LoginTC OWA Connector ActiveSync and Outlook App Access

The LoginTC OWA Connector adds a two-factor authentication prompt to Outlook on the web (formerly Outlook Web App). The LoginTC OWA Connector does not have any impact on ActiveSync, Outlook App authentication or other Exchange mail protocols such as POP3 and IMAP. In most cases, these other protocols should be either disabled or protected in another way to ensure that all access to your Exchange is protected with two-factor authentication.

Protecting ActiveSync and Outlook App Access

The LoginTC OWA Connector does not add two-factor authentication to ActiveSync or Outlook App Access. Users will be able to continue to access their email using native ActiveSync email clients (such as Mail on iOS) or using the Outlook App.

Options for protecting ActiveSync and Outlook App Access:

• Configure Exchange to use Modern Authentication with AD FS and the LoginTC AD FS Connector (Only available for Office 365 or Office 365 Hybrid deployments)
• Restrict ActiveSync to VPN-connected devices
• Disable ActiveSync

Office 365 and Office 365 Hybrid Deployment Modern Authentication with the LoginTC AD FS Connector

In addition to protecting your Outlook on the web (formerly Outlook Web App) access with the LoginTC OWA Connector, you can protect native ActiveSync email client and Outlook App access using the LoginTC AD FS Connector.

1. Configure your Office 365 Hybrid Deployment to use Modern Authentication with AD FS
2. Install the LoginTC AD FS Connector on your AD FS server
3. Connect to your mailbox using native ActiveSync email clients (such as Mail on iOS) or using the Outlook App
4. Enter the user username and password at the prompt (web-based window or popup)
5. Complete the LoginTC authentication at the secondary screen in the prompt (web-based window or popup)
6. Occasionally re-authenticate with both first and second factor (depending on Exchange policies)

Resources:

• Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers
• How to configure Exchange Server on-premises to use Hybrid Modern Authentication
• Two-factor authentication for AD FS on Windows Server 2016 and 2019

VPN-restricted ActiveSync with the LoginTC RADIUS Connector

Access to ActiveSync can be restricted to internal or VPN traffic while leaving OWA exposed to the internet. Your VPN can then be protected with two-factor authentication using a LoginTC connector for your VPN. See LoginTC 2FA for Remote Access and VPN for more information.

Resources:

• Restricting access to Exchange ActiveSync
• LoginTC Connectors for VPNs

Disable ActiveSync

ActiveSync can be disabled for your users, forcing them to use the web-based Outlook on the web (formerly Outlook Web App).

Resources:

• Enable or disable Exchange ActiveSync for a mailbox in Exchange Online

Protecting POP3, IMAP Access

POP3 and IMAP can be protected in the same ways as ActiveSync and Outlook App Access with the exception of Modern Authentication.