The Many Forms of Modern Authentication – An Exchange Server Story


Userlevel 7
Badge +22

Hi everyone.

If you missed it, Microsoft just released H1 2023 for Exchange Server 2019. Included in this release is the ability to use Modern Authentication in an Exchange Server only environment.

 

In Case You Missed it, What is Modern Authentication?

 

There are numerous resources describing the functionality of Modern Authentication in technical detail, but my goal here is to provide a conceptual overview of Basic Authentication vs Modern Authentication.

 

Basic Authentication

Basic Authentication, as the name might suggest, is a simplistic form of authentication. A client attempts to communicate to a resource that is protected, and the resource requests a username & password, you supply a valid username & password, and you’re granted access to the resource. Every time you want to access this resource, you need to provide the username & password. This was actually one of the main driving forces behind security considerations such as mandating HTTPS on websites, to avoid credential theft.

 

Modern Authentication

Modern Authentication by comparison, still requires authentication, but the methods change slightly. Firstly, instead of supplying our credentials in every request, we supply our credentials to an identity provider. The identity provider then generates an access token. Some benefits to tokens are that they expire, thus requiring generation of a new token and a re-authentication process; additionally, tokens can be revoked to withdraw access. Further to this however, the authentication method can change from username & password to instead utilising client certificate-based authentication, or smart card authentication, or the most commonly known option, Multifactor Authentication (MFA).

Tokens contain more information than just the username of the authenticated account, they can also contain information such as current location, or device information. These extra attributes are used to power functions such as Conditional Access within platforms that support this, such as Microsoft 365.

In summary: Modern authentication gives us more methods of authentication (MFA/SmartCard/Certificates), flexibility of identity providers, and additional information to make user/device compliance & risk-based decisions through mechanisms such as Conditional Access.

 

What Modern Authentication is Supported by Microsoft Exchange?

 

For those keeping score, this now means we have three different scenarios for Modern Authentication within the Microsoft Exchange family of products.

 

Exchange Online

Firstly, we have Microsoft’s favourite child of the family, Exchange Online. Modern Authentication either is the only method of authentication you have on this platform, or shortly will be, as Microsoft announced Basic Authentication would be retired back in 2019. With dates and timelines changing but ultimately bringing us to where we are now. Everything I mentioned during the previous section around Modern Authentication, applies to Exchange Online.

 

Hybrid Modern Authentication

For a while now, we’ve had the ability to perform Hybrid Modern Authentication. This scenario is where your users will still authenticate on-premises, meaning they authenticate against your infrastructure. However, the authorization changes to using evoSTS, which is a Security Token Service (STS is an abbreviation for Security Token Service) used by Azure AD. The change in authorization brings the benefits discussed in the Modern Authentication section, meaning functionality such as leveraging MFA. The trade-off with enabling Hybrid Modern Authentication however is that you create a cloud dependency, meaning your infrastructure must maintain a connection to your Azure AD instance. I would argue this isn’t much of a dependency, as the purpose of an email server is to communicate with internal & external users, so a reiliable connection is already desired. Whilst there were many dependencies within your environment to support this, the overall support was quite broad, supporting environments containing Exchange Server versions as old as 2013. You can find out more about the prerequisites here.

 

New: Modern Authentication for Exchange Server ONLY Environments

As mentioned in the opening paragraph, Exchange Server 2019’s H1 2023/CU13 is now available, and within this, is support for Modern Authentication. The key difference to the other Modern Authentication implementations is that this solution exclusively uses Active Directory Federation Services (ADFS) as the Security Token Service. This still provides the benefits of Modern Authentication such as integration with MFA, smart cards, certificate-based authentication, and third-party security identity providers.

The requirements are more strict for this solution, you require Exchange Server 2019 running H1 2023/CU13, but you can also bring along any Exchange Server 2016 CU23 servers, provided that Exchange Server 2019 CU13 is the front end handling the client traffic. There are also restrictions on Outlook versions currently that severly restrict the implementation potential, at the time of writing only the Outlook for Windows application is supported with Modern Authentication, and that is still for specific versions. Whilst Outlook for macOS, Android, and iOS applications are explicitly stated as not yet supported. This only applies to applications, with Outlook on the Web and Exchange Control Panel already supported claims-based authentication with ADFS.

 

How do I know if I’m ready for Exchange Server ONLY Modern Authentication

 

Microsoft have provided a write-up on how to enable Modern Authentication for Exchange Server, and this contains a table of common Exchange configurations and whether the feature is applicable. Microsoft also supply a list of minimum versions of the Outlook application and builds. This information is available here. Curiously, missing from the list are any support statements of feature support between Exchange and Skype for Business or SharePoint with this feature enabled.

But first-party application support is only part of the equation here, Exchange Server is a mission critical application for many organisations, and as a result there are other pipelines that integrate into Exchange. Depending on the authentication policy configuration, most email applications such as the unsupported Outlook versions, Thunderbird, and iOS Mail apps will failback gracefully to Basic Authentication under default configurations.

However, consider applications that use Exchange Web Services (EWS), such as Veeam’s Exchange restore functionality. This application only supports Basic Authentication at the time of writing, and Exchange Web Services doesn’t use an authentication policy, it is either Basic Authentication, or Modern Authentication. Should you attempt to restore via a Modern Authentication-enabled EWS frontend, the restore will fail, dramatically reducing your data recoverability possibilities. The same will be true for many other EWS-integrated applications if they don’t support Modern Authentication.

Over time, we’ll likely see adoption efforts increase to support EWS with Modern Authentication, but as Microsoft wants the world to move to Exchange Online, and the popularity for Exchange Server is dwindling, integrations may never come for some applications…


7 comments

Badge

Does it means that we support Exchange 2019 CU13 ?

Userlevel 7
Badge +17

You mean people still run Exchange on-prem? 🤔😁 Glad we migrated off several years ago.

Thanks for sharing Michael. Good info. 

I have several clients with on-premise installations at the moment...

Userlevel 7
Badge +6

Thanks for posting Michael….I’ve had a tab open for at least a week to read up more about this but your summary is great.

Userlevel 7
Badge +6

You mean people still run Exchange on-prem? 🤔😁 Glad we migrated off several years ago.

Thanks for sharing Michael. Good info. 

 

I have two clients still on-premise.  One is a T&M client that I don’t do much because they’ll run things to the bitter end.  Ask me how their publicly accessible Server 2003 DNS servers finally went away a couple years ago.  The other is a small municipality that is cloud-adverse but I’m working on them and getting closer to moving to Exchange Online I think.

Userlevel 7
Badge +21

Really great info for the community. I always read your blog before here.  😁 Thanks for sharing.

Userlevel 7
Badge +19

You mean people still run Exchange on-prem? 🤔😁 Glad we migrated off several years ago.

Thanks for sharing Michael. Good info. 

Userlevel 7
Badge +22

TL;DR: Don’t enable Modern Authentication if you’re planning on using Veeam Explorer functionality with Exchange Server. This works via EWS and enabling Modern Authentication on EWS WILL break the restore workflow.

Comment