Multi-Factor Authentication (MFA), which includes two-factor authentication (2FA), in Exchange Server and Office 365 is designed to protect against account and email compromise.
Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured systems.
The reported technique does not pose a risk to Exchange Server or Office 365:
- In Exchange Server, authentication configuration settings for client endpoints are not shared across protocols. Supported authentication mechanisms are configured independently, on a per-protocol-endpoint basis. Multi-Factor Authentication in Exchange Server can be enabled in multiple ways, including OAuth. Before implementing MFA with Exchange Server it is therefore important that all client protocol touchpoints are identified and that each one is configured correctly, since MFA applied to one endpoint does not carry over to the others.
- In Office 365, when Azure MFA is enabled within a tenant, it is applied to all supported client protocol endpoints. Exchange Web Services (EWS) is one of the Office 365 client endpoints covered in this way, as are Outlook on the Web (OWA) and Outlook client access. Office 365 users may experience a small delay before MFA takes effect on all protocols, due to propagation of configuration settings and expiration of cached credentials.
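The first point above is that each client protocol endpoint on Exchange Server carries its own authentication configuration, so an MFA rollout has to account for every one of them. The following Exchange Management Shell script is an added example, not part of Microsoft's statement: it enumerates the standard client endpoints on one server (Outlook on the web, ECP, EWS, ActiveSync, MAPI over HTTP, Outlook Anywhere, Autodiscover, OAB and remote PowerShell) and lists each endpoint's authentication-related settings side by side, then flags any endpoint that still has Basic authentication enabled so it can be reviewed against the MFA mechanism in use. The cmdlets are the standard Exchange virtual-directory cmdlets; the `$server` variable and the `-match 'Auth'` property filter are choices made for this example.

```powershell
# Added example (not part of Microsoft's statement): inventory the
# authentication settings of every client-protocol endpoint on an Exchange
# Server so that none is overlooked when MFA is rolled out.
# Run from the Exchange Management Shell.

# Assumption for this example: inspect the local server. Change as needed.
$server = $env:COMPUTERNAME

# One entry per client protocol endpoint, each mapped to the cmdlet that
# returns that endpoint's configuration object(s) for the given server.
$endpoints = [ordered]@{
    'Outlook on the web (OWA)'    = { Get-OwaVirtualDirectory          -Server $server }
    'Exchange Control Panel'      = { Get-EcpVirtualDirectory          -Server $server }
    'Exchange Web Services'       = { Get-WebServicesVirtualDirectory  -Server $server }
    'Exchange ActiveSync'         = { Get-ActiveSyncVirtualDirectory   -Server $server }
    'MAPI over HTTP'              = { Get-MapiVirtualDirectory         -Server $server }
    'Outlook Anywhere (RPC/HTTP)' = { Get-OutlookAnywhere              -Server $server }
    'Autodiscover'                = { Get-AutodiscoverVirtualDirectory -Server $server }
    'Offline Address Book'        = { Get-OabVirtualDirectory          -Server $server }
    'Remote PowerShell'           = { Get-PowerShellVirtualDirectory   -Server $server }
}

$report = foreach ($name in $endpoints.Keys) {
    foreach ($vdir in (& $endpoints[$name])) {
        # The cmdlets do not agree on property names (BasicAuthentication vs.
        # BasicAuthEnabled, ExternalAuthenticationMethods, IISAuthenticationMethods,
        # OAuthAuthentication, FormsAuthentication, ...), so select every property
        # whose name mentions authentication rather than hard-coding a list.
        $authProps = $vdir.PSObject.Properties |
            Where-Object { $_.Name -match 'Auth' }

        [pscustomobject]@{
            Endpoint       = $name
            Identity       = $vdir.Identity
            Authentication = ($authProps | ForEach-Object {
                                  '{0}={1}' -f $_.Name, ($_.Value -join ',')
                              }) -join '; '
            # Basic authentication is a username/password exchange; whether it
            # is acceptable depends on how MFA is enforced in this environment,
            # so endpoints that still accept it are marked for review.
            BasicEnabled   = [bool]($authProps |
                                  Where-Object { $_.Name -like 'Basic*' -and $_.Value -eq $true })
        }
    }
}

# Full inventory: one row per virtual directory / endpoint.
$report | Format-Table Endpoint, Identity, Authentication -AutoSize -Wrap

# Endpoints to review: Basic authentication still enabled.
$report | Where-Object BasicEnabled |
    Format-Table Endpoint, Identity -AutoSize
```

Run the script once per Client Access (Exchange 2013) or Mailbox (Exchange 2016 and later) server, or loop over `Get-ExchangeServer`, and compare the rows for each endpoint: any endpoint whose authentication settings differ from the one on which MFA was validated is a touchpoint that still needs to be configured.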