Enable Modern Auth in Exchange Server on-premises (2023)

  • Article


With the release of Exchange Server 2019 CU13, Exchange Server supports OAuth 2.0 (also known as Modern authentication) for pure on-premises environments using ADFS as a security token service (STS). This document provides the prerequisites and steps to enable this feature.

To use modern auth, users need clients (Outlook or any other native OS clients) that support Modern auth using ADFS. Initially, this feature is available only for Outlook on Windows, but support for modern auth will be added to other Outlook clients in the future.

Modern auth in Exchange Server 2019 shouldn't be confused with Hybrid Modern Authentication, which uses Azure AD for modern authentication. In fact, HMA is still the only recommended method to enable Modern auth for all on-premises and cloud users in an Exchange Hybrid configuration. This new feature allows Modern auth use by customers who don’t have Azure AD or aren't in an Exchange Hybrid configuration.

How will Modern Authentication work and is this feature applicable to me?

With Modern auth, users can authenticate to Exchange using ADFS. When Modern auth is enabled for a user, their Outlook client is redirected to ADFS. Users can then authenticate by providing credentials or performing multi-factor authentication. Once ADFS authenticates a user, it generates access tokens. These access tokens are validated by Exchange Server to provide client access to the user’s mailbox.

The following diagram illustrates the coordination between Exchange Server, ADFS and Outlook to authenticate a user using Modern auth.

In the above chart, steps 3a, 4a, 5a and 6a take place when Modern auth is enabled for the end user. Steps 3b, 4b occur when Modern auth is disabled for a user.

Refer to the following table to evaluate if this feature is applicable for you.

Exchange ConfigurationIs this feature applicable?Remarks
On-premises Exchange organization with only Exchange Server 2019YesN/A
On-premises Exchange organization with mix of Exchange Server 2019, Exchange Server 2016, and Exchange Server 2013NoExchange Server 2013 is out of support.
On-premises Exchange organization with mix of Exchange Server 2019 and Exchange Server 2016YesOnly Exchange 2019 servers can be used as Front-End (Client Access) Servers.
Exchange Hybrid organization using HMANoHMA using Azure AD is the preferred solution. Refer to the guidance on using new auth policies.
Exchange Hybrid organization without HMANoUse HMA with Azure AD.

Prerequisites to enable Modern Authentication in Exchange

Exchange Server 2019 CU13 or later

To use Modern auth, all servers used for client connections must have Exchange Server 2019 CU13 installed.

ADFS 2019 or later

To enable Modern auth in an on-premises Exchange environment, Active Directory Federation Services (ADFS) on Windows Server 2019 or later is required.

You may also need Web Application Proxy Server (on Windows Server 2019 or later) to enable client access from outside corporate network.


The ADFS role cannot be configured on an Exchange Server. For more information, see Plan Your AD FS Deployment Topology

Client Prerequisites

Outlook on Windows

Support for Modern Auth via ADFS is available for Outlook in Microsoft 365 apps on the Insider channel and Current channel. The Outlook build number must be 16327.20200 or later. You can check the build number of your Office by following steps mentioned here.

If you're using retail versions of Office 2021, such as Office Home & Business 2021 or Office Professional 2021, you must use a build later than 16327.20200.


Support for Modern auth via ADFS will also be available in volume licensed versions of Office LTSC 2021 such as Office LTSC Professional Plus 2021 by the end of June, 2023.

Support for other clients such as Outlook on Mac, Outlook mobile, iOS mail app, etc., will be added later.

Windows OS

The Windows client must be Windows 11 22H2 or later and it must have the March 14, 2023 update installed.

You can review Windows Update history to verify that KB5023706 is installed.

Steps to configure Modern Authentication in Exchange Server using ADFS as STS

This section provides details on to implement Modern auth in Exchange Server 2019 CU13.

Install Exchange 2019 CU13 on all FE Servers (at least)

All servers used for client connections must be upgraded to Exchange 2019 CU13. This ensures that initial client connections to Exchange 2019 use OAuth, and proxied connections to Exchange Server 2016 will use Kerberos.


Configuring Modern auth is supported only on Exchange Server 2019 CU13 and later.

Exchange 2019 CU13 adds support for new authentication policies to allow or block Modern auth at user level. Blocking Modern auth is used to ensure clients that don’t support Modern auth can still connect.

Running /PrepareAD with Setup is required to add several new authentication policy parameters to Exchange Server.

