Demystifying Certificate Based Authentication with ActiveSync in Exchange 2013 and 2016 (On-Premises)

Some of the more complicated support calls we see are related to Certificate Based Authentication (CBA) with ActiveSync. This post is intended to provide some clarifications of this topic and give you troubleshooting tips. What is Certificate Based Authentication (CBA)? Instead of using Basic or WIA (Windows Integrated Authentication), the device will have a client (user)…


Multi-Factor Authentication in Exchange and Office 365

Multi-Factor Authentication (MFA), which includes Two-factor authentication (2FA), in Exchange Server and Office 365, is designed to protect against account and email compromise. Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured…


Certificate-Based Authentication (CBA) for Exchange Online

Update 12/15/2016: We updated this post to reflect the General Availability of the feature. On-premises Exchange environments support the ability for certain mobile apps to utilize certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available for customers using Office 365 Enterprise, Business, Education, and Government plans. This does not include Office…


Exchange 2016 Coexistence with Kerberos Authentication

With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. Like with the last two releases, the solution leverages deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize…


Enabling BitLocker on Exchange Servers

The Exchange Preferred Architecture, for both Exchange Server 2013 and Exchange Server 2016, recommends enabling BitLocker on fixed data drives that store Exchange database files. Over the years, there have been a number of questions regarding how BitLocker should be enabled on servers. However, before we discuss that, I think it is important to provide…


No new security vulnerability in Outlook Web Access (OWA)

Recently reports of a new security vulnerability in OWA, a component of Microsoft Exchange Server, have been circulated throughout the internet. Microsoft considers the security of our products to be a top responsibility to our customers. We have investigated these reports and believe that a properly deployed and secured Exchange Server is not susceptible to…


Exchange TLS & SSL Best Practices

Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment. It has been suggested by some external parties that customers need to disable TLS…


Exchange Online Advanced Threat Protection is now available

Just a quick note that we have released a new service that some of you might be interested in, called Exchange Online Advanced Threat Protection. This is a complementary service to already existing Exchange Online Protection (EOP) and extends to additional types of advanced threats. To learn more, head over here: Exchange Online Advanced Threat…


Take Advantage of EOPs new Bulk Mail Detection

Bulk mail is often mistaken for spam and is starting to become a larger problem for organizations. EOP is not very aggressive out of the box when it comes to bulk mail because this type of mail falls into a grey area. Some organizations will want to receive this type of mail, whereas others will…


Protecting against Rogue Administrators

Occasionally I am asked the following question – how can I protect the messaging environment from a rogue administrator? There are essentially two concerns being asked in this question: How do I protect the data from being deleted by a rogue administrator? How do I protect the data from being accessed and/or altered by a…
