Solve the Outlook on the Web (OWA) MFA puzzle
UserLock simplifies Outlook on the Web (formerly OWA) MFA for Active Directory environments.
Updated March 30, 2026
Protecting an email server is one of the hardest jobs in IT security. Admins must defend the email server without full control over the devices connecting to it. And, even as Microsoft pushes Exchange Online, many organizations still run Exchange servers on-premise. If yours is one of them, here's how to enable multi-factor authentication (MFA) on remote email access without turning security into its own problem.
For years, receiving business email meant running a dedicated client like Outlook. Today, with teams remote or hybrid, users access the same messaging and calendaring functions through a web browser, often without noticing the difference.
Users win because they can access their email from any device without installing a special application. Organizations win too because they can centralize email access security and data management. But that convenience comes with real risk.
In Windows environments, web-based access to Exchange email runs through Outlook on the Web (formerly Outlook Web Access, or OWA), available on Microsoft 365, Exchange Server 2016, and Exchange Server 2019.
OWA connects to either Exchange Online (Microsoft's cloud-based email) or to an on-premise Exchange server via IIS, with authentication handled by the Exchange Client Access Service (CAS).
In the Microsoft 365 scenario, admins simply enable it as part of their subscription. However, with an on-premise Exchange server, organizations must configure the backend infrastructure and security for themselves.
Note: If you're managing email servers running Exchange Server 2013 or 2010, you're using the Outlook Web App. Learn how to secure remote access to an Exchange 2013 mailbox.
Many organizations choose to keep Exchange on-premise to:
Avoid subscription costs associated with Exchange Online
Keep email data on-site for compliance requirements
Maintain compatibility with legacy applications
The trade-off is clear: on-premise OWA offers real convenience, but significantly raises access security risk.
Read more about securing access to an on-premises Microsoft Exchange server.
For years, threat actors have targeted online and on-premise OWA, and attacks keep getting more sophisticated.
In 2023, Microsoft revealed that a group called Storm-0558 had gained unauthorized access to the email systems of at least 25 organizations by forging authentication tokens used by online OWA and Outlook.com.
Before that, the 2021 “ProxyLogon” campaign saw at least ten threat groups chain four zero-day vulnerabilities against an estimated 250,000 on-premise Exchange servers worldwide, hitting many SMBs.
Preventing unauthorized access to on-premise Exchange is non-negotiable. The problem is that implementing strong access controls like MFA can quickly become complex.
With on-premise servers, OWA is a public-facing connection. All that an attacker needs is a server address and one set of valid credentials, both of which are easy to get through research, phishing, or brute force.
Once inside, attackers can:
Run internal phishing attacks against other employees
Search for other credentials, such as those used to access the corporate VPN
Exploit Microsoft Exchange Server vulnerabilities to obtain a remote shell (the ability to execute commands remotely)
Use OWA as a bridgehead to compromise domain controllers and other internal infrastructure
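Because the OWA logon form is reachable by anyone who knows the server address, password guessing shows up in the Exchange front end's IIS logs before anything else. The script below is an added example, not code from the original article or from UserLock: it reads a constructed excerpt of an IIS W3C log and flags source IPs that post to the OWA logon handler more than a threshold number of times inside a sliding window. It assumes the default W3C field set and that the forms-based logon posts to `/owa/auth.owa`; both are labelled as assumptions in the code, and the sample traffic is invented.

```python
"""Flag bursts of OWA forms-based logon attempts in IIS W3C logs.

Added example, not the article's or UserLock's own code. Assumptions:
  * the Exchange front end logs in W3C format with a '#Fields:' directive
    (default IIS behaviour), and
  * the OWA logon form posts to /owa/auth.owa (Exchange 2013 and later).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one normal logon from
# 198.51.100.7, then twelve POSTs in about a minute from 203.0.113.10.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-30 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2026-03-30 09:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302
2026-03-30 09:00:06 10.0.0.5 GET /owa/ - 443 EXAMPLE\\alice 198.51.100.7 Mozilla/5.0 200
2026-03-30 09:01:00 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:10 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:15 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:20 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:25 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:30 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:35 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:40 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:45 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:50 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
2026-03-30 09:01:55 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 python-requests/2.31 302
"""


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field list may change mid-file; take the latest
            continue
        if line.startswith("#"):
            continue                     # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue                     # truncated or garbled line: skip, do not crash
        yield dict(zip(fields, parts))


def logon_attempts(records, logon_path="/owa/auth.owa"):
    """Yield (timestamp, client_ip) for each POST to the OWA logon handler (assumed path)."""
    for rec in records:
        if rec["cs-method"].upper() == "POST" and rec["cs-uri-stem"].lower() == logon_path:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, rec["c-ip"]


def detect_logon_bursts(log_text, window=timedelta(minutes=5), threshold=10):
    """Return {client_ip: peak attempts within `window`} for IPs reaching `threshold`."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip in sorted(logon_attempts(parse_w3c(log_text))):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # slide the window forward
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in detect_logon_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} OWA logon attempts within 5 minutes")
```

The IIS log does not say whether a logon succeeded: a forms-based logon returns a redirect either way, so this only measures attempt volume per source. Treat a hit as a lead to correlate with failed-logon events (4625) in the Exchange server's Security log and with the accounts being targeted, not as proof of compromise, and remember that a low-and-slow attacker spreading guesses across many IPs will stay under any per-IP threshold, which is exactly why MFA on the logon itself is the control that matters.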
Exchange is aging, complex software, which raises the likelihood of serious vulnerabilities. Patching isn't always straightforward, and some organizations keep running older, more exposed versions long after fixes ship. The underlying problem is consistent: the infrastructure that on-premise email access depends on is increasingly difficult to defend.
Multi-factor authentication (MFA) is the logical solution to protect OWA access. Adding a second authentication factor before granting access dramatically lowers the risk of credential compromise.
The problem is that implementing MFA for OWA is complicated. There's no single, clean native Microsoft option. Typically, Microsoft pushes organizations toward Active Directory Federation Services (AD FS), which means standing up federation and Web Application Proxy servers, or toward Entra ID’s Application Proxy, which requires Entra ID P1 or P2 licensing and routes OWA traffic through Microsoft's cloud. Both have drawbacks depending on your infrastructure and licensing situation.
Native Microsoft solutions add complexity to the network. This makes managing OWA access harder for admins, not easier. UserLock is designed to remove that friction.
UserLock MFA implementation is quick and easy:
Install the UserLock server
Deploy the MFA agent for OWA on your existing IIS server. No additional infrastructure required.
Configure granular MFA rules across existing AD users, groups, and organizational units (OUs).
When a user authenticates to OWA, they enter their Windows credentials as normal. UserLock's OWA agent then issues an MFA prompt.
IT can enable up to two MFA methods per user, including:
Push notifications
Authenticator apps
MFA security keys or hardware tokens (YubiKey, Token2, etc.)
UserLock extends MFA and access controls across multiple session types:
Remote Desktop (RDP & RD Gateway)
VDI sessions
Windows UAC prompts
Admins also get full control over MFA frequency with granular, session-based rules.

Read more about how to secure remote access to an Exchange mailbox with UserLock
Any organization giving users email access via OWA should implement MFA by default. The risk of not doing so is too great.
Attackers know how easy passwords are to phish and brute force, and they actively target environments where MFA isn't in use.
Compromising just one set of credentials is enough to gain a foothold, which makes any MFA-free access point a fundamental vulnerability.
MFA is proven to reduce the risk of credential compromise. The reason it isn't universally applied comes down to complexity: for on-premise email servers, enabling MFA for OWA often requires additional software, expertise, and infrastructure. That's enough to put off admins looking for a straightforward OWA access security solution.
UserLock cuts through that complexity. Built for on-premise and hybrid Active Directory environments, it makes OWA MFA implementation fast and manageable. Plus, it extends that same protection across multiple connection types. Organizations get secure remote access to on-premise Exchange without convoluted workarounds, expensive upgrades, or replacing existing infrastructure.