  1. BlockModernAuthActiveSync
  2. BlockModernAuthAutodiscover
  3. BlockModernAuthImap
  4. BlockModernAuthMapi
  5. BlockModernAuthOfflineAddressBook
  6. BlockModernAuthPop
  7. BlockModernAuthRpc
  8. BlockModernAuthWebServices

After installing CU13, any pre-existing auth policies (including the default authentication policy) will have the above parameters disabled. This means that customers using HMA don't need to change their pre-existing auth policies.

No new authentication policy required for Exchange Hybrid customers

Existing Exchange Hybrid customers should use Hybrid Modern Auth. Hybrid customers using HMA can leave the values of the BlockModernAuth* parameters at 0 to continue using HMA.


The following steps to configure Modern auth using ADFS are applicable only for non-Exchange Hybrid (pure on-premises) customers.

Set up Active Directory Federation Services (ADFS)

Customers need to install and configure ADFS in the environment to allow Exchange clients to use Forms authentication (OAuth) to connect to Exchange Server.

Certificate requirements for ADFS configuration in Exchange Server Organization

ADFS requires two basic types of certificates (refer this article for detailed information):

  1. A service communication Secure Sockets Layer (SSL) certificate for encrypted web services traffic between the ADFS server, clients, Exchange servers, and the optional Web Application Proxy server. We recommend that you use a certificate that's issued by an internal or commercial certification authority (CA), because all clients need to trust this certificate.
  2. A token-signing certificate for encrypted communication and authentication between the ADFS server, Active Directory domain controllers, and Exchange servers. You can obtain a token-signing certificate by requesting one from a CA or by creating a self-signed certificate.

For more information about creating and importing SSL certificates in Windows, see Server Certificates.

Here's a summary of the certificates that we are using in this scenario:

Common name (CN) in the certificate (in the Subject, Subject Alternative Name, or a wildcard certificate match)TypeRequired on serversComments
Issued by a CAADFS server,
Web Application Proxy server (optional)
Federation servers use an SSL certificate to secure Web services traffic for SSL communication with clients and with federation server proxies.

Because the SSL certificate must be trusted by client computers, we recommend that you use a certificate that is signed by a trusted CA. All certificates that you select must have a corresponding private key.

ADFS Token Signing - adfs.contoso.comSelf-signed or issue by a CAADFS server,
Web Application Proxy server (optional)
A token-signing certificate is an X509 certificate. Federation servers use associated public/private key pairs to digitally sign all security tokens that they produce. This includes the signing of published federation metadata and artifact resolution requests.

You can have multiple token-signing certificates configured in the AD FS Management snap-in to allow for certificate rollover when one certificate is close to expiring. By default, all the certificates in the list are published, but only the primary token-signing certificate is used by AD FS to actually sign tokens. All certificates that you select must have a corresponding private key.

You can obtain a token-signing certificate by requesting one from an enterprise CA or a public CA or by creating a self-signed certificate.

Issued by a CAExchange servers,
Web Application Proxy server (optional)
This is the typical certificate that's used to encrypt external client connections to Outlook on the web (and other Exchange services). For more information, see Certificate requirements for Exchange services.

Deploy and Configure ADFS Server

Use Windows Server 2019 or later to deploy an ADFS server. Follow the steps: Deploy an ADFS server and Configure and test the ADFS server. Verify that you can open the URL of federation metadata in a web browser from the Exchange server and at least one client machine.

The URL uses the syntax:


For example,


Choose appropriate SSO Lifetime

Choose an appropriate SSO lifetime so end users aren't required to frequently reauthenticate. To configure an SSO lifetime, open ADFS management on the ADFS server and choose Edit Federation Service Properties in Actions (present on the right side of the ADFS management window).

Enter the Web SSO lifetime (minutes), which is the maximum time after which users need to reauthenticate.

Configure Authentication Method in ADFS

To use Modern auth in Outlook on Windows, you need to configure Primary Authentication Methods. We recommend choosing Forms Authentication for both Extranet and Intranet, as shown below.

Enable device registration in ADFS

Verify that device registration is configured, and device authentication is enabled by checking the Device Registration Overview.This step is recommended to reduce the number of authentication prompts for users and can help enforce Access Control Policies in ADFS.

Complete all the steps to configure Device Registration Service Discovery and the Device Registration Discovery Server SSL certificate, as detailed here.

