
Exchange Modern Authentication
Prepared by: Elie Karkafy
Introduction 3
Hybrid Modern Authentication prerequisites 4
Enable Exchange Hybrid Deployment Feature 4
Exchange Hybrid Configuration Wizard 9
Hybrid Modern Authentication Diagram 31
Advantages of Modern Authentication 32
How to configure Hybrid Modern Authentication 32
Step 1: Enable modern authentication in Exchange Online 32
Step 2: Get virtual directory URLs 33
Step 3: Get Exchange related SPNs 35
Step 4: Add on-premises web service URLs as SPNs 36
Step 5: Verify Exchange related SPNs 36
Step 6: Verify OAuth virtual directories 37
Step 7: Confirm EvoSTS auth server object is present 39
Step 8: Enable Hybrid Modern Authentication 39
Step 9: Restart Internet Information Services 39
Step 10: Outlook Registry requirements 40
Step 11: Disable basic authentication with Conditional Access 42
Verify the work 49
Risks and Roll Back Plan 50

2 Exchange Modern Authentication


Introduction
All mailboxes are in Exchange on-premises because of company policy. Now that the mailboxes are on-premises, we want the users to authenticate with modern authentication instead of the default basic authentication.

Amanda has a mailbox on-premises, and we can verify that she is connecting with basic authentication in the Outlook desktop application.

Start Outlook. Hold down the CTRL key and right-click the Outlook icon in the Windows system tray. Click Connection Status. In the Authn (authentication) column, you will see Nego* or NTLM as the authentication scheme. This means you are using basic authentication.

How do you enable Hybrid Modern Authentication (HMA) in Exchange Server on-premises? We want to secure the Exchange on-premises organization with modern authentication instead of basic authentication. This way, for example, we can use MFA for on-premises user mailboxes and not only for mailboxes in the cloud. In this document, we will learn how to configure Hybrid Modern Authentication step by step in Exchange on-premises.

Hybrid Modern Authentication prerequisites
Before you start to configure Hybrid Modern Authentication, make sure you have completed these steps:

1. Enable the Exchange Hybrid Deployment feature in Azure AD Connect
2. Run the Exchange Hybrid Configuration Wizard
3. Install the latest Cumulative Update on Exchange Server 2016

Hybrid Modern Authentication is not supported with the Hybrid Agent. You will need to use the Classic Exchange Hybrid Topology and publish the Autodiscover, EWS, ActiveSync, MAPI, and OAB endpoints for Hybrid Modern Authentication to work with the various Outlook clients.

Note: Exchange OWA (Outlook Web Access) and ECP (Exchange Control Panel) do not work with modern authentication.

Enable Exchange Hybrid Deployment Feature

Assumptions

1. AD Connect is already syncing with Azure AD
2. AD Connect was installed after Exchange was installed and the AD schema was extended as part of the Exchange installation

Enable sync of Exchange attributes to Exchange Online

As part of enabling hybrid for Exchange, you need to enable synchronization of the on-premises Exchange AD attributes to Office 365.

These are the steps to enable the sync of Exchange attributes within AD Connect:

1. Launch the AD Connect tool and click Configure
2. Click Customize synchronization options
3. Enter global Azure AD admin credentials
4. Leave these settings and click Next (confirm your Active Directory forest)
5. Leave these settings and click Next
6. On this screen, select Exchange hybrid deployment and click Next
7. Click Configure
8. Now perform a Full Import / Full Synchronization / Export to replicate the Exchange attributes to Office 365. Run the following PowerShell command to start this:
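As an added example (not the document's own command), the full cycle can be started and monitored from PowerShell on the Azure AD Connect server using the ADSync module that AD Connect installs:

```powershell
# Added example, not from the original document. Runs in an elevated PowerShell
# session on the Azure AD Connect server; the ADSync module ships with AD Connect.
Import-Module ADSync

# Do not start a second cycle while one is already running
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already in progress; waiting for it to finish first.'
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
}

# PolicyType Initial runs Full Import, Full Synchronization and Export on every connector
Start-ADSyncSyncCycle -PolicyType Initial

# Poll until the scheduler reports the cycle is done
Start-Sleep -Seconds 10
$started = Get-Date
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host ("Initial sync cycle still running ({0:N0} s elapsed)..." -f ((Get-Date) - $started).TotalSeconds)
    Start-Sleep -Seconds 30
}
Write-Host 'Initial sync cycle finished. Review the run history in Synchronization Service Manager for errors before continuing.'
```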

You should now see your on-premises Exchange mail-enabled objects in Office 365:

Log in to your Exchange Online admin center and select Recipients > Contacts.

They are represented as contacts in Exchange Online, as below. Once you migrate a mailbox to Exchange Online, it will show up under Mailboxes.

Exchange Hybrid Configuration Wizard

It is good to know that you can configure one or more Exchange Servers for hybrid. Open ports 25 and 443 on the Exchange Servers. These Exchange Servers need to be Client Access Servers (CAS). In this example, we will use Exchange Servers EX01-2016 and EX02-2016 for hybrid.

Exchange Servers up to date

Make sure that the Exchange Servers are on the latest version. Run Exchange Management Shell as administrator and run the Get-ExchangeServer cmdlet to check the Exchange Server versions. Always keep the Exchange Servers up to date.

Enable MRS proxy

We recommend that you complete this step before running the HCW, so that the IIS cache has time to clear before the HCW validates the endpoint.

Run the Get-WebServicesVirtualDirectory cmdlet to check whether MRS proxy is enabled.

If it is not enabled, enable the Mailbox Replication service (MRS) proxy on the EWS virtual directory:

[PS] C:\>Get-WebServicesVirtualDirectory -ADPropertiesOnly | Where {$_.MRSProxyEnabled -ne $true} | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true

Another way to enable MRS proxy is with the Exchange Admin Center.

Go to servers > virtual directories. Select All servers and select EWS to filter on that type. Double-click the EWS virtual directory in the list view.

Click General and select Enable MRS Proxy endpoint. Do this for both Exchange Servers.

Remove previous Hybrid Configuration Wizard version

Go to Programs and Features in Control Panel and verify that a previous Hybrid Configuration Wizard is not already installed. If it is, uninstall it.

In the next step, you will download and install the Office 365 Hybrid Configuration Wizard step by step.

Download Hybrid Configuration Wizard

You can run the Hybrid Configuration Wizard from other Windows Servers or from a workstation. We recommend signing in on an Exchange Server and installing the HCW directly on the Exchange Server.

Start Internet Explorer and paste the link https://aka.ms/HybridWizard (Microsoft). If you use other web browsers, it might not work as expected. That is why we recommend using Internet Explorer.

Install Hybrid Configuration Wizard

After you download the Hybrid Configuration Wizard setup, click Install.

The Microsoft Office 365 Hybrid Configuration Wizard installer is running.

Run Hybrid Configuration Wizard

After downloading and installing, the first screen of the wizard shows up. Click Next.

The Hybrid Configuration Wizard will detect the optimal Exchange Server. Click Next.

Change the on-premises Exchange administrator account credentials if you want. In our example, we will keep the same user that is logged in. Click Sign in and enter the Office 365 Exchange Online account. Click Next.

It will gather both accounts' information and check whether it can connect to Exchange on-premises and Exchange Online. Click Next.

Choose Full Hybrid Configuration and select the checkbox Organization Configuration Transfer.

Do you want to keep mailboxes on-premises? Choose Exchange Classic Hybrid Topology, because you want to configure Hybrid Modern Authentication in Exchange on-premises.

Note: Hybrid Modern Authentication with the Exchange Modern Hybrid Topology (Hybrid Agent) is not supported.

Exchange Online will use these credentials to connect to your on-premises Exchange Server to move mailbox data to the cloud, so the account needs some special privileges. If you enter your administrator account credentials here, it will work.

Select Configure my Client Access and Mailbox servers for secure mail transport (typical). If you have an Edge Transport server, use the second option. Click Next.

Choose both Exchange Servers for the receive connector. Click Next.

Choose both Exchange Servers for the send connector. Click Next.

Select the certificate. Click Next.

Fill in the DNS name that represents your on-premises Exchange organization for hybrid mail flow. This determines where Exchange Online Protection will connect to route email from the cloud to the on-premises organization. Click Next.

Choose Review the objects before transferring from on-premises to Exchange Online. Click Next.

Click on the objects and check what is different. Look closely and decide. We will skip these conflicts and leave them the way they are. Click Next.

Click Update and wait for the Hybrid Configuration Wizard to run.

Congratulations! The Exchange Hybrid Configuration is a success. The hybrid services are now configured between Exchange Online in the Office 365 tenant and the on-premises Exchange environment. Click Close.

Verify Hybrid Configuration Wizard installation

Go to Programs and Features and check that the new software is installed.

By default, the hybrid configuration log location is on the on-premises Mailbox server at:

You can always rerun the Hybrid Configuration Wizard whenever you make changes to the environment.

Hybrid Modern Authentication Diagram
The diagram below shows what the Hybrid Modern Authentication flow looks like after implementation.

1. A user with an on-premises mailbox starts Outlook and connects with Autodiscover to the Exchange Server. The connection is redirected to the evoSTS URL that you configured.
2. The Outlook client contacts Azure AD, and the modern authentication sign-in prompt appears. The user authenticates under the same Conditional Access policies set for the Exchange Online application (cloud app).
3. After successful authentication, the user receives an Access Token and a Refresh Token.
4. The user presents the Access Token to the Exchange Server on-premises and gets access to the mailbox.

Advantages of Modern Authentication
The advantages of configuring modern authentication in Exchange Server on-premises are:

- More secure than basic authentication (classic username and password)
- Configure policies from Azure AD (central location)
- Modern look and feel for the end-user experience

How to configure Hybrid Modern Authentication

We will go through the steps below and make sure that everything is in place before we enable Hybrid Modern Authentication for the Exchange on-premises organization.

Please look carefully every time you are going to run the cmdlets, because you need to perform the administrative tasks in two different shells:

- Exchange Management Shell (Exchange Server on-premises)
- PowerShell (Azure Active Directory PowerShell)

Step 1: Enable modern authentication in Exchange Online

To enable modern authentication in Exchange Online, follow these steps:

1. Sign in to the Microsoft 365 admin center
2. Expand Settings and click Org settings
3. Click Services in the top bar
4. Choose Modern authentication from the list
5. Check the box Turn on modern authentication for Outlook 2013 for Windows and later (recommended)
6. Click Save

Step 2: Get virtual directory URLs

Start Exchange Management Shell as administrator on your Exchange Server on-premises. Run the four cmdlets to retrieve the virtual directory URLs; the results appear in the output. Make a note of all the internal and external URLs, because you will need to add them in one of the next steps.

Step 3: Get Exchange related SPNs

Run PowerShell as administrator and connect to Azure AD. Sign in with your Microsoft 365 global administrator credentials.

Run the Get-MsolServicePrincipal cmdlet to get the Exchange related URLs in the cloud for the application 00000002-0000-0ff1-ce00-000000000000.

PS C:\> Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames

Take note of (and screenshot for later comparison) the output of this command. It should include an https://autodiscover.yourdomain.com and an https://mail.yourdomain.com URL, but it will mostly consist of SPNs that begin with 00000002-0000-0ff1-ce00-000000000000/.

Most likely, the https:// URLs from your on-premises environment (step 2) are missing. Therefore, we will need to add those specific records to this list in the next step.

Step 4: Add on-premises web service URLs as SPNs

If you do not see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB, and Autodiscover records in this list, you must add them using the commands below.

In this example, the URLs are https://mail.domain.com/ and https://autodiscover.domain.com/. Replace the URLs with your own.

PS C:\> $x = Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
PS C:\> $x.ServicePrincipalNames.Add("https://mail.domain.com/")
PS C:\> $x.ServicePrincipalNames.Add("https://autodiscover.domain.com/")
PS C:\> Set-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

Step 5: Verify Exchange related SPNs

Verify that you added the new records by running the Get-MsolServicePrincipal cmdlet again. Look through the output and compare the earlier list/screenshot against the new list of SPNs. You might also take a screenshot of the new list for your records. If you were successful, you will see the two new URLs in the list.

Going by our example, the list of SPNs will now include the specific URLs https://mail.domain.com/ and https://autodiscover.domain.com/. You will see them at the top of the list.

PS C:\> Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 | select -ExpandProperty ServicePrincipalNames
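The following script, added here as an example and not part of the original document, combines steps 2 to 5: it collects the on-premises virtual directory URLs, compares them with the SPNs on the Exchange Online service principal, and adds only the entries that are missing. It assumes it is run in Exchange Management Shell with the MSOnline module imported and Connect-MsolService already done; $Apply is an assumed switch that must be set to $true before anything is written.

```powershell
# Added example, not the document's own code. Runs in Exchange Management Shell
# on-premises with the MSOnline module imported and Connect-MsolService done.
$Apply    = $false                                   # $false = report only
$ExoAppId = '00000002-0000-0ff1-ce00-000000000000'   # Exchange Online application (from the document)

# Step 2: gather every internal and external URL Outlook might use
$urls = @()
foreach ($vd in Get-MapiVirtualDirectory -ADPropertiesOnly)        { $urls += $vd.InternalUrl, $vd.ExternalUrl }
foreach ($vd in Get-WebServicesVirtualDirectory -ADPropertiesOnly) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
foreach ($vd in Get-ActiveSyncVirtualDirectory -ADPropertiesOnly)  { $urls += $vd.InternalUrl, $vd.ExternalUrl }
foreach ($vd in Get-OabVirtualDirectory -ADPropertiesOnly)         { $urls += $vd.InternalUrl, $vd.ExternalUrl }
foreach ($cas in Get-ClientAccessService)                          { $urls += $cas.AutoDiscoverServiceInternalUri }

# The SPN list holds https://host/ entries, so reduce each URL to scheme and host
$wanted = @($urls | Where-Object { $_ } | ForEach-Object {
    $u = [Uri]$_
    if ($u.Scheme -eq 'https') { "https://$($u.Host)/" }
} | Sort-Object -Unique)

# Steps 3 and 4: read the current SPNs and work out which on-premises hosts are missing
$sp      = Get-MsolServicePrincipal -AppPrincipalId $ExoAppId
$have    = @($sp.ServicePrincipalNames)
$missing = @($wanted | Where-Object { $have -notcontains $_ })

Write-Host "On-premises URLs to cover: $($wanted -join ', ')"
if ($missing.Count -eq 0) {
    Write-Host 'Every on-premises URL is already registered as an SPN.'
} elseif (-not $Apply) {
    Write-Host "Missing SPNs (set `$Apply = `$true to add them): $($missing -join ', ')"
} else {
    foreach ($spn in $missing) { $sp.ServicePrincipalNames.Add($spn) }
    Set-MsolServicePrincipal -AppPrincipalId $ExoAppId -ServicePrincipalNames $sp.ServicePrincipalNames
    Write-Host "Added: $($missing -join ', ')"
}

# Step 5: read the list back and show only the https:// entries for comparison with the screenshot
(Get-MsolServicePrincipal -AppPrincipalId $ExoAppId).ServicePrincipalNames | Where-Object { $_ -like 'https://*' }
```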

Step 6: Verify OAuth virtual directories

Now verify that OAuth (modern authentication) is correctly enabled in Exchange on-premises on all virtual directories that Outlook might use. Run the cmdlets in Exchange Management Shell.
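The cmdlets themselves are not reproduced on this page, so the script below is an added example (not the document's own) that checks the MAPI, EWS, OAB and Autodiscover virtual directories on every server and flags any where OAuth is off. It runs in Exchange Management Shell; $Fix is an assumed switch that, when $true, turns OAuth on where it is missing, after which IIS needs a restart (step 9).

```powershell
# Added example, not from the original document. Run in Exchange Management Shell.
$Fix  = $false   # $true enables OAuth where it is missing; default only reports
$rows = @()

# MAPI/HTTP keeps its authentication methods as a list; OAuth must be one of them
foreach ($vd in Get-MapiVirtualDirectory -ADPropertiesOnly) {
    $methods = @($vd.IISAuthenticationMethods | ForEach-Object { "$_" })
    $ok = $methods -contains 'OAuth'
    if (-not $ok -and $Fix) {
        Set-MapiVirtualDirectory -Identity $vd.Identity -IISAuthenticationMethods ($methods + 'OAuth')
        $ok = $true
    }
    $rows += [pscustomobject]@{ Server = $vd.Server; Type = 'MAPI'; OAuth = $ok }
}

# EWS, OAB and Autodiscover expose a single OAuthAuthentication switch instead
$boolChecks = @(
    @{ Type = 'EWS';          Get = 'Get-WebServicesVirtualDirectory';  Set = 'Set-WebServicesVirtualDirectory' },
    @{ Type = 'OAB';          Get = 'Get-OabVirtualDirectory';          Set = 'Set-OabVirtualDirectory' },
    @{ Type = 'Autodiscover'; Get = 'Get-AutodiscoverVirtualDirectory'; Set = 'Set-AutodiscoverVirtualDirectory' }
)
foreach ($c in $boolChecks) {
    foreach ($vd in (& $c.Get -ADPropertiesOnly)) {
        $ok = [bool]$vd.OAuthAuthentication
        if (-not $ok -and $Fix) {
            & $c.Set -Identity $vd.Identity -OAuthAuthentication $true
            $ok = $true
        }
        $rows += [pscustomobject]@{ Server = $vd.Server; Type = $c.Type; OAuth = $ok }
    }
}

$rows | Sort-Object Server, Type | Format-Table -AutoSize
if ($rows | Where-Object { -not $_.OAuth }) {
    Write-Warning 'OAuth is not enabled on every virtual directory; modern authentication will fail on those paths.'
}
```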

Step 7: Confirm EvoSTS auth server object is present

Return to the on-premises Exchange Management Shell. Run the cmdlet and validate that your on-premises organization has an entry for the evoSTS (a Security Token Service used by Azure AD) authentication provider.

Get-AuthServer | where {$_.Name -like "EvoSts*"} | fl Name,DomainName,IssuerIdentifier,Realm,TokenIssuingEndpoint,Enabled,IsDefault*

Your output should show an AuthServer with a Name that starts with EvoSts, and the Enabled value should be True. If you do not see this, download and run the most recent version of the Hybrid Configuration Wizard.

Step 8: Enable Hybrid Modern Authentication

In Exchange Management Shell, run the two cmdlets to enable modern authentication on the Exchange on-premises organization.

[PS] C:\>Set-AuthServer -Identity "EvoSts - d1c9beac-0655-48e7-9949-5e497af1d38d" -DomainName "domain.com" -IsDefaultAuthorizationEndpoint $true
[PS] C:\>Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Change the identity (copy it from step 7) and the domain name to your own.

Step 9: Restart Internet Information Services

You can restart Internet Information Services (IIS) on the Exchange Servers to speed up the process.

Step 10: Outlook Registry requirements

Make sure that you are running one of the Outlook clients below that support modern authentication. Outlook 2010 is not supported and will not work. Upgrade your Outlook client to a version that supports modern authentication.

Outlook version | Modern auth support | EnableADAL reg key required | AlwaysUseMSOAuthForAutodiscover reg key required
Outlook 2010    | No                  | Not available               | Not available
Outlook 2013    | Yes                 | Yes                         | Yes
Outlook 2016    | Yes                 | No                          | Yes
Outlook 2019    | Yes                 | No                          | Yes
Outlook 365     | Yes                 | No                          | Yes

Microsoft recommends forcing Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

If you have Outlook 2013, you need to add two more DWORD values. Add a DWORD value set to 1 in each of the following registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

You also need to verify that MAPI over HTTP is enabled in the registry. Navigate to the key below and check that the DWORD is set to 0:

Key: HKEY_CURRENT_USER\Software\Microsoft\Exchange
DWORD: MapiHttpDisabled, Value: 0

To keep using basic authentication while modern authentication is on, create the key below:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\
DWORD: EnableADAL, Value: 1

Note: The registry values can be applied via GPO on the OU where the users are located.
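As an added example that is not part of the original document, the values above can be applied and checked with PowerShell for the current user (the same values a GPO registry preference would deliver). It assumes Outlook 2016/2019/365; $Outlook2013 is an assumed switch that adds the 15.0 Identity values the table requires for Outlook 2013.

```powershell
# Added example, not from the original document. Applies the Outlook registry
# values from Step 10 for the signed-in user (HKCU) and reports the result.
$Outlook2013 = $false   # $true adds the Office 15.0 Identity values required for Outlook 2013

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value of the same name
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$exchangeKey = 'HKCU:\Software\Microsoft\Exchange'
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

# Force Outlook to use modern auth (OAuth) when it runs Autodiscover
Set-RegDword -Path $exchangeKey -Name 'AlwaysUseMSOAuthForAutoDiscover' -Value 1

if ($Outlook2013) {
    Set-RegDword -Path $identityKey -Name 'EnableADAL' -Value 1
    Set-RegDword -Path $identityKey -Name 'Version'    -Value 1
}

# MAPI over HTTP must not be disabled; only warn, because a value of 1 may have been set on purpose
$mapi = (Get-ItemProperty -Path $exchangeKey -Name 'MapiHttpDisabled' -ErrorAction SilentlyContinue).MapiHttpDisabled
if ($mapi -eq 1) {
    Write-Warning 'MapiHttpDisabled is 1: Outlook will not use MAPI/HTTP. Set it to 0 before enabling modern auth.'
} elseif ($null -eq $mapi) {
    Write-Host 'MapiHttpDisabled is not set (MAPI/HTTP enabled by default).'
} else {
    Write-Host "MapiHttpDisabled is $mapi (MAPI/HTTP enabled)."
}

# Show the final state for the record
Get-ItemProperty -Path $exchangeKey | Select-Object AlwaysUseMSOAuthForAutoDiscover, MapiHttpDisabled
if ($Outlook2013) { Get-ItemProperty -Path $identityKey | Select-Object EnableADAL, Version }
```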

Step 11: Disable basic authentication with Conditional Access

Create a Conditional Access policy to block basic authentication for all users. You can also target only a selected group of users, but we recommend disabling basic authentication for all users.

Browse to Azure Active Directory > Security > Conditional Access. Click New policy.

Give it the name Block Basic Authentication to Exchange Online.

Click Users and groups, then Include. Select All users, or select only a specific group of users.

Click Select apps, then Include. Select Exchange Online.

Click Conditions, then Client apps. Click Yes. Select Exchange ActiveSync clients and Other clients.

Click Grant. Select Block access. Click Select.

Click the On switch to enable the policy. Select I understand that my account will be impacted by this policy. Proceed anyway. Click Create.

The policy shows up in the Conditional Access policies list.
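As an added example, not part of the original document, here is the same policy created with the Microsoft Graph PowerShell SDK instead of the portal; it assumes the Microsoft.Graph module is installed and that the signed-in account is allowed to manage Conditional Access.

```powershell
# Added example, not from the original document. Creates the Step 11 policy
# through Microsoft Graph PowerShell. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$exoAppId   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online (from the document)
$policyName = 'Block Basic Authentication to Exchange Online'

$policy = @{
    displayName = $policyName
    # 'enabledForReportingButNotEnforced' would let you review sign-in impact first
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($exoAppId) }
        # Basic-auth protocols surface as Exchange ActiveSync or "other" client apps
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Idempotent: do not create a duplicate if a policy with this name already exists
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if ($existing) {
    Write-Host "Policy already exists with id $($existing.Id); no change made."
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id), state $($created.State))."
}
```

A policy scoped to All users also applies to the administrator creating it, so add a break-glass account under conditions.users.excludeUsers before enabling it, or start with the report-only state and review the sign-in logs first.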

Verify the work

Once you enable Hybrid Modern Authentication, a client's next login will use the new auth flow. Note that just turning on Hybrid Modern Authentication will not trigger a reauthentication for any client, and it might take a while for Exchange to pick up the new settings. That is why an iisreset on the Exchange Server(s) in the previous step speeds it up.

Hold down the CTRL key and right-click the Outlook icon in the Windows system tray. Click Connection Status. Look for the client's SMTP address against an Authn type of Bearer*, representing the bearer token used in OAuth.

You have successfully configured Hybrid Modern Authentication in the Exchange on-premises organization.

Risks and Roll Back Plan

Risks

When you enable modern authentication, you allow its use. It does not mean that basic authentication stops working; your existing basic authentication clients will continue to work.

From there, you can start to identify the basic authentication clients and move them to modern authentication.

Roll Back Plan

- Disable modern authentication on all virtual directories from ECP
- Remove the Auth Server created in step 8
- Set the organization config for modern authentication to false (step 8)

Set-AuthServer -Identity evoSTS -IsDefaultAuthorizationEndpoint $false
