MFA for OWA Login

Note: MFA for OWA logins requires the Professional Edition of ADSelfService Plus with Endpoint MFA..

With this setting, you can enable MFA for Outlook on the Web (OWA) and Exchange admin center logins to add an additional layer of security to your Exchange environment. Let's see how you can enable MFA with ADSelfService Plus:

MFA for OWA Login
  1. The user attempts to log in to OWA or the Exchange admin center.
  2. They are asked to complete the primary authentication in OWA.
  3. If this is successful, OWA passes a request to the ADSelfService Plus MFA Connector, which informs ADSelfService Plus to go ahead with the rest of the authentication factors.
  4. If the user completes all the required authentication factors successfully, they are logged in to OWA or the Exchange admin center.
Note: MFA for OWA logins is supported for the following Exchange versions:

To enable MFA for OWA, follow these steps:

Before you start:

Step 1: Configuring MFA for OWA

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for OWA Login.
  2. Click the Choose the Policy drop-down and select a policy. This will determine which authentication methods are enabled for which sets of users.
  3. Note: ADSelfService Plus allows you to create OU- and group-based policies. If you have not created a policy yet, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups and make a selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  4. In the MFA for OWA Login section, check the Enable __ authentication factor box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.
  5. Note:
    • The OWA site must utilize HTTPS for FIDO Passkeys to work.
    • SAML authenticator is not supported in MFA for OWA.
  6. Click Save Settings.

Step 2: Install ADSelfService Plus MFA Connector

The IIS MFA extension must be installed in Exchanger Server to enable MFA for OWA and Exchange admin center logins. It triggers the request for the completion of other authentication factors after the primary password authentication is successful.

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoint.
  2. Navigate to MFA for OWA and click on the helpIcon (help) icon.
  3. Download the ADSelfService Plus MFA Connector from the pop-up that appears.
  4. Copy the extension file (AdsspOWAIISModule.zip) to the Windows server that you have configured as the Exchange server. Extract the ZIP file’s content and save it in a location.
  5. Open PowerShell (x64) as an administrator and navigate to the folder where the content of the extension files is located.
  6. Execute the following command:

PS C:\> .\setupIISMFAModule.ps1 Install

Customizing the virtual directory for ADSelfService Plus Connector

By default, the ADSelfService Plus IIS MFA Connector files are created in a virtual directory under the default web site in IIS Manager. If you want to modify your default web site to redirect to any particular site (for example: If your default web site is selfservice.com and you have configured a redirect URL to selfservice.com/owa) you can change the virtual directory to owa using the command below
C:\>setupIISMFAModule.ps1 install -virtualDirectory "owa"

Uninstall and update ADSelfService Plus MFA Connector

  1. Open PowerShell (x64) as an administrator and navigate to the folder where the content of the extension files content is located (by default, it is stored in C:\Program Files\ManageEngine\ADSelfService Plus MFA Connector).
  2. To uninstall the extension, execute the following command:
    PS C:\> .\setupIISMFAModule.ps1 Uninstall
  3. To update the extension, execute the following command:
    PS C:\> .\setupIISMFAModule.ps1 Update
MFA for OWA Login
Note: If ADSelfService Plus is down or unable to be reached, users will not be able to access their email, because they won't be unable to complete authentication. You can enable users to bypass MFA in such situations. Refer to the Advanced settings for more information.

Copyright © 2024, ZOHO Corp. All Rights Reserved.