Administration & Security 2026 IT systems house

Modern Authentication & MFA for On-Prem Exchange

Introduced ADFS with an external identity provider to secure the on-prem Exchange Server SE with Modern Authentication (OAuth 2.0) and TOTP MFA — away from Basic Auth.

  • ADFS
  • Exchange Server SE
  • OAuth 2.0
  • TOTP/MFA
  • Windows Server

Status & progress

Status: Completed
Duration: ~2 weeks

Completed

  • Introduced ADFS as the central federation service
  • Connected an external identity provider (federation/claims trust)
  • Enabled Modern Authentication (OAuth 2.0) for Exchange SE
  • Disabled Basic Authentication consistently
  • Enforced TOTP as the second factor
  • Secured access for OWA, Outlook & mobile clients

Starting point

Access to the on-prem Exchange ran on Basic Authentication — username and password, without a second factor. For a mail server reachable from the internet that is a well-known entry point: password spraying and stolen credentials lead straight into the mailbox.

Solution

A federation and MFA layer placed in front of Exchange.

  • ADFS introduced as the central federation service.
  • External identity provider connected as a federation/claims trust.
  • Modern Authentication (OAuth 2.0) enabled for Exchange Server SE — Outlook, OWA and mobile clients authenticate with tokens instead of a plaintext password.
  • Basic Auth switched off consistently.
  • TOTP enforced as the second factor (authenticator app).
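The Exchange-side part of the list above (registering ADFS as the OAuth 2.0 authorization server, enabling Modern Authentication, blocking Basic Auth for every protocol) expressed as Exchange Management Shell commands. This is an added illustration, not the project's own script; the ADFS farm name `adfs.example.com` and the policy name `Block Legacy Auth` are assumptions, and the ADFS-side configuration (claims provider trust to the external identity provider, TOTP enforcement) is not shown.

```powershell
# Added example (not from the project page). Assumed names:
# adfs.example.com = the ADFS farm, 'Block Legacy Auth' = policy name chosen here.

# 1. Register ADFS as the OAuth 2.0 authorization server that Exchange trusts.
New-AuthServer -Type ADFS -Name 'ADFS-Corp' `
    -AuthMetadataUrl 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# 2. Allow Outlook, OWA and mobile clients to authenticate with OAuth 2.0 tokens.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 3. Block Basic/legacy authentication on every protocol that still accepts it.
New-AuthenticationPolicy -Name 'Block Legacy Auth' `
    -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap `
    -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
    -BlockLegacyAuthPowerShell -BlockLegacyAuthRpc -BlockLegacyAuthWebServices

# Make it the organization default so it applies to all users, not per mailbox.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Legacy Auth'

# 4. Verify: every BlockLegacyAuth* flag is True, OAuth is on, ADFS is registered.
Get-AuthenticationPolicy 'Block Legacy Auth' | Format-List BlockLegacyAuth*
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy
Get-AuthServer | Format-List Name, Type, Enabled, AuthMetadataUrl
```

Set the default policy only after clients have been confirmed to sign in through OAuth, because the block applies organization-wide and any client still on Basic Auth loses access at that point.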

Result

The mail server is far harder to attack: no more Basic Auth, every access through modern tokens and a second factor. For users it stays simple — sign in, confirm MFA, done.

Sounds like something you need too?

Start a project