Create ADFS Application Group for Outlook

  1. Right click on Application Groups and click Add Application Group.

  2. Select Native Application accessing a web API.

  3. Type a name such as Outlook and click next.

  4. On the Native application page, add the following client identifier and redirect Uri for Outlook and click Next.

    • Client Identifier: d3590ed6-52b3-4102-aeff-aad2292ab01c

    • Redirect URI (add the following two URIs):



  5. In the Configure Web API tab, add all FQDNs used by your Exchange environment, including Autodiscover, load balancing FQDNs, server FQDNs, etc. For example:


    It is important here to make sure all client-facing URLs are covered, or it won't work. Include the trailing /'s and ensure the URLs start with https://.

  6. In the Apply Access Control Policy tab, Permit everyone to start with and then change later if needed. Don't check the checkbox at the bottom of the page.

  7. In Configure Application Permissions, choose Native Application app, and under Permitted Scopes check user_impersonation in addition to openid, which is checked by default.

  8. Complete the assistant.

Add Issuance Transform Rules in Outlook Application Group

For the above created application group Outlook, add Issuance Transform Rules. Right click on the Outlook application group and select properties.

Edit the Web API settings, and under Issuance Transform Rules add the following custom rules:

Claim Rule NameCustom Rule
ActiveDirectoryUserSIDc:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);
ActiveDirectoryUPNc:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
AppIDACR=> issue(Type = "appidacr", Value = "2");
SCP=> issue(Type = "http://schemas.microsoft.com/identity/claims/scope", Value ="user_impersonation");

After adding the rules, the Outlook - Web API Properties should look as follows:

Optionally Web Application Proxy can be configured for Extranet Access

Web Application Proxy is part of the Remote Access server role in Windows Server. It provides reverse proxy functionality to allow users to access your web applications from outside the corporate network. Web Application Proxy preauthenticates access to web applications by using ADFS, and functions as an ADFS proxy.

If you plan to use Web Application proxy, use steps mentioned in Install and Configure the Web Application Proxy Server to configure it. Once configured, you can publish rules for Autodiscover.contoso.com or/and mail.contoso.com using the steps mentioned in Publish an Application that uses OAuth2.

Optionally, MFA can also be configured for client access

  1. Refer to the following links to configure ADFS with an MFA provider of your choice.

    • Configure 3rd party authentication providers as primary authentication in AD FS 2019
    • Configure Azure MFA as authentication provider with AD FS
  2. Configure Access Control Policy requiring MFA.

    • Access Control Policies in Windows Server 2016 AD FS

Client-Side Modern Authentication configuration

We recommend testing Modern auth with few users before deploying to all users. Once a pilot group of users can use Modern auth, more users can be deployed.

  1. Client upgrade and OS upgrade:

    As outlined in the Client prerequisites section, Modern auth is supported only for Outlook on Windows. To use Modern auth, the Outlook client Insider Channel must be installed on Windows 11 OS 22H2 with the March 14, 2023 update or later.

  2. Registry changes in client machines:

    Admins need to configure registry values for users.

    Enable Modern auth and add your ADFS domain as trusted domain in Outlook:

    1. Add following keys to add ADFS domain as trusted domain:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://ADFS domain/HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://ADFS domain


      Add two keys with and without “/” at the end of ADFS domain.

    2. ii.To enable Modern auth via ADFS in Outlook on Windows add following REG_DWORD value in HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\:


      For ease of deployment, these registry changes can be configured using Group Policy. If Group Policy isn't used by your organization, users have to configure their registry manually (or with a script you provide).

Create Authentication Policies for End Users

It's possible that all users in your organization don’t have email clients that support Modern authentication using ADFS. In this scenario, we recommend that you enable Modern auth for users who have supported clients and block Modern auth users who don't.

To enable Modern auth for a set of users and block Modern auth for your remaining users, you need to create at least two authentication policies:

  • Org-wide policy to block Modern auth by default.
  • Second policy to selectively allow Modern auth for some users.

Create organization-level policy to block Modern auth by default

After Modern auth is enabled, all Outlook clients will try to use OAuth tokens, but some clients (for example, Outlook on Mac) can fetch OAuth tokens only from Azure Active Directory. Thus, if Modern auth is enabled, these clients won't be able to connect.

To avoid this scenario, you can set an organization-level policy to disable Modern auth. In the example below, we create a new authentication policy called Block Modern auth.

New-AuthenticationPolicy "Block Modern auth" -BlockModernAuthWebServices -BlockModernAuthActiveSync -BlockModernAuthAutodiscover -BlockModernAuthImap -BlockModernAuthMapi -BlockModernAuthOfflineAddressBook -BlockModernAuthPop -BlockModernAuthRpc

This policy can be set at Org level using the following command.

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Modern auth"

Create user-level authentication policy to enable Modern auth

Next, create a second authentication policy that enables Modern auth. All users with a supported Outlook client are assigned this authentication policy to enable their client to use Modern auth.

