Microsoft just announced a new Hybrid Modern Authentication (HMA) support feature for Exchange on-premises. Starting with the next set of cumulative updates (CU8 for Exchange Server 2016 and CU19 for Exchange Server 2013), HMA users can access on-premises applications using authorization tokens obtained from the cloud.
Here’s some more information about HMA and what the new support offering means for users.
What is Hybrid Modern Authentication?
Basically, HMA lets Outlook obtain OAuth tokens from Azure AD and then have those tokens accepted by Exchange on-premises, which grants mailbox access. Each user can choose exactly what is required to obtain those tokens: you can make it as easy as entering a username and password, or as demanding as a fingerprint or eye scan. Once that challenge is satisfied, the flow redirects back to AAD, which returns the access and refresh tokens to Outlook. There are a few benefits to this new ability. First, it gives you access to more secure authentication methods than those currently available with Exchange. It also ensures that your auth flow is the same for both cloud and on-premises users, providing an improved and consistent user experience.
How do you use HMA?
If you want to use Hybrid Modern Authentication with advanced Azure features, you’ll need licenses for both Exchange and Azure. Try out HMA in a test or lab environment before rolling it out to production, so you can be sure all the prerequisites are set up properly before it impacts your end users. Basically, you need to sync your entire on-premises directory to AAD and ensure that all user networks can reach AAD efficiently. There are also a few specific advanced settings you need to configure on the Exchange side, so check Microsoft’s documentation for the exact steps and troubleshooting suggestions.
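As an added example (not from the original post or from Microsoft's documentation), here is a read-only check, run from the Exchange Management Shell, of the on-premises settings that HMA depends on: OAuth enabled for clients at the organization level, Azure AD registered as the default authorization endpoint, and OAuth accepted on each client-facing virtual directory. It assumes the Azure AD AuthServer object carries an IssuerIdentifier beginning with https://sts.windows.net/, which is the usual shape of that object; the function name Test-HmaReadiness is this example's own.

```powershell
# Added example, not part of the original post: read-only readiness check for the
# Exchange on-premises side of Hybrid Modern Authentication (HMA).
# Run in the Exchange Management Shell on Exchange 2013 CU19+ or Exchange 2016 CU8+.
# Assumption: the Azure AD AuthServer has an IssuerIdentifier under https://sts.windows.net/.

function Test-HmaReadiness {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. OAuth must be enabled for clients at the organization level.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        $findings.Add('OAuth2ClientProfileEnabled is False; Outlook will keep using legacy auth.')
    }

    # 2. Azure AD must be registered as an AuthServer and be the default authorization endpoint.
    $azureAd = Get-AuthServer | Where-Object { $_.IssuerIdentifier -like 'https://sts.windows.net/*' }
    if (-not $azureAd) {
        $findings.Add('No AuthServer object for Azure AD found.')
    } elseif (-not ($azureAd | Where-Object { $_.IsDefaultAuthorizationEndpoint })) {
        $findings.Add('Azure AD AuthServer exists but IsDefaultAuthorizationEndpoint is False.')
    }

    # 3. Every client-facing virtual directory must accept OAuth tokens.
    #    MAPI lists its methods in IISAuthenticationMethods; the others expose OAuthAuthentication.
    $checks = @(
        @{ Name = 'MAPI';         Get = { Get-MapiVirtualDirectory -ADPropertiesOnly };         Ok = { $args[0].IISAuthenticationMethods -contains 'OAuth' } }
        @{ Name = 'EWS';          Get = { Get-WebServicesVirtualDirectory -ADPropertiesOnly };  Ok = { [bool]$args[0].OAuthAuthentication } }
        @{ Name = 'OAB';          Get = { Get-OabVirtualDirectory -ADPropertiesOnly };          Ok = { [bool]$args[0].OAuthAuthentication } }
        @{ Name = 'Autodiscover'; Get = { Get-AutodiscoverVirtualDirectory -ADPropertiesOnly }; Ok = { [bool]$args[0].OAuthAuthentication } }
    )
    foreach ($c in $checks) {
        foreach ($vdir in (& $c.Get)) {
            if (-not (& $c.Ok $vdir)) {
                $findings.Add("$($c.Name) virtual directory '$($vdir.Identity)' does not accept OAuth.")
            }
        }
    }

    # Empty list means every checked setting is in the HMA-ready state.
    return $findings
}

$result = Test-HmaReadiness
if ($result.Count -eq 0) { 'HMA prerequisites look satisfied on the Exchange side.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

The check only reads configuration; it does not enable anything, so it is safe to run in the lab first and again before the production cutover.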