/or super inconvenient for end users.
David Steinhart 1 Reputation point

2022-03-03T04:27:56.74+00:00

If I were to recommend HMA to a client, it would have to be Exchange 2019 which has the ability to disable legacy auth. Without this, it is tough to say if Exchange 2013/2016 would be secure as you cannot force disable legacy auth across a server with a single, easily monitorable/query-able command. You do a security or Cumulative update on Exchange 2013/2016 and it could blow away all of your carefully implemented virtual directory security settings. I would also have to stand up the new server outside of production so I can tinker with it until everything works as my Statement of Work advertised. I would NEVER try to implement this on a production server!

Interestingly, on Exchange 2016 if you open Powershell and run "add-pssnapin exch" and run "get-authenticationpolicy" it will show you data. You can even "new-authenticationpolicy" and disable all basic auth methods. You can take this and do "set-user myuser -authenticationpolicy" and set it on the user. The only thing you cannot do is "set-organizationconfig" and make it the default across the board. You get a error "An attempt was made to modify an object to include an attribute that is not legal for its class.". I have not really tested if this does anything, but maybe MS will back-port Exchange 2019 settings to Exchange 2016?
David Steinhart 1 Reputation point

2022-03-03T04:31:35.287+00:00

And just to re-iterate, I have my entire Exchange 2016 environment behind Azure App Proxy, no port 443 allowed through my firewall to Exchange, and it works fine. This is my lab and I am the only person using it, so I have no idea how it will behave under load, but it works fine for me. I have had my onprem account loaded on my Outlook mobile for months now with no issues. Send test emails all the time. I remove and re-add my account occasionally to make sure it still fully functions.
David Steinhart 1 Reputation point

2022-05-23T00:25:26.463+00:00

Exchange 2019 can be licensed via 365 Hybrid now. I migrated to 2019 for my 365 dev environment. Immediately enabled authentication policy on 2019 to disable all legacy/basic auth protocols. I worked on setting up Hybrid Modern Authentication (HMA) again. Everything is running through Azure AD App Proxy. I am refining this process, and here are some findings.

If not using Azure AD App Proxy to limit which virtual directories can be accessed and how they can be accessed, you will need some kind of load balancer/web proxy to control this. The only exception to this is allowing the AutoDetect to access on-prem exchange through standard NAT.

Start with the official MS HMA guide: https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

If on Exchange 2016, with no default auth policy possible, I would only have OAUTH as the auth method on all externally facing virtual directories. With Exchange 2019, you do not need to worry about this as long as your default auth policy is set and all user do not have a custom auth policy set.
David Steinhart 1 Reputation point

2022-05-23T00:25:51.127+00:00

Create a Win 10 VM via your preferred hypervisor, install updates, and install Office 365 desktop client. Turn off and snapshot. Turn it on and test HMA. You will want to test it from internal and external. You should get a modern auth prompt. If you complete this, your computer will be assigned a Primary Refresh Token (PRT) and it will be difficult to try to test again. The auth log in Azure will state that you have previously satisfied MFA. I have not figured out how to clear this out yet. Revert snapshot if you want to try again.

If you get a basic auth prompt, you have some troubleshooting to do. Test the HMA config with this: https://microsoft.github.io/CSS-Exchange/Hybrid/Test-HMAEAS/

Another reason for having a separate VM for troubleshooting HMA is that it is not going to be as "noisy" as your primary laptop. Use Fiddler Classic to capture traffic between Outlook and Exchange OnPrem for more insight.

The proper configuration for Outlook Mobile is not documented via Microsoft. Run this on your ActiveSync virtual directory.
Set-ActiveSyncVirtualDirectory -Identity "ROYALE12\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $false -ExternalAuthenticationMethods oauth -InternalAuthenticationMethods oauth
David Steinhart 1 Reputation point

2022-05-23T00:26:02.24+00:00

Here is an article that I found that details a problem I was not having, but the tools within directed me to my activesync vdir auth settings. It is an excellent read regarding some history of Outlook Mobile and how you can invoke the AutoDetect service against an email address and it will tell you all kinds of things. https://c7solutions.com/2021/05/outlook-autodetect-and-broken-autodiscover
Burhan Loqueman 1 Reputation point

2022-06-10T10:53:45.947+00:00

I too am looking into this now and found your comments helpful.

