Administration & Security 2026 IT systems house
Modern Authentication & MFA for On-Prem Exchange
Introduced ADFS with an external identity provider to secure the on-prem Exchange Server SE with Modern Authentication (OAuth 2.0) and TOTP MFA — away from Basic Auth.
- ADFS
- Exchange Server SE
- OAuth 2.0
- TOTP/MFA
- Windows Server
Status & progress
Status: completed. Duration: ~2 weeks.
Completed
- Introduced ADFS as the central federation service
- Connected an external identity provider (federation/claims trust)
- Enabled Modern Authentication (OAuth 2.0) for Exchange SE
- Disabled Basic Authentication consistently
- Enforced TOTP as the second factor
- Secured access for OWA, Outlook & mobile clients
Starting point
Access to the on-prem Exchange ran on Basic Authentication — username and password, without a second factor. For a mail server reachable from the internet that is a well-known entry point: password spraying and stolen credentials lead straight into the mailbox.
Solution
A federation and MFA layer placed in front of Exchange.
- ADFS introduced as the central federation service.
- External identity provider connected as a federation/claims trust.
- Modern Authentication (OAuth 2.0) enabled for Exchange Server SE — Outlook, OWA and mobile clients authenticate with tokens instead of a plaintext password.
- Basic Auth switched off consistently.
- TOTP enforced as the second factor (authenticator app).
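The Exchange-side part of the procedure above, as an added illustration written for this page (not the systems house's own scripts), run from the Exchange Management Shell on Exchange Server 2019 CU2+ / SE: claims-based ADFS authentication for OWA/ECP, a Basic Auth block for every protocol, and the checks to confirm both took effect. The ADFS hostname, OWA/ECP URLs and certificate thumbprint are placeholders; the second factor itself is enforced on the ADFS/IdP side and is not shown here.

```powershell
# Added example for Exchange Server 2019 CU2+ / SE. Hostnames, URLs and the
# thumbprint are placeholders; replace them with the values of your own ADFS farm.
$AdfsHost   = "adfs.example.com"                      # placeholder federation service host
$OwaUrl     = "https://mail.example.com/owa/"         # placeholder external OWA URL
$EcpUrl     = "https://mail.example.com/ecp/"         # placeholder external ECP URL
$Thumbprint = "<ADFS-TOKEN-SIGNING-CERT-THUMBPRINT>"  # placeholder, ADFS token-signing cert

# 1. Tell Exchange which issuer to trust and which certificate signs its tokens.
Set-OrganizationConfig -AdfsIssuer "https://$AdfsHost/adfs/ls/" `
    -AdfsAudienceUris @($OwaUrl, $EcpUrl) `
    -AdfsSignCertificateThumbprint $Thumbprint

# 2. Switch OWA and ECP to ADFS claims authentication and turn every
#    password-based method (forms, Windows, digest, Basic) off on those vdirs.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false `
    -DigestAuthentication $false -BasicAuthentication $false
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -WindowsAuthentication $false -FormsAuthentication $false `
    -DigestAuthentication $false -BasicAuthentication $false

# 3. Block Basic Authentication for all client protocols (ActiveSync, IMAP, POP,
#    MAPI, RPC, EWS, SMTP, PowerShell, ...) and make that policy the org default.
New-AuthenticationPolicy -Name "Block Basic Auth" `
    -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap `
    -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
    -BlockLegacyAuthPowerShell -BlockLegacyAuthReportingWebServices -BlockLegacyAuthRpc `
    -BlockLegacyAuthSmtp -BlockLegacyAuthWebServices
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 4. Verify: every BlockLegacyAuth* flag reads True, the policy is the default,
#    and no OWA vdir still answers with forms or Basic authentication.
Get-AuthenticationPolicy "Block Basic Auth" | Format-List Name, BlockLegacyAuth*
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy, AdfsIssuer, AdfsAudienceUris
Get-OwaVirtualDirectory | Format-Table Server, AdfsAuthentication, FormsAuthentication, BasicAuthentication
```

Restart IIS (`iisreset`) after step 2 so the virtual directory changes take effect; the authentication policy in step 3 applies without a restart but can take up to 24 hours to reach existing user sessions unless set per mailbox with `Set-User -AuthenticationPolicy`.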
Result
The mail server is far harder to attack: no more Basic Auth, every access through modern tokens and a second factor. For users it stays simple — sign in, confirm MFA, done.