In the example below, we create a new authentication called Allow Modern auth using following command:

New-AuthenticationPolicy "Allow Modern auth"

Configure Exchange Server to use ADFS OAuth tokens

  1. Verify if oauth is enabled on the following virtual directories. If not enabled, do enable oauth in all these virtual directories:

    Get-MapiVirtualDirectory -Server <ExchangeServerName> | fl *auth*Get-WebServicesVirtualDirectory -Server <ExchangeServerName> | fl *auth*Get-OabVirtualDirectory -Server <ExchangeServerName> | fl *auth*Get-AutodiscoverVirtualDirectory -Server <ExchangeServerName> | fl *auth*
  2. Run:

    New-AuthServer -Type ADFS -Name MyADFSServer -AuthMetadataUrl https://<adfs server FQDN>/FederationMetadata/2007-06/FederationMetadata.xml

    This is required to create a new auth server object in Exchange Server for ADFS. Auth server objects are a list of trusted issuers. Only OAuth tokens from these issuers are accepted.

  3. Run:

    Set-AuthServer -Identity MyADFSServer -IsDefaultAuthorizationEndpoint $true

    Set the Auth server we just added as the DefaultAuthorizationEndpoint. When advertising the Modern auth header, Exchange Server advertises the auth URL of the DefaultAuthorizationEndpoint. This is how clients know which endpoint to use for authentication.

  4. We need to run this command to enable Modern Auth at organization level:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
  5. Enable Modern auth for users with supported clients by assigning the Allow Modern auth authentication policy:

    Set-User -Identity User -AuthenticationPolicy "Allow Modern auth"

Verify Modern auth flow

Once configured correctly, users experience the ADFS login prompt when they connect to an Exchange server.

Effect on other clients when Modern auth is enabled for a user

Users enabled for Modern auth that have multiple clients (for example, Outlook on Windows and Outlook mobile) will have different experiences for each client. Here's a summary of how clients behave when Modern auth is enabled.


The following table assumes that Block Modern auth is applied as DefaultAuthenticationPolicy at org level.

Outlook on Windows (new versions)Uses Modern auth by default.
Outlook on Windows (old versions)Will try to use Modern auth but will fail.
Outlook MacWill try to use Modern auth but will fail; support coming later.
Outlook iOSWill fall back to Basic auth.
Outlook AndroidWill fall back to Basic auth.
iOS Mail appWill fall back to Basic auth.
Gmail appWill fall back to Basic auth.
OWA/ECPDoesn't use authentication policy.
Depending on how it's configured, will use either Modern auth or Basic auth.
Windows Mail appDoesn’t fall back to Basic auth.
Thunderbird clientDoesn't fall back to basic auth.
PowerShellWill use Basic auth.

Effect on OWA/ECP when Modern auth is enabled for other clients

Customers may or may not be using ADFS claims-based authentication for Outlook on the web. The steps mentioned above are required to enabled OAuth for other clients, and doesn't affect how OWA/ECP is configured.

Use AD FS claims-based authentication with Outlook on the web

Wait time after change authentication policy

After changing the authentication policy to allow Modern auth or block legacy auth:

  • Wait 30 minutes for new policies to be read by front-end servers


  • Perform an IIS reset on all front-end servers.

Migrating to Hybrid Modern Auth after using enabling Modern auth for Exchange Server

Customers using Modern auth with ADFS that later decides to configure Exchange Hybrid should move to Hybrid Modern Auth. Detailed steps to migrate will be added to a future version of this document.

Renewing certificates

Evaluate current certificate configuration

When it comes to client connections to Exchange Server, the certificate that should be evaluated is the one bound to the Frontend IIS Site. For an ADFS server, ensuring that all certificates returned in Get-AdfsCertificate are current is ideal.

  1. To identify the relevant certificate on an Exchange Server, perform the following within Exchange Management Shell:

    Import-Module WebAdministration(Get-ChildItem IIS:SSLBindings | Where-Object {($_.Sites -ne $null) -and ($_.Port -eq "443")}).Thumbprint | ForEach-Object {Get-ExchangeCertificate $_ | Where-Object {$_.Services -Match "IIS"} | ft Thumbprint, Services, RootCAType, Status, NotAfter, Issuer -AutoSize -Wrap} 
  2. To review active certificates on an ADFS Server, perform the following within PowerShell:

    Get-AdfsCertificate | ft CertificateType, Thumbprint, Certificate -AutoSize -Wrap

Update certificates on Exchange Server

If its been found that the Exchange certificate needs to be updated for client connectivity, a new certificate must be issued and imported onto the Exchange Servers. Afterwards, the certificate should be enabled for IIS at minimum. Evaluate if other services should be enabled for the new certificate based on your configuration.