What I have now is pure Exchange 2016 on prem. We do have O365 and Azure AD App proxy in place and working.

The app proxy publishes exchange OWA/ECP using Azure Authentication and Kerberos impersonation via Windows Integrated Authentication to provide the MFA/conditional access we need there.

We use split DNS so the autodiscover for internal clients can be different for external clients.

ActiveSync is on pass through authentication, with device quarantine mode setup to provide "second factor" security (i.e. must be using an approved device and password for ActiveSync).

What I want to do is leave everything in place as it is internally (autodiscover and so on, authentication methods) for my internal clients, and ONLY apply MFA to the /MAPI or /RPC folders for Outlook Anywhere and the Outlook App.

So would it be possible to setup Classic Hybrid Mode and then HMA, and only turn on OAUTH for the /MAPI and/or /RPC folders on the 'published' Exchange servers, via the app proxy, on pass through. But then simply turn of the legacy auth methods for just that folder.

I want to avoid becoming reliant on HMA for all internal clients - but I do want teams calendar sharing/meeting booking to work from the teams client.
David Steinhart 1 Reputation point

2022-08-09T18:00:36.457+00:00

Is your port 443 allowed in externally at all? If so, try to hit your IP address with "/owa" to see if you get a non-MFA login prompt (with SSL warning of course).

I see what you did with split brain DNS there. Adds complexity, but shoudl work fine. On my Azure App Proxy server, I have the local hostfile setup with the actual internal IP addresses for anything it should be able to resolve. Everything else onprem hits the public CNAME for Azure App Proxy and has to do MFA.

For your ActiveSync, look up how to implement AutoDetect. This will do only allow MFA clients in automatically. Unless I am missing something?

I do not see why enabling OAUTH on specific virtual directories would be an issue. I recommend you setup a lab and implement this and do testing. Its the only way to know for sure because MS has zero documentation on this.
David Steinhart 1 Reputation point

2023-03-07T05:58:03.02+00:00

I continue to do testing and refinements to my lab environment to this day. OWA/ECP protected with MFA/Modern Auth with Azure App Proxy and IWS/Constrained Kerberos Delegation for Seamless SSO. Other virtual directories protected with OAUTH integration with Azure. Exchange 2019 Auth Policies set to block all basic auth protocols and set as the org default onprem. Where possible, virtual directories only have OAUTH2 auth protocol enabled. Outlook Mobile for IOS/Android secured with OAUTH and open to the world, per MS recommendation. HAProxy used as load balancer/reverse web proxy to stop threat actors from hitting the raw IP of my services and bypass Azure App Proxy; this basically requires SNI to access things and I determine what URLs can be accessed. You CANNOT do HMA with Modern Hybrid Agent to do free/busy and mailbox migrations through an Azure App Proxy based services. You must setup the Classic Hybrid config, enable basic auth on EWS virtual directory, create a EWS migration endpoint user with Enterprise Admin and Recipient Manageent permissions, create an auth policy that disabled all basic auth except EWS, apply Auth Policy to new user, and lock down firewall/load balancer/reverse web proxy to only accept connections from 365 ip ranges. Download Domains will not allow inline images to load in OWA and I have not found a fix. You can go to downloaddomain.domain.com and login and everything works fine but you are not supposed to do that as it defeats the purpose of Download Domains. All security updates installed (Feb23)

Your answer

David Steinhart 1 Reputation point

2022-01-06T05:00:00.977+00:00

In my lab I have Exchange 2016 with all CU and SU. Exchange Health Checker comes back all green.
In Azure, the only Azure App Proxy's in Azure AD Auth mode are OWA and ECP. All others are pass-through mode.
I am working with multiple other techs to determine what we recommend to clients, as many want this setup now.
While I have everything working through AAP, and no port 443 is allowed through the firewall, others have not been able to replicate this.
I have heard that MS only supports AAP with OWA. Everything else has to be NAT'ed through the firewall. How do these two work together without creating security holes?
David Steinhart 1 Reputation point

