As most organizations move to Office 365, there is normally a period of co-existence.  During this time, organizations may choose to take advantage of Azure MFA prior to the completion of a mailbox migration.  In these cases, organizations may want to incorporate Azure MFA for their current on-premises Exchange OWA environment.

This can be accomplished by publishing the on-premises OWA as an enterprise application in Azure.

Example Environment Specifics Used Below:

  • On-premises App Proxy:
    • AAP01
    • AAP02 (having a second is recommended)
  • Exchange CAS:
    • CAS01
    • CAS02
  • CAS Array:
    • CAS-Array-ASA
  • Active Directory Forest:
    • local
  • External namespace:
    • com

Using Alternate Service Account (ASA)

  1. This option assumes you have already setup an ASA for Exchange using: https://docs.microsoft.com/en-us/exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?view=exchserver-2019
  2. In on-premises AD, set an SPN of ‘http/mail.root.local’ on CAS-Array-ASA
    1. Open a command prompt with admin rights
    2. Run: setspn -A http/mail.root.local CAS-Array-ASA
    3. Confirm the setting took effect by running: setspn -L CAS-Array-ASA
  3. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 and AAP02 to CAS-Array-ASA, ‘http/CAS-Array-ASA.root.local’
    1. Open AD Users and Computers
    2. Search for AAP01 and go to its properties
    3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    4. Select ‘Use any authentication protocol’
    5. Click the Add button, then the ‘Users or Computers’ button
    6. Search for ‘CAS-Array-ASA’
    7. Scroll down and select the ‘http’ service before clicking the OK button
    8. Click OK to close the properties for AAP01
    9. Search for AAP02 and go to its properties
    10. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    11. Select ‘Use any authentication protocol’
    12. Click the Add button, then the ‘Users or Computers’ button
    13. Search for ‘CAS-Array-ASA’
    14. Scroll down and select the ‘http’ service before clicking the OK button
    15. Click OK to close the properties for AAP02
    16. Example:
  4. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-PremOWAConnector’
  5. Add AAP01 and AAP02 to the newly created ‘On-PremOWAConnector’ Connector Group
  6. In Azure AD, create a new Enterprise Application
  7. Use the following settings:
    1. Example name: On-premises OWA
    2. Internal URL: https://mail.root.local/owa
    3. External URL: https://mail-mydomain.msappproxy.net/owa
    4. Pre Authentication: Azure Active Directory
    5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
    6. Backend Application Timeout: Default
    7. Use HTTP-Only Cookie: No
    8. Translate URLs in Headers: No
    9. Translate URLs in Application Body: No
    10. Example:

  8. Under the settings of the new Enterprise Application set the following:
    1. Users and Groups
      1. Add the users and/or groups that should be able to use this application
    2. Single sign-on

      1. Single Sign-on Mode: Integrated Windows Authentication
      2. Internal Application SPN: http/CAS-Array-ASA.root.local
      3. Delegated Login Identity: User principal name
      4. Example:
  1. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
  2. With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa

Using a Single Enterprise Application with a Single CAS

  1. In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01
    1. Open a command prompt with admin rights
    2. Run: setspn -A http/CAS01.root.local CAS01
    3. Confirm the setting took effect by running: setspn -L CAS01
  2. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 to CAS01, ‘http/CAS01.root.local’
    1. Open AD Users and Computers
    2. Search for AAP01 and go to its properties
    3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    4. Select ‘Use any authentication protocol’
    5. Click the Add button, then the ‘Users or Computers’ button
    6. Click OK to close the properties for AAP01
    7. Search for ‘CAS01’
    8. Scroll down and select the ‘http’ service before clicking the OK button
    9. Search for AAP02 and go to its properties
    10. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    11. Select ‘Use any authentication protocol’
    12. Click the Add button, then the ‘Users or Computers’ button
    13. Search for ‘CAS01’
    14. Scroll down and select the ‘http’ service before clicking the OK button
    15. Click OK to close the properties for AAP02
    16. Example:

  3. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-premOWAConnector’
  4. Add APP01 and AAP02 to the newly created ‘On-premOWAConnector’ Connector Group
  5. In Azure AD, create a new Enterprise Application
  6. Use the following settings:
    1. Example name: On-premises OWA
    2. Internal URL: https://cas01.root.local/owa
    3. External URL: https://mail-mydomain.msappproxy.net/owa
    4. Pre Authentication: Azure Active Directory
    5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
    6. Backend Application Timeout: Default
    7. Use HTTP-Only Cookie: No
    8. Translate URLs in Headers: No
    9. Translate URLs in Application Body: No
    10. Example:

  7. Under the settings of the new Enterprise Application set the following:
    1. Users and Groups
      1. Add the users and/or groups that should have access
    2. Single sign-on

