

MFA on premises Exchange 2016

Question

Friday, June 2, 2017 11:35 AM

Hi, I see a lot of stuff on here relating to older versions of Exchange, so apologies if this has been covered.

I have my licensing sorted through the Office 365 centre, where I can allocate licenses to our staff. I've tested with my admin access to the admin site and it works fine.

I want to enable MFA on my on-premises EX2016 server, so I've installed the server on the same box as Exchange (is this right?).

I'm wary of installing the Client portal as I've read about some issues with it messing with the OWA IIS settings. I've followed these instructions, but they are for 2013:

http://www.sureskillz.com/2014/03/02/configuring-azure-multifactor-authentication-with-exchange-2013-sp1/

Is there anything I should know about 2016 which differs?

Finally (sorry), will the settings on the server replicate to the cloud, or are they separate? I'm running a hybrid system with mailboxes in both.

Many thanks for any replies

All replies (4)

Monday, June 5, 2017 4:43 PM ✅Answered

Regarding the article you link to, you don't necessarily need to create an Azure MFA Provider. That is one of the options, but the other options are to purchase standalone MFA licenses or to purchase Azure AD Premium or EMS. The options are described at /en-us/azure/multi-factor-authentication/multi-factor-authentication-versions-plans#how-to-get-azure-multi-factor-authentication-1

Also, the article explains how to configure MFA Server to use IIS authentication. However, while that option will work, it isn't preferred or recommended. Here are all of the options to secure OWA on-premises.

1. Publish OWA using Azure AD App Proxy (/en-us/azure/active-directory/active-directory-application-proxy-publish). This allows you to either use cloud-based MFA with Azure AD (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-cloud/) or to use MFA Server with ADFS (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-adfs-w2k12/). Using Azure AD App Proxy requires Azure AD Basic or Azure AD Premium.

2. Configure OWA for claims-based auth to ADFS. Use MFA Server to secure ADFS. This requires Exchange 2013 or higher.

3. Use MFA Server’s IIS authentication on the OWA server to secure OWA (https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-iis/). We have customers securing OWA with Azure MFA Server in this way, but please note that this option is not recommended by the Exchange team and from their perspective is unsupported. Also, this feature of MFA Server is planned for deprecation in the near future.

4. If using a reverse proxy such as F5 in front of OWA that can pre-authenticate via RADIUS or LDAP, you can point the RADIUS at MFA Server (/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius) or at NPS for cloud-based MFA (/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension). You can also use LDAP (/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-ldap) authentication to MFA Server.
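
Option 2 above (OWA claims-based auth to AD FS, with MFA enforced at AD FS) is the one the thread ends up leaning towards, so here is an added worked example of what that wiring looks like in PowerShell. This is not code from the thread or from Microsoft's articles; it is an editor's illustration. Every hostname (adfs.example.com, mail.example.com), the server name EX2016 and the certificate thumbprint are placeholder assumptions, and the first half runs in the Exchange Management Shell while the second half runs on the AD FS server. The MFA Server AD FS adapter itself is registered as per the linked ADFS article; the rule below only tells AD FS that this relying party must satisfy a multi-factor method.

```powershell
# Added example: Exchange 2016 OWA/ECP -> AD FS claims auth, MFA required at AD FS.
# All names, URLs and the thumbprint below are assumed placeholders.
$AdfsIssuer = "https://adfs.example.com/adfs/ls/"              # assumed AD FS endpoint
$OwaUrl     = "https://mail.example.com/owa/"                   # assumed OWA URL
$EcpUrl     = "https://mail.example.com/ecp/"                   # assumed ECP URL
$AdfsSigningThumbprint = "<AD FS token-signing certificate thumbprint>"  # placeholder
$ExchangeServer = "EX2016"                                      # assumed server name

# ---- Part 1: Exchange 2016 server (Exchange Management Shell) ----

# Tell Exchange which AD FS instance issues tokens, which audience URIs it should
# accept, and which certificate signs those tokens.
Set-OrganizationConfig -AdfsIssuer $AdfsIssuer `
    -AdfsAudienceUris $OwaUrl, $EcpUrl `
    -AdfsSignCertificateThumbprint $AdfsSigningThumbprint

# Switch the OWA and ECP virtual directories to AD FS authentication ONLY.
# If Forms/Basic/Windows auth stayed enabled, a client could still log in
# straight against Exchange and never pass through AD FS (and so never see MFA).
Get-OwaVirtualDirectory -Server $ExchangeServer | Set-OwaVirtualDirectory `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
Get-EcpVirtualDirectory -Server $ExchangeServer | Set-EcpVirtualDirectory `
    -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false `
    -FormsAuthentication $false -WindowsAuthentication $false

# Check: only AdfsAuthentication should report True for both virtual directories.
Get-OwaVirtualDirectory -Server $ExchangeServer | Format-List Identity, *Authentication*
Get-EcpVirtualDirectory -Server $ExchangeServer | Format-List Identity, *Authentication*

# IIS must be restarted for the auth change to take effect on the server.
# iisreset /noforce

# ---- Part 2: AD FS server (run with the ADFS PowerShell module loaded) ----

# Exchange expects the user's UPN and primary SID as claims. This transform rule
# looks both up in Active Directory from the authenticated Windows account name.
$TransformRules = @'
@RuleName = "Send UPN and primary SID to Exchange"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"),
          query = ";userPrincipalName,objectSID;{0}", param = c.Value);
'@

# Let every authenticated user through to this relying party (MFA is enforced separately).
$AuthorizationRules = @'
@RuleName = "Permit all authenticated users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Require a multi-factor authentication method for everyone using this relying party.
# The registered MFA Server adapter is what satisfies the "multipleauthn" method.
$MfaRule = @'
@RuleName = "Require MFA for Outlook on the web"
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Add-AdfsRelyingPartyTrust -Name "Outlook on the web" `
    -Identifier $OwaUrl, $EcpUrl `
    -WSFedEndpoint $OwaUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -AdditionalAuthenticationRules $MfaRule

# Check: the trust exists and carries the MFA rule.
Get-AdfsRelyingPartyTrust -Name "Outlook on the web" |
    Format-List Name, Identifier, WSFedEndpoint, AdditionalAuthenticationRules
```

To confirm the change from a client, browse to the OWA URL from a machine with no cached session: the browser should be redirected to the AD FS sign-in page and then prompted for the second factor before landing in the mailbox. If it lands on the classic Exchange forms page instead, one of the non-AD FS authentication methods is still enabled on the virtual directory. Keep the two Format-List checks in the change record, since the "only AD FS is on" state is what actually makes the MFA mandatory.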


Tuesday, June 6, 2017 4:22 PM ✅Answered

Yes, you can use either MFA Server or our new NPS extension (which uses cloud-based MFA) to secure RD Gateway via RADIUS. Documentation on using the NPS extension is at /en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension.


Monday, June 5, 2017 9:22 PM

Thanks for the reply, very helpful info.

I'd like to use MFA for securing my RDweb server too which is on the same network.

I would like to use the Azure AD Proxy if possible with both of them, is this possible?


Thursday, June 15, 2017 3:00 PM

We can't afford the Azure Premium licenses at present, so number 1 is out; number 3 isn't recommended, so I don't want to waste time on that. I haven't got a price for AAD Basic yet, but the MFA license cost was minimal, so I was okay with that.

I was hoping I wouldn't have to install loads of stuff to get this working, but ADFS sounds like the way to go.

Would I need to install ADFS on a new server or can it sit happily on a DC?