Below is a sample on creating, completing, enabling, and importing a new certificate across all servers based on the existing certificate within the Exchange Management Shell:

  1. Generate a new certificate request within the Exchange Management Shell based on your existing certificate:

    $txtrequest = Get-ExchangeCertificate <Thumbprint> | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
  2. Stage a variable containing the desired output path of your new certificate request:

    $requestFile = "C:\temp\CertRequest.req"
  3. Create the certificate request file:

    [System.IO.File]::WriteAllBytes($requestFile, [System.Text.Encoding]::Unicode.GetBytes($txtrequest))


    The folder path for the certificate request must already exist.

  4. Share the request file with your Certificate Authority (CA). The steps required to get a completed certificate varies based on your CA.


    .p7b is the preferred format for the completed request.

  5. Stage a variable containing the full path of the completed request:

    $certFile = "C:\temp\ExchangeCert.p7b"
  6. Import the request onto the server that originally generated the request:

    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($certFile)) -PrivateKeyExportable $true
  7. Stage variable for the password to protect the completed certificate:

    $pw = Read-Host -AsSecureString
  8. Export the certificate Binary into a variable:

    $binCert = Export-ExchangeCertificate <Thumbprint> -BinaryEncoded
  9. Stage variable for the desired output path of the completed certificate:

    $certificate = "\\$env:computername\c$\temp\CompletedExchangeCert.pfx"
  10. Export the completed request to be imported on other servers:

    [System.IO.File]::WriteAllBytes($certificate, $binCert.FileData)
  11. Enable the services that should be bound to the certificate:

    Enable-ExchangeCertificate <Thumbprint> -Services IIS 


    You may need to add more services to the above sample based on your previous certificates configuration.

  12. Validate the certificate is working as intended by directing a client to the server for all client namespaces with a host file.

  13. Import the Exchange certificate on all other Exchange servers:

    Import-ExchangeCertificate -PrivateKeyExportable $true -FileData ([System.IO.File]::ReadAllBytes($certificate)) -Password $pw -Server <Server-Name>


    Including the -PrivateKeyExportable parameter is optional when importing to other Exchange servers.

  14. Enable the Exchange certificate for needed Exchange services on all other Exchange servers:

    Enable-ExchangeCertificate <Thumbprint> -Services IIS -Server <Server-Name>


    You may need to add more services to the above sample based on your previous certificates configuration.

Update certificate on ADFS

Depending on the certificate type that requires update on ADFS determines if you need to follow the steps described below.

Service-Communications certificate

This sample provides the PowerShell required to import a certificate in .pfx format, such as the one generated by following the Exchange Server certificate steps. Ensure you're logged on the primary ADFS server.

  1. Stage a variable containing the password for the certificate:
    $pw = Read-Host -AsSecureString
  2. Stage a variable containing the full path for the certificate:
    $certificate = "\\E2k19-1\c$\temp\CompletedExchangeCert.pfx"
  3. Import the certificate into the personal store of the LocalMachine:
    Import-PfxCertificate -FilePath $certificate -CertStoreLocation Cert:\LocalMachine\my -Password $pw
  4. Update the Service-Communications certificate:
    Set-AdfsSslCertificate -Thumbprint <Thumbprint>

Token-Signing and Token-Decryption certificates

Follow the steps outlined in the Obtain and Configure TS and TD Certificates for AD FS documentation.


Using the default self-signed certificate for Token-Signing in ADFS claims-based authentication for Outlook on the web requires the certificate to be installed on the Exchange Servers.


What is modern authentication for Exchange server on-premises? ›

Modern Authentication for Pure Exchange On-Premises Organizations Running Exchange 2019 and Exchange 2016. In December 2017, Microsoft announced Hybrid Modern Authentication for Exchange On-Premises, a method to allow Exchange Servers to accept OAuth tokens issued by Azure AD to authenticate user connections.

How do I force office to use modern authentication? ›

Using the Microsoft 365 admin center

In the Microsoft 365 admin center, go to Settings > Org Settings > Modern Authentication.

