Multi-Factor Authentication in Exchange and Office 365


Multi-Factor Authentication (MFA), which includes Two-factor authentication (2FA), in Exchange Server and Office 365, is designed to protect against account and email compromise.

Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured systems.

The reported technique does not pose a risk to Exchange Server or Office 365:

  • In Exchange Server, authentication configuration settings for client endpoints are not shared across protocols. Supported authentication mechanisms are configured independently for each protocol endpoint. Multi-Factor Authentication in Exchange Server can be enabled in multiple ways, including OAuth. Before implementing MFA with Exchange Server, it is important that all client protocol touchpoints are identified and configured correctly.
  • In Office 365, when Azure MFA is enabled within a tenant, it is applied to all supported client protocol endpoints. Exchange Web Services (EWS) is one of the Office 365 client endpoints on which MFA is enabled; Outlook on the Web (OWA) and Outlook client access are also covered in Office 365. Office 365 users may experience a small delay before MFA is active on all protocols, due to propagation of configuration settings and credential cache expiration.
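
The first bullet says that on-premises Exchange configures authentication per protocol endpoint and that every client touchpoint has to be identified before MFA is relied on. The following Exchange Management Shell script is an added example (not code from the Exchange Team post) that builds that inventory: it queries each client-facing virtual directory type with the standard Get-*VirtualDirectory and Get-OutlookAnywhere cmdlets, lists the authentication methods each endpoint accepts, and flags any endpoint that still accepts Basic (single-factor) credentials. The protocol labels and the BasicAuth flag are this example's own naming; the cmdlets and property names are the ones those cmdlets expose.

```powershell
# Added example, not part of the original post: enumerate the authentication
# methods enabled on every client protocol endpoint of an on-premises Exchange
# Server. Run in the Exchange Management Shell with View-Only Organization
# Management (or higher) rights.

# One entry per protocol endpoint: the cmdlet that returns it and the
# authentication properties that cmdlet exposes. Property names differ per
# cmdlet (e.g. ActiveSync uses BasicAuthEnabled, EWS uses BasicAuthentication).
$endpoints = @(
    @{ Protocol = 'OWA';          Cmdlet = 'Get-OwaVirtualDirectory';          Props = 'BasicAuthentication','WindowsAuthentication','FormsAuthentication','OAuthAuthentication' }
    @{ Protocol = 'ECP';          Cmdlet = 'Get-EcpVirtualDirectory';          Props = 'BasicAuthentication','WindowsAuthentication','FormsAuthentication' }
    @{ Protocol = 'EWS';          Cmdlet = 'Get-WebServicesVirtualDirectory';  Props = 'BasicAuthentication','WindowsAuthentication','OAuthAuthentication','WSSecurityAuthentication' }
    @{ Protocol = 'ActiveSync';   Cmdlet = 'Get-ActiveSyncVirtualDirectory';   Props = 'BasicAuthEnabled','WindowsAuthEnabled','ClientCertAuth' }
    @{ Protocol = 'Autodiscover'; Cmdlet = 'Get-AutodiscoverVirtualDirectory'; Props = 'BasicAuthentication','WindowsAuthentication','OAuthAuthentication','WSSecurityAuthentication' }
    @{ Protocol = 'OAB';          Cmdlet = 'Get-OabVirtualDirectory';          Props = 'BasicAuthentication','WindowsAuthentication','OAuthAuthentication' }
    @{ Protocol = 'MAPI/HTTP';    Cmdlet = 'Get-MapiVirtualDirectory';         Props = 'IISAuthenticationMethods' }
    @{ Protocol = 'RPC/HTTP';     Cmdlet = 'Get-OutlookAnywhere';              Props = 'ExternalClientAuthenticationMethod','InternalClientAuthenticationMethod','IISAuthenticationMethods' }
    @{ Protocol = 'PowerShell';   Cmdlet = 'Get-PowerShellVirtualDirectory';   Props = 'BasicAuthentication','WindowsAuthentication' }
)

$report = foreach ($e in $endpoints) {
    # Older Exchange versions lack some cmdlets (e.g. MAPI/HTTP); skip those.
    if (-not (Get-Command $e.Cmdlet -ErrorAction SilentlyContinue)) { continue }

    foreach ($vdir in (& $e.Cmdlet)) {
        # Collect the enabled methods: boolean properties contribute their
        # name when $true, enum/multi-valued properties contribute their value.
        $enabled = foreach ($p in $e.Props) {
            $v = $vdir.$p
            if ($v -is [bool]) { if ($v) { $p } }
            elseif ($null -ne $v) { "$p=$(@($v) -join ',')" }
        }

        # Basic auth on any endpoint means a password alone is accepted there,
        # whatever MFA is enforced on the other protocols.
        $iisMethods = @($vdir.IISAuthenticationMethods) | ForEach-Object { "$_" }
        $basic = [bool]($vdir.BasicAuthentication -or $vdir.BasicAuthEnabled -or
                        ($iisMethods -contains 'Basic'))

        [pscustomobject]@{
            Protocol  = $e.Protocol
            Server    = $vdir.Server
            Identity  = $vdir.Identity
            Enabled   = ($enabled -join '; ')
            BasicAuth = $basic
        }
    }
}

# Full inventory, then the subset that still accepts single-factor credentials.
$report | Sort-Object Protocol, Server | Format-Table -AutoSize
$report | Where-Object BasicAuth | Select-Object Protocol, Server, Identity
```

Every row in the second table is a touchpoint that MFA enforced on OWA alone does not cover; the authentication method for such an endpoint is changed with the matching Set-*VirtualDirectory cmdlet. In Exchange Online the comparable tenant-level check is `Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled`, which reports whether modern authentication (OAuth) is turned on for the tenant.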

Additional information on enabling OAuth in Office 365 and Exchange Server can be found on Office.com and MSDN.

The Exchange Team

Comments (6)

  1. Sultan Rayes says:

    What about Exchange on premises? Any plans to support MFA for all protocol using Azure MFA or 3rd party?

  2. Sultan, we have previously stated we are working on bringing Modern Auth to on-prem Exchange.

  3. On the first link (enabling OAuth in Office 365) what’s the ‘downside’? Does it prevent non MFA clients connecting? Why isn’t it defaulted to on?

  4. TAM says:

    My client would like to know how they can be sure that their Exchange Server protocol touchpoints are “identified and configured correctly.”

  5. Zoltan Erszenyi says:

    Please define “properly configured”.

  6. Engineer says:

    In skype for business users are prompted to type in exchange credentials after 5 hours of inactivity. How to stop this?
    Addsync + MFA
