      How To Incorporate Azure MFA

      December 12, 2018 | Updated December 19, 2018 | Don Young

      As most organizations move to Office 365, there is normally a period of co-existence. During this time, an organization may choose to take advantage of Azure MFA before its mailbox migration is complete. In these cases, it may want to incorporate Azure MFA into its current on-premises Exchange OWA environment.

      This can be accomplished by publishing the on-premises OWA as an enterprise application in Azure, using Azure AD Application Proxy with Azure AD pre-authentication in front of OWA and Kerberos Constrained Delegation (KCD) from the proxy connectors to Exchange. Three designs are described below: one using an Alternate Service Account in front of a load-balanced CAS array, one using a single CAS, and one using two CAS behind two enterprise applications.

      Example Environment Specifics Used Below:

      • On-premises App Proxy:
        • AAP01
        • AAP02 (having a second is recommended)
      • Exchange CAS:
        • CAS01
        • CAS02
      • CAS Array:
        • CAS-Array-ASA
      • Active Directory Forest:
        • local
      • External namespace:
        • com

      Using Alternate Service Account (ASA)

      1. This option assumes you have already set up an ASA for Exchange using: https://docs.microsoft.com/en-us/exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?view=exchserver-2019
      2. In on-premises AD, set an SPN of ‘http/mail.root.local’ on CAS-Array-ASA
        1. Open a command prompt with admin rights
        2. Run: setspn -A http/mail.root.local CAS-Array-ASA
        3. Confirm the setting took effect by running: setspn -L CAS-Array-ASA
      3. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 and AAP02 to CAS-Array-ASA, ‘http/CAS-Array-ASA.root.local’
        1. Open AD Users and Computers
        2. Search for AAP01 and go to its properties
        3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        4. Select ‘Use any authentication protocol’
        5. Click the Add button, then the ‘Users or Computers’ button
        6. Search for ‘CAS-Array-ASA’
        7. Scroll down and select the ‘http’ service before clicking the OK button
        8. Click OK to close the properties for AAP01
        9. Search for AAP02 and go to its properties
        10. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        11. Select ‘Use any authentication protocol’
        12. Click the Add button, then the ‘Users or Computers’ button
        13. Search for ‘CAS-Array-ASA’
        14. Scroll down and select the ‘http’ service before clicking the OK button
        15. Click OK to close the properties for AAP02
        16. Example:
      4. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
      5. Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
      6. In Azure AD, create a new Enterprise Application
      7. Use the following settings:
        1. Example name: On-premises OWA
        2. Internal URL: https://mail.root.local/owa
        3. External URL: https://mail-mydomain.msappproxy.net/owa
        4. Pre Authentication: Azure Active Directory
        5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
        6. Backend Application Timeout: Default
        7. Use HTTP-Only Cookie: No
        8. Translate URLs in Headers: No
        9. Translate URLs in Application Body: No
        10. Example:

      8. Under the settings of the new Enterprise Application set the following:
        1. Users and Groups
          1. Add the users and/or groups that should be able to use this application
        2. Single sign-on

          1. Single Sign-on Mode: Integrated Windows Authentication
          2. Internal Application SPN: http/CAS-Array-ASA.root.local
          3. Delegated Login Identity: User principal name
          4. Example:
      9. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
      10. With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa
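The on-premises Active Directory half of the steps above (SPN registration and KCD on the connector computer accounts), as an added example that is not part of the original post. It uses the ActiveDirectory module (RSAT) and the page's own account and SPN names; the function names are my own. It goes beyond this section in one respect: `Set-ConnectorKcd` accepts a list of target SPNs, so the same code also covers the single-CAS and two-CAS designs described later, where each CAS gets its own SPN. The verification function reads the delegation bits straight from `userAccountControl` so that a connector left with unconstrained delegation, or with a stale target from an earlier design, is reported rather than silently accepted.

```powershell
# Added example (not from the original post): SPN + Kerberos Constrained Delegation
# for the Azure AD Application Proxy connectors. Requires the ActiveDirectory module
# and rights to modify the connector computer objects. Names follow the post's
# example environment (root.local forest, AAP01/AAP02, CAS-Array-ASA, CAS01/CAS02).
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# userAccountControl bits that control delegation
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: must stay OFF
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 'Use any authentication protocol'

function Register-HttpSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,      # e.g. http/mail.root.local
        [Parameter(Mandatory)][string]$Account   # e.g. CAS-Array-ASA or CAS01
    )
    $current = @(& setspn.exe -L $Account | ForEach-Object { $_.Trim() })
    if ($current -icontains $Spn) { return }     # already registered, nothing to do
    # -S checks the forest for a duplicate before adding; -A (as used in the post)
    # does not, and a duplicated HTTP SPN breaks Kerberos for both owning accounts.
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $Spn $Account failed (exit $LASTEXITCODE)" }
    # Same confirmation the post performs with 'setspn -L'
    $after = @(& setspn.exe -L $Account | ForEach-Object { $_.Trim() })
    if (-not ($after -icontains $Spn)) { throw "$Spn not present on $Account after setspn" }
}

function Set-ConnectorKcd {
    # Equivalent of the delegation tab: 'Trust this computer for delegation to
    # specified services only' + 'Use any authentication protocol' for the given SPNs.
    param(
        [Parameter(Mandatory)][string[]]$Connector,  # 'AAP01','AAP02'
        [Parameter(Mandatory)][string[]]$TargetSpn   # one or more http/... SPNs
    )
    foreach ($c in $Connector) {
        $comp = Get-ADComputer -Identity $c
        # Replace (not Add) so targets from an earlier design do not linger.
        Set-ADComputer -Identity $comp -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
        # Protocol transition is required: the user signed in to Azure AD, not with
        # Kerberos, so the connector must request a service ticket on the user's behalf.
        # Unconstrained delegation is switched off at the same time.
        Set-ADAccountControl -Identity $comp -TrustedForDelegation $false -TrustedToAuthForDelegation $true
    }
}

function Test-ConnectorKcd {
    # $true when every connector delegates to exactly the expected SPNs, with
    # protocol transition on and unconstrained delegation off.
    param(
        [Parameter(Mandatory)][string[]]$Connector,
        [Parameter(Mandatory)][string[]]$TargetSpn
    )
    $ok = $true
    foreach ($c in $Connector) {
        $obj = Get-ADComputer -Identity $c -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
        $allowed  = @($obj.'msDS-AllowedToDelegateTo')
        $uac      = [int]$obj.userAccountControl
        $problems = @()
        foreach ($s in $TargetSpn) { if ($allowed -inotcontains $s)   { $problems += "missing target $s" } }
        foreach ($s in $allowed)   { if ($TargetSpn -inotcontains $s) { $problems += "unexpected target $s" } }
        if (($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) { $problems += 'protocol transition is off' }
        if (($uac -band $UAC_TRUSTED_FOR_DELEGATION) -ne 0)         { $problems += 'unconstrained delegation is ON' }
        if ($problems) { $ok = $false; Write-Warning ('{0}: {1}' -f $c, ($problems -join '; ')) }
        else           { Write-Host "${c}: KCD OK -> $($allowed -join ', ')" }
    }
    return $ok
}

# This section: ASA in front of the CAS array
Register-HttpSpn  -Spn 'http/mail.root.local' -Account 'CAS-Array-ASA'
Set-ConnectorKcd  -Connector 'AAP01','AAP02' -TargetSpn 'http/CAS-Array-ASA.root.local'
Test-ConnectorKcd -Connector 'AAP01','AAP02' -TargetSpn 'http/CAS-Array-ASA.root.local'

# Later sections, one SPN per CAS (uncomment as needed):
# Register-HttpSpn -Spn 'http/CAS01.root.local' -Account 'CAS01'
# Register-HttpSpn -Spn 'http/CAS02.root.local' -Account 'CAS02'
# Set-ConnectorKcd -Connector 'AAP01','AAP02' -TargetSpn 'http/CAS01.root.local','http/CAS02.root.local'
```

Run `Test-ConnectorKcd` again after any later change to the connectors or CAS servers: a connector that is allowed to delegate to a decommissioned CAS, or that has been flipped to unconstrained delegation, is exactly the kind of drift that is invisible in the Azure portal.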

      Using a Single Enterprise Application with a Single CAS

      1. In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01
        1. Open a command prompt with admin rights
        2. Run: setspn -A http/CAS01.root.local CAS01
        3. Confirm the setting took effect by running: setspn -L CAS01
      2. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 and AAP02 to CAS01, ‘http/CAS01.root.local’
        1. Open AD Users and Computers
        2. Search for AAP01 and go to its properties
        3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        4. Select ‘Use any authentication protocol’
        5. Click the Add button, then the ‘Users or Computers’ button
        6. Search for ‘CAS01’
        7. Scroll down and select the ‘http’ service before clicking the OK button
        8. Click OK to close the properties for AAP01
        9. Search for AAP02 and go to its properties
        10. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        11. Select ‘Use any authentication protocol’
        12. Click the Add button, then the ‘Users or Computers’ button
        13. Search for ‘CAS01’
        14. Scroll down and select the ‘http’ service before clicking the OK button
        15. Click OK to close the properties for AAP02
        16. Example:

      3. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
      4. Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
      5. In Azure AD, create a new Enterprise Application
      6. Use the following settings:
        1. Example name: On-premises OWA
        2. Internal URL: https://cas01.root.local/owa
        3. External URL: https://mail-mydomain.msappproxy.net/owa
        4. Pre Authentication: Azure Active Directory
        5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
        6. Backend Application Timeout: Default
        7. Use HTTP-Only Cookie: No
        8. Translate URLs in Headers: No
        9. Translate URLs in Application Body: No
        10. Example:

      7. Under the settings of the new Enterprise Application set the following:
        1. Users and Groups
          1. Add the users and/or groups that should have access
        2. Single sign-on

          1. Single Sign-on Mode: Integrated Windows Authentication
          2. Internal Application SPN: http/cas01.root.local
          3. Delegated Login Identity: User principal name
          4. Example:

      8. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
      9. With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa

      Note: In this scenario, should CAS01 become unavailable, OWA via https://mail.mydomain.com and https://mail.mydomain.com/owa will also become unavailable, and the redirection will need to be updated to point at a working CAS.

      Using 2 Enterprise Applications and 2 CAS

      1. In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01 and an SPN of ‘http/CAS02.root.local’ on CAS02
        1. Open a command prompt with admin rights
        2. Run: setspn -A http/CAS01.root.local CAS01
        3. Confirm the setting took effect by running: setspn -L CAS01
        4. Run: setspn -A http/CAS02.root.local CAS02
        5. Confirm the setting took effect by running: setspn -L CAS02
      2. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 to CAS01, ‘http/CAS01.root.local’ and set KCD on AAP02 to CAS02, ‘http/CAS02.root.local’
        1. Open AD Users and Computers
        2. Search for AAP01 and go to its properties
        3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        4. Select ‘Use any authentication protocol’
        5. Click the Add button, then the ‘Users or Computers’ button
        6. Search for ‘CAS01’
        7. Scroll down and select the ‘http’ service before clicking the OK button
        8. Click the Add button again
        9. Click the ‘Users or Computers’ button and search for ‘CAS02’
        10. Scroll down and select the ‘http’ service before clicking the OK button
        11. Click OK to close the properties for AAP01
        12. Search for AAP02 and go to its properties
        13. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
        14. Select ‘Use any authentication protocol’
        15. Click the Add button, then the ‘Users or Computers’ button
        16. Search for ‘CAS01’
        17. Scroll down and select the ‘http’ service before clicking the OK button
        18. Click the Add button again
        19. Click the ‘Users or Computers’ button and search for ‘CAS02’
        20. Scroll down and select the ‘http’ service before clicking the OK button
        21. Click OK to close the properties for AAP02
        22. Example:

      3. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
      4. Add AAP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
      5. In Azure AD, create a new Enterprise Application
      6. Use the following settings:
        1. Example name: On-premises OWA 1
        2. Internal URL: https://CAS01.root.local/owa
        3. External URL: https://mail1-mydomain.msappproxy.net/owa
        4. Pre Authentication: Azure Active Directory
        5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
        6. Backend Application Timeout: Default
        7. Use HTTP-Only Cookie: No
        8. Translate URLs in Headers: No
        9. Translate URLs in Application Body: No
        10. Example:

      7. Under the settings of the new Enterprise Application set the following:
        1. Users and Groups
          1. Add the users and/or groups that should be able to use this application
        2. Single sign-on

          1. Single Sign-on Mode: Integrated Windows Authentication
          2. Internal Application SPN: http/CAS01.root.local
          3. Delegated Login Identity: User principal name
          4. Example:

      8. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA

      9. In Azure AD, create a second new Enterprise Application
      10. Use the following settings:
        1. Internal URL: https://CAS02.root.local/owa
        2. External URL: https://mail2-mydomain.msappproxy.net/owa
        3. Pre Authentication: Azure Active Directory
        4. Connector Group: On-premOWAConnector (or whatever it was named earlier)
        5. Backend Application Timeout: Default
        6. Use HTTP-Only Cookie: No
        7. Translate URLs in Headers: No
        8. Translate URLs in Application Body: No
        9. Example:
      11. Under the settings of the new Enterprise Application set the following:
        1. Users and Groups
          1. Add the users and/or groups that should be able to use this application
        2. Single sign-on

          1. Single Sign-on Mode: Integrated Windows Authentication
          2. Internal Application SPN: http/CAS02.root.local
          3. Delegated Login Identity: User principal name
          4. Example:

      12. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA.

      13. With both Enterprise Applications confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail1-mydomain.msappproxy.net/owa and https://mail2-mydomain.msappproxy.net/owa in a ‘round robin’ fashion.

      Note: In this scenario, should CAS01 or CAS02 become unavailable, the affected server will need to be removed as a possible URL redirection on the load-balancing solution.
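The Azure AD half of the procedure (connector group, Application Proxy enterprise applications, Integrated Windows Authentication single sign-on, and user/group assignment), as an added example that is not part of the original post. It is written for the AzureAD PowerShell module and uses that module's cmdlet and parameter names as I know them; the URLs, SPNs and connector names are the post's example environment, while the group name `OWA-Pilot-Users`, the lookup of connectors by machine name, and the function names are assumptions for illustration. The two calls at the end reproduce this section's two-application design; the ASA and single-CAS designs earlier on the page are a single call with their own internal URL and SPN.

```powershell
# Added example (not from the original post): publish on-premises OWA through
# Azure AD Application Proxy with AAD pre-authentication and KCD-based SSO.
# Requires the AzureAD module and an account allowed to manage enterprise apps.
#Requires -Modules AzureAD
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Get-OrCreateConnectorGroup {
    param(
        [Parameter(Mandatory)][string]$Name,          # 'On-premOWAConnector'
        [Parameter(Mandatory)][string[]]$ConnectorMachine  # 'AAP01','AAP02'
    )
    $group = Get-AzureADApplicationProxyConnectorGroup | Where-Object Name -eq $Name
    if (-not $group) { $group = New-AzureADApplicationProxyConnectorGroup -Name $Name }
    # Move the named connector machines into the group (assumption: matched by MachineName)
    foreach ($conn in Get-AzureADApplicationProxyConnector) {
        if ($ConnectorMachine -icontains $conn.MachineName) {
            Set-AzureADApplicationProxyConnector -Id $conn.Id -ConnectorGroupId $group.Id
        }
    }
    return $group
}

function Publish-OwaApp {
    param(
        [Parameter(Mandatory)][string]$DisplayName,      # 'On-premises OWA 1'
        [Parameter(Mandatory)][string]$InternalUrl,      # https://CAS01.root.local/owa
        [Parameter(Mandatory)][string]$ExternalUrl,      # https://mail1-mydomain.msappproxy.net/owa
        [Parameter(Mandatory)][string]$InternalSpn,      # http/CAS01.root.local (must equal the KCD target)
        [Parameter(Mandatory)][string]$ConnectorGroupId,
        [Parameter(Mandatory)][string]$AssignGroupName   # placeholder group, e.g. 'OWA-Pilot-Users'
    )
    # Settings as listed in the post. AadPreAuthentication is the point at which the
    # tenant's MFA / Conditional Access policy is applied before any request reaches OWA.
    New-AzureADApplicationProxyApplication -DisplayName $DisplayName `
        -InternalUrl $InternalUrl -ExternalUrl $ExternalUrl `
        -ExternalAuthenticationType AadPreAuthentication `
        -ConnectorGroupId $ConnectorGroupId `
        -ApplicationServerTimeout Default `
        -IsHttpOnlyCookieEnabled $false `
        -IsTranslateHostHeaderEnabled $false `
        -IsTranslateLinksInBodyEnabled $false | Out-Null

    # Look the new app up by name so we have its ObjectId/AppId for the next steps
    $app = Get-AzureADApplication -Filter "displayName eq '$DisplayName'"
    if (-not $app) { throw "application '$DisplayName' not found after creation" }

    # Single sign-on: Integrated Windows Authentication, delegated identity = UPN
    Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $app.ObjectId `
        -SingleSignOnMode OnPremisesKerberos `
        -KerberosInternalApplicationSpn $InternalSpn `
        -KerberosDelegatedLoginIdentity UserPrincipalName

    # Users and groups: require assignment, then assign the chosen group
    $sp    = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
    $group = Get-AzureADGroup -Filter "displayName eq '$AssignGroupName'"
    if (-not $group) { throw "group '$AssignGroupName' not found" }
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null
    return $app
}

$cg = Get-OrCreateConnectorGroup -Name 'On-premOWAConnector' -ConnectorMachine 'AAP01','AAP02'

# Two applications, one per CAS, as in this section
$owa1 = Publish-OwaApp -DisplayName 'On-premises OWA 1' -InternalUrl 'https://CAS01.root.local/owa' `
    -ExternalUrl 'https://mail1-mydomain.msappproxy.net/owa' -InternalSpn 'http/CAS01.root.local' `
    -ConnectorGroupId $cg.Id -AssignGroupName 'OWA-Pilot-Users'
$owa2 = Publish-OwaApp -DisplayName 'On-premises OWA 2' -InternalUrl 'https://CAS02.root.local/owa' `
    -ExternalUrl 'https://mail2-mydomain.msappproxy.net/owa' -InternalSpn 'http/CAS02.root.local' `
    -ConnectorGroupId $cg.Id -AssignGroupName 'OWA-Pilot-Users'
```

The Internal Application SPN given here has to be the same string that appears in the connectors' msDS-AllowedToDelegateTo list on-premises; a mismatch produces a successful Azure AD sign-in followed by a Kerberos failure from the connector, which is the first thing to compare when the ‘Test Application’ step fails after MFA. Requiring assignment on the service principal keeps the published OWA limited to the group you chose, matching the Users and Groups step of the post.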
