---
title: "UserLock MFA for OWA"
description: "UserLock makes Outlook on the Web (OWA) MFA implementation fast and manageable for on-premises and hybrid Active Directory."
locale: "en"
updated_at: "2026-03-30T09:49:12.152Z"
canonical: "https://www.isdecisions.com/en/blog/mfa/how-userlock-solves-the-outlook-on-the-web-owa-mfa-puzzle"
---

# Solve the Outlook on the Web (OWA) MFA puzzle 

_UserLock simplifies Outlook on the Web (formerly OWA) MFA for Active Directory environments._

**Protecting an email server is one of the hardest jobs in IT security. Admins must defend the email server without full control over the devices connecting to it. And, even as Microsoft pushes Exchange Online, many organizations still run Exchange servers on-premise. If yours is one of them, here's how to enable ****[multi-factor authentication (MFA)](/userlock/features/multi-factor-authentication-mfa-active-directory)**** on remote email access without turning security into its own problem.**

## The challenge of secure remote email access

For years, receiving business email meant running a dedicated client like Outlook. Today, with teams remote or hybrid, users access the same messaging and calendaring functions through a web browser, often without noticing the difference.

Users win because they can access their email from any device without installing a special application. Organizations win too because they can centralize email access security and data management. But that convenience comes with real risk.

## How Outlook on the Web (OWA) solves the remote access security problem

In Windows environments, web-based access to Exchange email runs through  [Outlook on the Web](https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Outlook-on-the-web-formerly-Outlook-Web-App-OWA) (formerly Outlook Web Access, or OWA), available on Microsoft 365, Exchange Server 2016, and Exchange Server 2019.

OWA connects to either [Exchange Online](https://learn.microsoft.com/en-us/exchange/exchange-online) (Microsoft's cloud-based email) or to an on-premise Exchange server via IIS, with authentication handled by the Exchange Client Access Service (CAS). 

In the [Microsoft 365](/blog/sso/managing-access-microsoft365-cloud-applications) scenario, admins simply enable it as part of their subscription. However, with an on-premise Exchange server, organizations must configure the backend infrastructure and security for themselves.

Note: If you're managing email servers running Exchange Server 2013 or 2010, you're using the Outlook Web App. [Learn how to secure remote access to an Exchange 2013 mailbox.](/blog/access-management/secure-remote-access-to-an-exchange-2013-mailbox)

## The need to secure on-premise Exchange

Many organizations choose to keep Exchange on-premise to:

- **Avoid subscription costs **associated with Exchange Online
- **Keep email data on-site** for compliance requirements
- **Maintain compatibility **with legacy applications

The trade-off is clear: on-premise OWA offers real convenience, but significantly raises access security risk.

**Read more about **[securing access to an on-premises Microsoft Exchange server](/blog/access-management/securing-access-on-premises-exchange-server).

### Why attacks target OWA

For years, threat actors have targeted online and on-premise OWA, and attacks keep getting more sophisticated.

In 2023, [Microsoft revealed that a group called Storm-0558 had gained unauthorized access](https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/) to the email systems of at least 25 organizations by forging authentication tokens used by online OWA and Outlook.com.

Before that, the 2021 “ProxyLogon” attack saw ten cybercrime groups [target Exchange Servers with four zero-day exploits](https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) across an estimated 250,000 on-premise Exchange servers worldwide, hitting many SMBs.

Preventing unauthorized access to [on-premise Exchange](/blog/access-management/securing-access-on-premises-exchange-server) is non-negotiable. The problem is that implementing strong access controls like MFA can quickly become complex.

### OWA compromise: the nightmare scenario

With on-premise servers, OWA is a public-facing connection. All that an attacker needs is a server address and one set of valid credentials, both of which are easy to get through research, phishing, or brute force.