2022-03-03T04:21:25.897+00:00

I have not received anything from MS except that Azure App Proxy is only supported with OWA. Without MS helping me "close the knowledge gap" on how to secure the rest of the Exchange virtual directories without opening port 443 to the world, and thus allowing threat actors to hit the public IP of Exchange server and access OWA without going through AAP, I don't see a way to make this work. The only other way of securing all of this would be to put Exchange behind an SSL VPN connection (possibly secured with Azure MFA, but then what is the point of doing HMA?) and allowing only OWA over AAP, or maybe use a wildcard/UCC cert on exchange with each virtual directory having a different namespace (autodiscover, ecp, ews, activesync, oab, owa) and use some kind of reverse proxy like HAProxy that has the ability to do Server Name Indication (SNI) and allow specific named URL traffic through but not straight IP traffic. However, this is all super complicated to setup/maintain and/or super inconvenient for end users.
David Steinhart 1 Reputation point

2022-03-03T04:27:56.74+00:00

If I were to recommend HMA to a client, it would have to be Exchange 2019 which has the ability to disable legacy auth. Without this, it is tough to say if Exchange 2013/2016 would be secure as you cannot force disable legacy auth across a server with a single, easily monitorable/query-able command. You do a security or Cumulative update on Exchange 2013/2016 and it could blow away all of your carefully implemented virtual directory security settings. I would also have to stand up the new server outside of production so I can tinker with it until everything works as my Statement of Work advertised. I would NEVER try to implement this on a production server!

Interestingly, on Exchange 2016 if you open Powershell and run "add-pssnapin exch" and run "get-authenticationpolicy" it will show you data. You can even "new-authenticationpolicy" and disable all basic auth methods. You can take this and do "set-user myuser -authenticationpolicy" and set it on the user. The only thing you cannot do is "set-organizationconfig" and make it the default across the board. You get a error "An attempt was made to modify an object to include an attribute that is not legal for its class.". I have not really tested if this does anything, but maybe MS will back-port Exchange 2019 settings to Exchange 2016?
David Steinhart 1 Reputation point

2022-03-03T04:31:35.287+00:00

And just to re-iterate, I have my entire Exchange 2016 environment behind Azure App Proxy, no port 443 allowed through my firewall to Exchange, and it works fine. This is my lab and I am the only person using it, so I have no idea how it will behave under load, but it works fine for me. I have had my onprem account loaded on my Outlook mobile for months now with no issues. Send test emails all the time. I remove and re-add my account occasionally to make sure it still fully functions.
David Steinhart 1 Reputation point

2022-05-23T00:25:26.463+00:00

Exchange 2019 can be licensed via 365 Hybrid now. I migrated to 2019 for my 365 dev environment. Immediately enabled authentication policy on 2019 to disable all legacy/basic auth protocols. I worked on setting up Hybrid Modern Authentication (HMA) again. Everything is running through Azure AD App Proxy. I am refining this process, and here are some findings.

If not using Azure AD App Proxy to limit which virtual directories can be accessed and how they can be accessed, you will need some kind of load balancer/web proxy to control this. The only exception to this is allowing the AutoDetect to access on-prem exchange through standard NAT.

Start with the official MS HMA guide: https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

If on Exchange 2016, with no default auth policy possible, I would only have OAUTH as the auth method on all externally facing virtual directories. With Exchange 2019, you do not need to worry about this as long as your default auth policy is set and all user do not have a custom auth policy set.
David Steinhart 1 Reputation point

2022-05-23T00:25:51.127+00:00

Create a Win 10 VM via your preferred hypervisor, install updates, and install Office 365 desktop client. Turn off and snapshot. Turn it on and test HMA. You will want to test it from internal and external. You should get a modern auth prompt. If you complete this, your computer will be assigned a Primary Refresh Token (PRT) and it will be difficult to try to test again. The auth log in Azure will state that you have previously satisfied MFA. I have not figured out how to clear this out yet. Revert snapshot if you want to try again.

If you get a basic auth prompt, you have some troubleshooting to do. Test the HMA config with this: https://microsoft.github.io/CSS-Exchange/Hybrid/Test-HMAEAS/

Another reason for having a separate VM for troubleshooting HMA is that it is not going to be as "noisy" as your primary laptop. Use Fiddler Classic to capture traffic between Outlook and Exchange OnPrem for more insight.

