I'm working on securing Exchange. For ActiveSync we'll do CBA. For Outlook we'll do WAF to lock down what networks can connect (offsite access will be allowed through DirectAccess) to try to limit Outlook access to domain machines. OWA is the tricky one. We currently sync with Okta, and also use AAD Connect to sync with Office 365 for hybrid. We don't put mailboxes in the cloud, only archives, and we use it for inbound SMTP. We have WS-Fed configured with Okta so O365 automatically redirects users to Okta to auth. We use Okta MFA to protect cloud apps and are implementing a partner connector for Okta MFA to protect RDP. That just leaves on-prem OWA. I was going to set up Azure App Proxy (tested and it works) but we'd have to license users for AAD for that. I'm also considering using the Kemp Azure load balancer as I think it can talk directly to Azure AD DS - not sure if that would allow us to leverage Okta MFA since Office 365 already recognizes Okta as our federated auth provider...