Once inside, attackers can: 

- **Run internal phishing attacks** against other employees
- **Search for other credentials**, such as those used to access the corporate VPN
- **Exploit ****[Microsoft Exchange Server](/blog/access-management/securing-access-on-premises-exchange-server)**** vulnerabilities **to obtain a remote shell (the ability to execute commands remotely)
- **Use OWA as a bridgehead** **to compromise domain controllers** and other internal infrastructure

### What makes on-premise OWA so risky?

Exchange is aging, complex software, which raises the likelihood of serious vulnerabilities. Patching them isn't always straightforward, and some organizations continue running older, more vulnerable versions. The underlying problem is consistent: the infrastructure that on-premise email access depends on is aging and increasingly difficult to defend.

## Implementing MFA for OWA

[Multi-factor authentication (MFA)](/userlock/features/multi-factor-authentication-mfa-active-directory) is the logical solution to protect OWA access. Adding a second authentication factor before granting access dramatically lowers the risk of credential compromise.

The problem is that implementing MFA for OWA is complicated. There's no single, clean native Microsoft option. Typically, Microsoft pushes organizations toward Active Directory Federation Services (AD FS) or to Entra ID’s Application Proxy, both of which have drawbacks depending on your infrastructure and licensing situation.

## How UserLock keeps on-premise OWA MFA simple

Native Microsoft solutions add complexity to the network. This makes managing OWA access harder for admins, not easier. UserLock is designed to remove that friction. 

### Implementing UserLock MFA for OWA

UserLock [MFA implementation](/userlock/docs/guides/mfa-implementation/) is quick and easy: 

1. Install the UserLock server
2. Deploy the MFA agent for OWA on your existing IIS server. No additional infrastructure required.
3. Configure granular MFA rules across existing AD users, groups, and organizational units (OUs).

When a user authenticates to OWA, they enter their Windows credentials as normal. UserLock's OWA agent then issues an MFA prompt. 

IT can enable in up to two [MFA methods](/userlock/features/mfa-methods) per user, including:

- Push notifications
- Authenticator apps
- MFA security keys or hardware tokens (YubiKey, Token2, etc.)

UserLock extends MFA and access controls across multiple session types:

- [Windows logins](/userlock/features/mfa-for-windows-login)
- [MFA for VPN](/userlock/features/secure-mfa-for-vpn)
- [IIS](/userlock/features/mfa-for-iis-apps)
- [SaaS](/userlock/features/mfa-for-saas)
- Remote Desktop ([RDP & RD Gateway](/userlock/features/mfa-for-rdp-rd-gateway))
- VDI sessions
- Windows UAC prompts

Admins also get full control over MFA frequency with granular, session-based rules.

![Granular control MFA](https://a.storyblok.com/f/122374/738x344/39440fad5d/granular-control-mfa.png)

**Read more about ****[how to secure remote access to an Exchange mailbox with UserLock](/blog/access-management/secure-remote-access-to-an-exchange-2013-mailbox)**

## MFA: Essential to secure OWA

Any organization giving users email access via OWA should implement MFA by default. The risk of not doing so is too great.

Attackers know how easy passwords are to phish and brute force, and they actively target environments where MFA isn't in use. 

Compromising just one set of credentials is enough to gain a foothold, which makes any MFA-free access point a fundamental vulnerability.

MFA is proven to [reduce the risk of credential compromise](/blog/mfa/multifactor-authentication-compromised-credentials). The reason it isn't universally applied comes down to complexity: for on-premise email servers, enabling MFA for OWA often requires additional software, expertise, and infrastructure. That's enough to put off admins looking for a straightforward OWA access security solution.

UserLock cuts through that complexity. Built for on-premise and hybrid Active Directory environments, it makes OWA MFA implementation fast and manageable. Plus, it extends that same protection across multiple connection types. Organizations get [secure remote access](/userlock/solutions/secure-remote-access) to on-premise Exchange without convoluted workarounds, expensive upgrades, or replacing existing infrastructure.