      1. Single Sign-on Mode: Integrated Windows Authentication
      2. Internal Application SPN: http/cas01.root.local
      3. Delegated Login Identity: User principal name
      4. Example:

  1. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA
  2. With the Enterprise Application confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail-mydomain.msappproxy.net/owa

Note: In this scenario, should CAS01 become unavailable, OWA via https://mail.mydomain.com and https://mail.mydomain.com/owa will also become unavailable and the redirection will need to be updated

Using 2 Enterprise Applications and 2 CAS

  1. In on-premises AD, set an SPN of ‘http/CAS01.root.local’ on CAS01 and an SPN of ‘http/CAS02.root.local’ on CAS02
    1. Open a command prompt with admin rights
    2. Run: setspn -A http/CAS01.root.local CAS01
    3. Confirm the setting took effect by running: setspn -L CAS01
    4. Run: setspn -A http/CAS02.root.local CAS02
    5. Confirm the setting took effect by running: setspn -L CAS02
  2. In on-premises AD, set KCD (Kerberos Constrained Delegation) on AAP01 to CAS01, ‘http/CAS01.root.local’ and set KCD on AAP02 to CAS02, ‘http/CAS02.root.local’
    1. Open AD Users and Computers
    2. Search for AAP01 and go to its properties
    3. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    4. Select ‘Use any authentication protocol’
    5. Click the Add button, then the ‘Users or Computers’ button
    6. Search for ‘CAS01’
    7. Scroll down and select the ‘http’ service before clicking the OK button
    8. Click the Add button again
    9. Click the ‘Users or Computers’ button and search for ‘CAS02’
    10. Scroll down and select the ‘http’ service before clicking the OK button
    11. Click OK to close the properties for AAP01
    12. Search for AAP02 and go to its properties
    13. On the delegation tab, choose ‘Trust this computer for delegation to specified services only’
    14. Select ‘Use any authentication protocol’
    15. Click the Add button, then the ‘Users or Computers’ button
    16. Search for ‘CAS01’
    17. Scroll down and select the ‘http’ service before clicking the OK button
    18. Click the Add button again
    19. Click the ‘Users or Computers’ button and search for ‘CAS02’
    20. Scroll down and select the ‘http’ service before clicking the OK button
    21. Click OK to close the properties for AAP02
    22. Example:

  3. In Azure AD, under Application Proxy, create a new Connector Group named something like ‘On-PremOWAConnector’
  4. Add AAP01 and AAP02 to the newly created ‘On-PremOWAConnector’ Connector Group
  5. In Azure AD, create a new Enterprise Application
  6. Use the following settings:
    1. Example name: On-premises OWA 1
    2. Internal URL: https://CAS01.root.local/owa
    3. External URL: https://mail1-mydomain.msappproxy.net/owa
    4. Pre Authentication: Azure Active Directory
    5. Connector Group: On-premOWAConnector (or whatever it was named earlier)
    6. Backend Application Timeout: Default
    7. Use HTTP-Only Cookie: No
    8. Translate URLs in Headers: No
    9. Translate URLs in Application Body: No
    10. Example:

  7. Under the settings of the new Enterprise Application set the following:
    1. Users and Groups
      1. Add the users and/or groups that should be able to use this application
    2. Single sign-on

      1. Single Sign-on Mode: Integrated Windows Authentication
      2. Internal Application SPN: http/CAS01.root.local
      3. Delegated Login Identity: User principal name
      4. Example:

8. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA

9. In Azure AD, create a new Enterprise Application10. Use the following settings:

10. Use for the following settings:

  1. Internal URL: https://CAS02.root.local/owa
  2. External URL: https://mail2-mydomain.msappproxy.net/owa
  3. Pre Authentication: Azure Active Directory
  4. Connector Group: OWA (or whatever it was named earlier)
  5. Backend Application Timeout: Default
  6. Use HTTP-Only Cookie: No
  7. Translate URLs in Headers: No
  8. Translate URLs in Application Body: No
  9. Example:
    11. Under the settings of the new Enterprise Application set the following:

    1. Users and Groups
      1. Add the users and/or groups that should be able to use this application
    2. Single sign-on

      1. Single Sign-on Mode: Integrated Windows Authentication
      2. Internal Application SPN: http/CAS02.root.local
      3. Delegated Login Identity: User principal name
      4. Example:

12. Using the ‘Test Application’ button on the properties tab of the Enterprise Application, ensure the on-premises OWA page comes up using Azure MFA.

13. With both Enterprise Applications confirmed working, the chosen redirection method for https://mail.mydomain.com and https://mail.mydomain.com/owa can be updated to route traffic to https://mail1-mydomain.msappproxy.net/owa and https://mail2-mydomain.msappproxy.net/owa in a ‘round robin’ fashion

Note: In this scenario, should CAS01 or CAS02 become unavailable, the affected server will need to be removed as a possible URL redirection on the load-balancing solution.