Set up Active Directory Federation Services (ADFS)Ĭustomers need to install and configure ADFS in the environment to allow Exchange clients to use Forms authentication (OAuth) to connect to Exchange Server. The following steps to configure Modern auth using ADFS are applicable only for non-Exchange Hybrid (pure on-premises) customers. Hybrid customers using HMA can leave the values of the BlockModernAuth* parameters at 0 to continue using HMA. No new authentication policy required for Exchange Hybrid customersĮxisting Exchange Hybrid customers should use Hybrid Modern Auth. This means that customers using HMA don't need to change their pre-existing auth policies. Running /PrepareAD with Setup is required to add several new authentication policy parameters to Exchange Server.Īfter installing CU13, any pre-existing auth policies (including the default authentication policy) will have the above parameters disabled. Blocking Modern auth is used to ensure clients that don’t support Modern auth can still connect. You may also need Web Application Proxy Server (on Windows Server 2019 or later) to enable client access from outside corporate network.Ĭonfiguring Modern auth is supported only on Exchange Server 2019 CU13 and later.Įxchange 2019 CU13 adds support for new authentication policies to allow or block Modern auth at user level. To enable Modern auth in an on-premises Exchange environment, Active Directory Federation Services (ADFS) on Windows Server 2019 or later is required. To use Modern auth, all servers used for client connections must have Exchange Server 2019 CU13 installed. Prerequisites to enable Modern Authentication in Exchange Exchange Server 2019 CU13 or later Refer to the guidance on using new auth policies. HMA using Azure AD is the preferred solution. Only Exchange 2019 servers can be used as Front-End (Client Access) Servers. On-premises Exchange organization with mix of Exchange Server 2019 and Exchange Server 2016 On-premises Exchange organization with mix of Exchange Server 2019, Exchange Server 2016, and Exchange Server 2013 On-premises Exchange organization with only Exchange Server 2019 Refer to the following table to evaluate if this feature is applicable for you. Steps 3b, 4b occur when Modern auth is disabled for a user. In the above chart, steps 3a, 4a, 5a and 6a take place when Modern auth is enabled for the end user. The following diagram illustrates the coordination between Exchange Server, ADFS and Outlook to authenticate a user using Modern auth. These access tokens are validated by Exchange Server to provide client access to the user’s mailbox. Once ADFS authenticates a user, it generates access tokens. Users can then authenticate by providing credentials or performing multi-factor authentication. When Modern auth is enabled for a user, their Outlook client is redirected to ADFS. With Modern auth, users can authenticate to Exchange using ADFS. How will Modern Authentication work and is this feature applicable to me? This new feature allows Modern auth use by customers who don’t have Azure AD or aren't in an Exchange Hybrid configuration. In fact, HMA is still the only recommended method to enable Modern auth for all on-premises and cloud users in an Exchange Hybrid configuration. Modern auth in Exchange Server 2019 shouldn't be confused with Hybrid Modern Authentication, which uses Azure AD for modern authentication. Initially, this feature is available only for Outlook on Windows, but support for modern auth will be added to other Outlook clients in the future. To use modern auth, users need clients (Outlook or any other native OS clients) that support Modern auth using ADFS. This document provides the prerequisites and steps to enable this feature. With the release of Exchange Server 2019 CU13, Exchange Server supports OAuth 2.0 (also known as Modern authentication) for pure on-premises environments using ADFS as a security token service (STS).
0 Comments
Leave a Reply. |