Overview

This post covers MFA integration options for Exchange 2016 OWA for both internal and external requests. It focuses on Microsoft's own MFA solutions and does not cover any third-party MFA products for Microsoft Outlook Web Access (OWA).

Azure Multi-Factor Authentication

There are two versions of Azure Multi-Factor Authentication (MFA). Microsoft offers a purely cloud-based MFA solution and an on-premises MFA solution, Azure Multi-Factor Authentication Server. The two versions offer different sets of features and are typically used to cover different deployment scenarios:

What are you trying to secure (compared for MFA in the cloud and MFA Server):

  • First-party Microsoft cloud-based apps
  • SaaS apps in the Azure app gallery
  • Web applications published through Azure AD App Proxy
  • On-premises IIS applications (OWA)
  • Remote access such as VPN and RDG

Each MFA solution also offers different features which align with distinct deployment scenarios. The table below compares the features available with MFA in the cloud and with MFA Server.

Feature | MFA in Cloud | MFA Server
Phone call as second factor | X | X
Mobile app used for second factor | X | X
One-way SMS as second factor | X | X
Two-way SMS as second factor | |
Hardware token as second factor | | X
App passwords for O365 clients that don't support MFA | X |
PIN mode | | X
Use a backup phone | | X
One-time bypass | | X
Block user | | X
Requires additional license | X | X
Requires additional hardware | | X
Hybrid Exchange | X |
AD accounts in Azure AD | X |
Windows Server AD accounts | | X

  1. Azure MFA Server

    Azure MFA Server provides a robust MFA experience for on-premises services. With an Azure MFA Server installed on premises, users can use the Azure AD MFA verification methods when authenticating to Exchange 2016 OWA.

    This section covers the difference between the versions offered to administrators and the full Azure MFA version and specifies which features are available in each.

    Version | Description
    Multi-Factor Authentication for Office 365 | This version works exclusively with Office 365 applications and is managed from the Office 365 portal. Administrators can secure Office 365 resources with two-step verification. This version is part of an Office 365 subscription.
    Multi-Factor Authentication for Azure Administrators | Global administrators of Azure tenants can enable two-step verification for their global admin accounts at no additional cost.
    Azure Multi-Factor Authentication | Often referred to as the "full" version, Azure Multi-Factor Authentication offers the richest set of capabilities. It provides additional configuration options via the Azure classic portal, advanced reporting, and support for a range of on-premises and cloud applications. Azure Multi-Factor Authentication is included in Azure Active Directory Premium (P1 and P2 plans) and Enterprise Mobility + Security (E3 and E5 plans), and can be deployed either in the cloud or on premises.

    Feature Comparison of Versions

    The following features are compared across the three versions of Azure Multi-Factor Authentication (Multi-Factor Authentication for Office 365, Multi-Factor Authentication for Azure Administrators, and Azure Multi-Factor Authentication):

    • Protect admin accounts with MFA (Global Administrator accounts only in the Azure Administrators version)
    • Mobile app as a second factor
    • Phone call as a second factor
    • SMS as a second factor
    • App passwords for clients that don't support MFA
    • Admin control over verification methods
    • PIN mode
    • Fraud alert
    • MFA reports
    • One-time bypass
    • Custom greetings for phone calls
    • Custom caller ID for phone calls
    • Trusted IPs
    • Remember MFA for trusted devices
    • MFA SDK (requires a Multi-Factor Auth Provider and a full Azure subscription)
    • MFA for on-premises applications

    Azure MFA Providers are Azure resources that are billed against your Enterprise Agreement or Azure monetary commitment, like all other Azure resources. These providers can only be created in full Azure subscriptions, not in limited Azure subscriptions that have a $0 spending limit. Limited subscriptions are created when you activate licenses, as with the first two versions in the table above.

    When using an Azure Multi-Factor Authentication Provider, there are two usage models available that are billed through your Azure subscription:

    1. Per User – For enterprises that want to enable two-step verification for a fixed number of employees who regularly need authentication. Per-user billing is based on the number of users enabled for MFA in your Azure AD tenant and/or your Azure MFA Server. If users are enabled for MFA in both Azure AD and Azure MFA Server, and domain sync (Azure AD Connect) is enabled, then the larger set of users is counted. If domain sync isn't enabled, then the sum of all users enabled for MFA in Azure AD and Azure MFA Server is counted. Billing is prorated and reported to the Commerce system daily.
       Note – Billing example 1: You have 5,000 users enabled for MFA today. The MFA system divides that number by 31, and reports 161.29 users for that day. Tomorrow you enable 15 more users, so the MFA system reports 161.77 users for that day. By the end of the billing cycle, the total number of users billed against your Azure subscription adds up to around 5,000.
       Note – Billing example 2: You have a mixture of users with licenses and users without, so you have a per-user Azure MFA Provider to make up the difference. There are 4,500 Enterprise Mobility + Security licenses on your tenant, but 5,000 users enabled for MFA. Your Azure subscription is billed for 500 users, prorated and reported daily as 16.13 users.
    2. Per Authentication – For enterprises that want to enable two-step verification for a large group of users who infrequently need authentication. Billing is based on the number of two-step verification requests received by the Azure MFA cloud service, regardless of whether those verifications succeed or are denied. This billing appears on your Azure usage statement in packs of 10 authentications, and is reported to the Commerce system daily.
       Note – Billing example 3: Today, the Azure MFA service received 3,105 two-step verification requests. Your Azure subscription is billed for 310.5 authentication packs.

    It’s important to note that you can have Azure MFA licenses, but still get billed for consumption-based configuration. If you set up a per-authentication Azure MFA Provider, you are billed for every two-step verification request, even those done by users who have licenses. If you set up a per-user Azure MFA Provider on a domain that isn’t linked to your Azure AD tenant, you are billed per enabled user even if your users have licenses on Azure AD.
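    The two usage models above, worked through as an added example (this is not code from the original post). The 31-day proration, the packs of 10 and the licence and unlinked-domain rules come from the text; the function and parameter names are my own.

```powershell
# Added example: models the per-user and per-authentication billing rules for an
# Azure MFA Provider as described in the text. Function names are assumptions.

function Get-PerUserDailyBilling {
    param(
        [int]$AzureAdEnabledUsers,           # users enabled for MFA in Azure AD
        [int]$MfaServerEnabledUsers,         # users enabled for MFA in Azure MFA Server
        [bool]$DirectorySyncEnabled,         # Azure AD Connect syncing the domain
        [int]$LicensedUsers = 0,             # EMS / Azure AD Premium licences on the tenant
        [bool]$ProviderLinkedToTenant = $true
    )
    # With sync, one person is not counted twice: the larger set wins.
    # Without sync, the two populations are treated as distinct and summed.
    $enabled = if ($DirectorySyncEnabled) {
        [Math]::Max($AzureAdEnabledUsers, $MfaServerEnabledUsers)
    } else {
        $AzureAdEnabledUsers + $MfaServerEnabledUsers
    }
    # Licences only offset the bill when the Provider sits on a domain linked to
    # the tenant; otherwise every enabled user is billed regardless of licences.
    $billable = if ($ProviderLinkedToTenant) {
        [Math]::Max(0, $enabled - $LicensedUsers)
    } else {
        $enabled
    }
    [pscustomobject]@{
        EnabledUsers  = $enabled
        BillableUsers = $billable
        ReportedToday = [Math]::Round($billable / 31, 2)   # prorated daily figure
    }
}

function Get-PerAuthenticationBilling {
    param([int]$VerificationRequests)   # succeeded and denied requests both count
    # Reported in packs of 10 authentications, licensed users included.
    [pscustomobject]@{
        Requests = $VerificationRequests
        Packs    = $VerificationRequests / 10
    }
}

# Billing examples 1 to 3 from the text, plus the unlinked-domain case.
Get-PerUserDailyBilling -AzureAdEnabledUsers 5000 -MfaServerEnabledUsers 0 -DirectorySyncEnabled $true
Get-PerUserDailyBilling -AzureAdEnabledUsers 5015 -MfaServerEnabledUsers 0 -DirectorySyncEnabled $true
Get-PerUserDailyBilling -AzureAdEnabledUsers 5000 -MfaServerEnabledUsers 0 -DirectorySyncEnabled $true -LicensedUsers 4500
Get-PerUserDailyBilling -AzureAdEnabledUsers 0 -MfaServerEnabledUsers 5000 -DirectorySyncEnabled $false -LicensedUsers 4500 -ProviderLinkedToTenant $false
Get-PerAuthenticationBilling -VerificationRequests 3105
```

    Summing ReportedToday over a 31-day cycle returns the full enabled-user count, which is the "adds up to around 5,000" behaviour the text describes.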

    To get the Azure MFA solution deployed within your organization, several requirements must be in place:

  • Users' phone numbers must be populated within Active Directory
  • Dedicated Windows Server 2012 R2 server for Azure MFA
  • Office 365 licenses
    • EMS (with E3 – $8.75 / with E5 – $15)
    • Azure Premium ($6)
    • Azure Basic \ Microsoft Multi-Factor Authentication ($1 \ $1.40)

OWA Authentication Design Solution

End users are prompted for forms-based authentication, which in turn authenticates them against Active Directory. As part of the authentication process, the end user is also challenged by the Azure MFA Server for the second authentication factor. Once the validation is approved, the user can access their mailbox via OWA.
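A readiness check for the first requirement above, added here as an example and not part of the original post: before the MFA Server challenge can reach a user by call or SMS, that user needs a phone number in Active Directory. It assumes the RSAT ActiveDirectory module, an OU name that is constructed for the example, that MFA Server imports telephoneNumber as the primary number and mobile as the backup (the imported attributes are configurable), and that numbers are stored in E.164 form with a country code.

```powershell
# Added example: reports which OWA users are not ready for an Azure MFA Server
# rollout because AD holds no usable phone number for them. Attribute choice,
# the E.164 rule and the OU below are assumptions, not from the original post.
Import-Module ActiveDirectory

function Test-MfaPhoneReadiness {
    param(
        [string]$SearchBase,                                        # OU or domain DN holding the OWA users
        [string]$Filter = 'Enabled -eq $true -and mail -like "*"'   # enabled accounts with a mailbox
    )
    # Voice calls and SMS need a country code, so anything not +<digits> is flagged.
    $e164 = '^\+[1-9]\d{6,14}$'

    Get-ADUser -SearchBase $SearchBase -Filter $Filter -Properties telephoneNumber, mobile |
        ForEach-Object {
            # Strip the separators people type so that "+44 (0)20-7946 0958" style values compare cleanly.
            $primary = $_.telephoneNumber -replace '[\s\-\(\)\.]', ''
            $backup  = $_.mobile          -replace '[\s\-\(\)\.]', ''
            $status  = if (-not $primary -and -not $backup) { 'NoPhone' }
                       elseif (-not $primary)               { 'BackupOnly' }
                       elseif ($primary -notmatch $e164)    { 'BadFormat' }
                       else                                 { 'Ready' }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Primary        = $primary
                Backup         = $backup
                Status         = $status
            }
        }
}

# Summarise by status, then export the accounts that need fixing before go-live.
$report = Test-MfaPhoneReadiness -SearchBase 'OU=Staff,DC=example,DC=com'   # constructed OU
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'Ready' | Export-Csv -NoTypeInformation .\mfa-phone-gaps.csv
```

Run it against the OU whose users will be enrolled; anything other than Ready will fail or fall back at the second-factor step once MFA is enforced on OWA.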