How to configure Exchange Server on-premises to use hybrid modern authentication? ›

In this article
  1. Definitions.
  2. Enabling Hybrid Modern Authentication.
  3. Make sure you meet all the prerequisites.
  4. Add on-premises web service URLs as SPNs in Azure AD.
  5. Verify Virtual Directories are Properly Configured.
  6. Confirm the EvoSTS Auth Server Object is Present.
  7. Enable HMA.
  8. Verify.
Oct 4, 2022

What are the impacts of enabling modern authentication on the Office 365 tenant? ›

Duo recommends that you update to clients that support modern authentication. Enabling Modern Authentication for your Microsoft 365 (formerly called Office 365) tenant gives that tenant the ability to issue and validate authentication and refresh tokens (OAuth2. 0 tokens) for thick clients like Outlook.

What is the difference between Exchange server Online and on premise? ›

In terms of cost, Exchange Online is quite flexible and allows you to pay for licenses on a per-user basis. If you opt for Exchange On-Premises, you will hold the responsibility of arranging and maintaining the Exchange server and server hardware, in addition to acquiring Client Access Licenses.

What is the difference between Exchange Modern Auth and Basic Auth? ›

Basic Authentication is an older version of the password exchange for Microsoft platforms, and a less secure mechanism. It is being replaced with the Microsoft implementation of Modern Authentication (OAuth), which is the newer and more secure version of authentication to Microsoft platforms.

How long does modern authentication take to enable? ›

Verify Modern Authentication is enabled on the O365 tenant. This setting can take several hours to propagate across Microsoft's data centers. Duo recommends waiting at least 24 hours after enabling modern auth before adding 2FA to the authentication workflow.

How do I know if Outlook is using modern authentication? ›

Press CTRL, right-click the Microsoft Outlook icon in the system tray and click Connection Status. Look at the Authn column. The value should be Bearer*, which means Outlook is now using modern authentication with the OAuth2 Bearer token.

How to allow access from apps that don t use modern authentication? ›

Before Provisioning
  1. Log on to the Microsoft 365 admin center with your Global Administrator account.
  2. Go to Admin centers > SharePoint from the left navigation. ...
  3. Click access control, and then click Allow under Control access from apps that don't use modern authentication.
  4. Click OK, and then wait for around 30 minutes.

How do I connect to Exchange on premise? ›

In the Power Platform admin center, select an environment. On the command bar, select Settings > Email > Server profiles. On the command bar, select New server profile. For Email Server Type, select Exchange Server (On Prem), and then specify a meaningful Name for the profile.

How do I sync Exchange Online to premise? ›

In the EAC, go to Office 365 > Recipients > Migration. , and then select Migrate from Exchange Online. On the Select the users page, select Select the users that you want to move and then click Next. and then select the Exchange Online users to move to the on-premises organization, click Add and then click OK.

How do I use modern authentication in Office 365? ›

How to enable modern authentication in Office 365
  1. Sign in to Microsoft 365 admin center.
  2. Expand Settings and click on Org settings.
  3. Click on Services in the top bar.
  4. Choose Modern authentication from the list.
  5. Check the box Turn modern authentication for Outlook 2013 for Windows and later (recommended)
  6. Click on Save.
Apr 18, 2023

Does modern authentication require password? ›

Modern authentication relies on multiple as well as strong factors such as biometrics to authenticate users with a combination of the following factors: Something the user knows: It could be a password, PIN, or pattern. Something the user has: It could be a security token, smartphone, or keycard.

What are the advantages of modern authentication? ›

Modern authentication is a stronger method of identity management that provides more secure user authentication and access authorization. It allows a user access from a client device like a laptop or a mobile device to a server to obtain data or information.

How to check if Basic authentication is being used Office 365? ›

Manage Basic authentication in the Microsoft 365 admin center. In the Microsoft 365 admin center at https://admin.microsoft.com, go Settings > Org Settings > Modern Authentication. In the Modern authentication flyout that appears, you can identify the protocols that no longer require Basic authentication.

How do I know if my Exchange is on premise? ›

In Exchange 2013/2016/2019, you can check if the mailbox is on-premises or in Office 365. Sign in to the Exchange Admin Center. Have a look at the Mailbox Type column. You can see that if the mailbox is located on-premises or in Office 365.

Why is Exchange Online more secure than on premise? ›

Although Exchange Online spans over 200,000 physical mailbox servers, the risk of compromise is much lower than for any on-premises environment because of the security resources Microsoft dedicates to protecting its cloud infrastructure.

Does Exchange Online require an on premise Exchange? ›

Exchange-only services and features, such as public folders, will require you to either maintain your on-premises Exchange servers or migrate those services to Exchange Online.