The proper configuration for Outlook Mobile is not documented via Microsoft. Run this on your ActiveSync virtual directory.
Set-ActiveSyncVirtualDirectory -Identity "ROYALE12\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $false -ExternalAuthenticationMethods oauth -InternalAuthenticationMethods oauth
David Steinhart 1 Reputation point

2022-05-23T00:26:02.24+00:00

Here is an article that I found that details a problem I was not having, but the tools within directed me to my activesync vdir auth settings. It is an excellent read regarding some history of Outlook Mobile and how you can invoke the AutoDetect service against an email address and it will tell you all kinds of things. https://c7solutions.com/2021/05/outlook-autodetect-and-broken-autodiscover
Burhan Loqueman 1 Reputation point

2022-06-10T10:53:45.947+00:00

I too am looking into this now and found your comments helpful.

What I have now is pure Exchange 2016 on prem. We do have O365 and Azure AD App proxy in place and working.

The app proxy publishes exchange OWA/ECP using Azure Authentication and Kerberos impersonation via Windows Integrated Authentication to provide the MFA/conditional access we need there.

We use split DNS so the autodiscover for internal clients can be different for external clients.

ActiveSync is on pass through authentication, with device quarantine mode setup to provide "second factor" security (i.e. must be using an approved device and password for ActiveSync).

What I want to do is leave everything in place as it is internally (autodiscover and so on, authentication methods) for my internal clients, and ONLY apply MFA to the /MAPI or /RPC folders for Outlook Anywhere and the Outlook App.

So would it be possible to setup Classic Hybrid Mode and then HMA, and only turn on OAUTH for the /MAPI and/or /RPC folders on the 'published' Exchange servers, via the app proxy, on pass through. But then simply turn of the legacy auth methods for just that folder.

I want to avoid becoming reliant on HMA for all internal clients - but I do want teams calendar sharing/meeting booking to work from the teams client.
David Steinhart 1 Reputation point

2022-08-09T18:00:36.457+00:00

Is your port 443 allowed in externally at all? If so, try to hit your IP address with "/owa" to see if you get a non-MFA login prompt (with SSL warning of course).

I see what you did with split brain DNS there. Adds complexity, but shoudl work fine. On my Azure App Proxy server, I have the local hostfile setup with the actual internal IP addresses for anything it should be able to resolve. Everything else onprem hits the public CNAME for Azure App Proxy and has to do MFA.

For your ActiveSync, look up how to implement AutoDetect. This will do only allow MFA clients in automatically. Unless I am missing something?

I do not see why enabling OAUTH on specific virtual directories would be an issue. I recommend you setup a lab and implement this and do testing. Its the only way to know for sure because MS has zero documentation on this.
David Steinhart 1 Reputation point

2023-03-07T05:58:03.02+00:00

I continue to do testing and refinements to my lab environment to this day. OWA/ECP protected with MFA/Modern Auth with Azure App Proxy and IWS/Constrained Kerberos Delegation for Seamless SSO. Other virtual directories protected with OAUTH integration with Azure. Exchange 2019 Auth Policies set to block all basic auth protocols and set as the org default onprem. Where possible, virtual directories only have OAUTH2 auth protocol enabled. Outlook Mobile for IOS/Android secured with OAUTH and open to the world, per MS recommendation. HAProxy used as load balancer/reverse web proxy to stop threat actors from hitting the raw IP of my services and bypass Azure App Proxy; this basically requires SNI to access things and I determine what URLs can be accessed. You CANNOT do HMA with Modern Hybrid Agent to do free/busy and mailbox migrations through an Azure App Proxy based services. You must setup the Classic Hybrid config, enable basic auth on EWS virtual directory, create a EWS migration endpoint user with Enterprise Admin and Recipient Manageent permissions, create an auth policy that disabled all basic auth except EWS, apply Auth Policy to new user, and lock down firewall/load balancer/reverse web proxy to only accept connections from 365 ip ranges. Download Domains will not allow inline images to load in OWA and I have not found a fix. You can go to downloaddomain.domain.com and login and everything works fine but you are not supposed to do that as it defeats the purpose of Download Domains. All security updates installed (Feb23)

Share via

Exchange 2016 and Hybrid Modern Auth (HMA)

Your answer