Business Need
Organizations using on-premise Microsoft Exchange Server need to ensure secure access to corporate emails across different client applications and devices. Traditional authentication methods, such as Basic Authentication, are vulnerable to password-based attacks. Relying only on Basic Authentication with a strong password is not enough to prevent unauthorized access to accounts and sensitive company information.
Traditional Exchange Mail Setup
Organizations have traditionally deployed Microsoft Exchange Server as an enterprise email and collaboration platform, allowing users to access their emails, calendars, and contacts across various client applications. It supports Outlook Web Access (OWA) for browser-based access, allowing users to log in via a web interface. Microsoft Outlook (Windows & Mac) connects to Exchange using MAPI over HTTP or Outlook Anywhere, providing a seamless email experience with rich features. Mobile email clients like iOS Mail, Gmail, and Outlook Mobile use Exchange ActiveSync (EAS) for real-time synchronization.
Protecting Email Access
To enhance security while accessing corporate email, Microsoft ADFS (Active Directory Federation Services) enabled with CyLock MFA (Multi-Factor Authentication) can be implemented to enforce strong authentication before granting access to corporate mail or other resources while ensuring a seamless user experience.
MFA for Exchange Server mail access is enabled through CyLock’s customized Microsoft Active Directory Federation Services (ADFS) agent which authenticates the first-factor against Active Directory Server and MFA through CyLock MFA platform.
Mail access through OWA
Modern Authentication option in Exchange Server allows users to authenticate via ADFS when accessing their on-premise mail server. If this option is enabled for a user, the Outlook client (browser or desktop) redirects to ADFS for further authentication. Users can then authenticate by providing credentials. After successful authentication of the user against Active Directory, ADFS will trigger 2FA with CyLock MFA. If 2FA is successful, it generates access tokens, which are validated by Exchange Server and enables client access to the user's mailbox.
-
User access corporate mail through Outlook Web App (OWA) via Browser.
-
User will be redirected to ADFS to enter email address and password credentials.
-
AD FS will verify the first factor authentication (FFA) against AD and if the authentication is successful, it triggers second factor authentication with CyLock MFA server.
-
Based on preferred authentication mode user can carry out second factor authentication and if it is successful, ADFS will generates access tokens.
-
After successful validation of the access tokens by Exchange Server, client is given access to the user's mailbox.
Authentication Options
On top of strong password policies, organizations can enable MFA to provide a more secure Windows logon process. MFA can provide security against cyber-attacks thereby safeguarding enterprise identity and data. The table below lists the authentication types and the security options supported during Windows logon.
Supported Mail Clients
The below table shows the mail clients for which MFA can be enabled through modern authentication:
| # | Mail Clients | OS Requirements | MFA through CyLock ADFS Agent |
|---|---|---|---|
| 1 | Outlook for Windows (Classic) - build number 16.0.17628.10000 or later | Windows 11 22H2 or later with KB5023706 update installed | Yes |
| 2 | Outlook for Windows (New) | NA | No |
| 3 | Outlook for Mac | NA | No |
| 4 | Outlook iOS | NA | No |
| 5 | Outlook Android | NA | No |
| 6 | iOS Mail app | iOS 17.6.1 or later | No |
| 7 | macOS Mail app (Apple Mail) | macOS Sonoma or later | Yes |
| 8 | Gmail app | NA | No |
| 9 | OWA/ECP | NA | Yes |
| 10 | Windows Mail app | NA | No |
| 11 | Thunderbird client | NA | No |
Benefits of enabling MFA for Exchange Mail Login
Enhanced Security: MFA adds an extra layer of security by requiring users to provide multiple forms of identification before gaining access to their accounts. This reduces the risk of unauthorized access, even if a user's password is compromised.
Protects Against Password Attacks: With the increasing number of sophisticated cyber-attacks like phishing, brute force attacks, and credential stuffing, MFA helps protect against these threats by requiring an additional verification method beyond just a password.
Compliance Requirements: Many industries and regulations require organizations to implement MFA as part of their security protocols to ensure data protection and compliance with regulatory standards such as GDPR, PCI-DSS, HIPAA.
Safeguards Sensitive Data: Organizations mail often contains sensitive and confidential information. The risk of data breaches and unauthorized disclosures is mitigated, as MFA permits access only to authorized users to such information.
CyLock MFA - Solution Pre-Requisites
Implementing CyLock Multi-Factor Authentication (MFA) for on-premies Exchange Server mail login involves certain prerequisites to ensure a smooth and secure integration. Here are the typical prerequisites for setting up the same:
-
On-Premise Active Directory
-
Active Directory Domain name
-
Active Directory Federation Services (AD FS) feature should be installed in windows server and joined to the domain
-
Microsoft Exchange Server (2019 and above)
-
Access to CyLock MFA SAAS Server for carrying out Second Factor Authentication
Summary
Multi-Factor Authentication (MFA) for Exchange Server mail access is a crucial security feature that helps protect user accounts and data by requiring additional verification steps beyond just a password. It offers enhanced security, flexibility, and ease of implementation, making it an essential component of a comprehensive security strategy for organizations using on-premise Exchange Server platform.