How to switch from basic authentication to Modern authentication? ›

To switch from Basic Authentication to Modern Authentication, please use the following steps:
  1. Log in to your Microsoft Azure portal (https://portal.azure.com)
  2. Select Azure Active Directory.
  3. Select App registrations.
  4. Select New Registration.
  5. Enter a name of your choice.
Jan 24, 2023

What is an example of a modern auth? ›

Some examples of Modern Authentication protocols are SAML, WS-Federation, and OAuth.

Why is basic authentication generally not recommended? ›

Problems with Basic Authentication

The username and password are sent in every request. Although they are encoded with Base64, this does not add any security since they can be decoded easily. Most configurations of Basic Authentication do not implement protection against password brute forcing.

How do I know if my MFA is activated? ›

How To Check If MFA Is Enabled In Office 365 For Users?
  1. Sign in to the account and click on 'Admin'.
  2. Click on 'Users'.
  3. Select 'Active Users' and click on the 'Multi Factor Authentication' option at the top of the page.
Jan 23, 2023

How do I know if basic authentication is enabled? ›

How to Check if Basic Authentication is Enabled?
  1. Login to Microsoft 365 admin center.
  2. Click Settings–> 'Org Settings. '
  3. Select 'Modern authentication' present under the 'Services' tab.
Jul 20, 2022

Is Modern authentication more secure? ›

Modern Authentication is a method of identity management that offers more secure user authentication and authorization.

How do I force Outlook to re authenticate? ›

Click the More Settings button. Select the Security tab. Deselect the "Always prompt for logon credentials" check box. Click OK.
  1. Choose Tools > Accounts.
  2. In the left pane, select the account you want to reset.
  3. On the bottom left, click the gear icon and select Reset Account from the list.
Feb 15, 2023

How do I make sure my email is authenticated? ›

How to Authenticate Your Email in 5 Steps
  1. Use consistent sender addresses. Be consistent with the from addresses and friendly from names you use. ...
  2. Authenticate your IP addresses with SPF. ...
  3. Configure DKIM signatures for your messages. ...
  4. Protect your domain with DMARC authentication. ...
  5. Prepare for BIMI.
Feb 22, 2021

How do you check if an email is authenticated? ›

The message is authenticated if you see:
  1. "Mailed by" header with the domain name, like google.com.
  2. "Signed by" header with the sending domain.

What applications support modern authentication? ›

If you are an Android user, you must use the Outlook, Gmail, or another app to connect to Lobomail using modern authentication. The Outlook app is highly recommended. If you see a login screen like the following when setting up your email account, the client is likely using modern authentication (OAUTH):

What happens if you can't access Authenticator app? ›

If your lost phone has Google Authenticator on it, you need to secure your accounts connected to the app by logging in with an alternate method, and resetting the 2FA settings. You should also erase your phone remotely if possible. You can then add Google Authenticator to a new phone and re-link it to your accounts.

Did Microsoft disable Basic authentication? ›

SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022.

How do I connect to the premise Exchange in Office 365? ›

First, you'll need to sign in to Office 365 with your admin account.
  1. Once you've logged in, select Data migration from the Users The Migration page should appear.
  2. Select Exchange from the Select your data service The Hybrid Configuration Wizard will open.
  3. Select next. ...
  4. Keep the default values and choose next.
Jan 29, 2018

What is the difference between on premise Exchange and Office 365? ›

With Microsoft Exchange Server you, (or your IT support company), are in full control of the hardware and infrastructure, whereas with Office 365 you do not have direct access to this. The difference can impact on the level of control you have over configuration, upgrades and system changes.

Is Microsoft Exchange on premise? ›

What is Microsoft Exchange On-Premise? Microsoft Exchange On-Premise is a server-based email solution, meaning it requires substantial server and networking hardware physically installed on your business premises, i.e., a server room, to operate.

Can I use Office 365 on premise Exchange? ›

You can integrate Microsoft 365 with your existing on-premises Active Directory Domain Services (AD DS) and with on-premises installations of Exchange Server, Skype for Business Server 2015, or SharePoint Server. When you integrate AD DS, you can synchronize and manage user accounts for both environments.

How do I ensure Exchange Online is enabled? ›

To enable modern authentication, use the Exchange Online PowerShell Module:
  1. Run the Microsoft Exchange Online PowerShell Module.
  2. Connect to Exchange Online using Connect-ExchangeOnline. Run the following PowerShell command:
  3. Set-OrganizationConfig -OAuth2ClientProfileEnabled $True.
  4. Default Value: True.

How to configure Exchange Server to send and receive outside Email? ›

Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
  1. Step 1: Create an internet Send connector. ...
  2. Step 2: Add additional accepted domains. ...
  3. Step 3: Configure the default email address policy. ...
  4. Step 4: Configure external URLs. ...
  5. Step 5: Configure internal URLs. ...
  6. Step 6: Configure an SSL certificate.
Feb 21, 2023

How to automatically enable MFA for new users in Office 365? ›

Watch: Turn on multifactor authentication

Go to the Microsoft 365 admin center at https://admin.microsoft.com. Select Show All, then choose the Azure Active Directory Admin Center. Select Azure Active Directory, Properties, Manage Security defaults. Under Enable Security defaults, select Yes and then Save.

What is the default authentication method for Office 365? ›

The default authentication method is to use the free Microsoft Authenticator app. If you have it installed on your mobile device, select Next and follow the prompts to add this account. If you don't have it installed there is a link provided to download it.

Which office versions support modern authentication? ›

Exchange Online
Office client app versionRegistry key present?Modern authentication on?
Office 2019Yes, EnableADAL = 1Yes
Office 2019Yes, EnableADAL=0No
Office 2016No, AlwaysUseMSOAuthForAutoDiscover = 1Yes
Office 2016No, or EnableADAL = 1Yes
6 more rows
Feb 16, 2023

What happens when I enable modern authentication in Office 365? ›

Duo recommends that you update to clients that support modern authentication. Enabling Modern Authentication for your Microsoft 365 (formerly called Office 365) tenant gives that tenant the ability to issue and validate authentication and refresh tokens (OAuth2. 0 tokens) for thick clients like Outlook.

Does autodiscover use modern authentication? ›

Autodiscover will continue to function perfectly well, but only with connections that use modern authentication.

What is the difference between basic auth and modern auth? ›

Basic Authentication is an older version of the password exchange for Microsoft platforms, and a less secure mechanism. It is being replaced with the Microsoft implementation of Modern Authentication (OAuth), which is the newer and more secure version of authentication to Microsoft platforms.

How often does Office 365 authenticate? ›

Every time a user closes and open the browser, they get a prompt for reauthentication. In Office clients, the default time period is a rolling window of 90 days.

What is MFA for on-premises servers? ›

When you use the Multi-Factor Authentication (MFA) Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification.

What is MFA authentication on premise? ›

On-premise AD is a closed system, and when you add MFA to your log-in, you're essentially creating an additional layer of security for your network. However, if you don't enable MFA for your AD, you're taking an unnecessary security risk.

What does modern authentication do? ›

Modern authentication is a stronger method of identity management that provides more secure user authentication and access authorization. It allows a user access from a client device like a laptop or a mobile device to a server to obtain data or information.

What authentication does Exchange use? ›

Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure authentication method and is supported on Windows 2000 Server and later versions.

What happens when MFA is enabled? ›

Enabling multi-factor authentication (MFA) ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems.

Should you always have MFA enabled? ›

Multi-factor authentication is important, as it makes stealing your information harder for the average criminal. The less enticing your data, the more likely that thieves will choose someone else to target. As the name implies, MFA blends at least two separate factors.

What are the three authentication methods available for MFA? ›

Three Main Types of MFA Authentication Methods
  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a badge or smartphone.
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition.

How do I enable MFA authentication methods? ›

Enable and disable verification methods

Select Per-user MFA. Under multi-factor authentication at the top of the page, select service settings. On the service settings page, under verification options, select or clear the appropriate checkboxes. Select Save.

What is the difference between authentication and authorization in MFA? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

How long does enabling modern authentication take? ›

Verify Modern Authentication is enabled on the O365 tenant. This setting can take several hours to propagate across Microsoft's data centers. Duo recommends waiting at least 24 hours after enabling modern auth before adding 2FA to the authentication workflow.

What is an example of modern authentication? ›

What is modern authentication? Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with.

What happens if I turn on modern authentication? ›

Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.

How do I connect to exchange with MFA? ›

To connect to Exchange Online PowerShell with MFA, you need to install the Exchange Online PowerShell V3 module. With this module, you can create a PowerShell session with both MFA and non-MFA accounts using the Connect-ExchangeOnline cmdlet.

How do I authenticate my Exchange account? ›

Connect to your Exchange Server

After you enter your email address, choose Sign In or Configure Manually. Tap Sign In to automatically discover your Exchange account information. If your account uses modern authentication, you'll be guided through a custom authentication workflow.


Top Articles
Latest Posts
Article information

Author: Merrill Bechtelar CPA

Last Updated: 14/12/2023

Views: 6171

Rating: 5 / 5 (70 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.