MFA for OWA Login

Note: MFA for OWA logins requires the Professional edition of ADSelfService Plus with Endpoint MFA.

With this setting, you can enable MFA for Outlook on the Web (OWA) and Exchange admin center logins to add an additional layer of security to your Exchange environment.

How it works

MFA for OWA
  • The user attempts to log in to OWA or the Exchange admin center.
  • The user completes primary authentication (password) in OWA.
  • If primary authentication succeeds, OWA passes a request to the ADSelfService Plus MFA Connector, which instructs ADSelfService Plus to proceed with the configured MFA factors.
  • If the user completes all required MFA factors successfully, they are granted access to OWA or the Exchange admin center.

Note: MFA for OWA logins is supported for the following Exchange versions:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Enabling MFA for OWA

Before you start:

  • Ensure that ADSelfService Plus is configured to use only the HTTPS protocol.
  • Install the ADSelfService Plus SSL certificate on the Exchange server.

Step 1: Configuring MFA for OWA

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for OWA Login.
  2. Click the Choose the Policy drop-down and select a policy. This will determine which authentication methods are enabled for which sets of users.
  3. In the MFA for OWA Login section, check the Enable __ authentication factor box, select the number of authentication methods, and specify which ones you'd like to use from the drop-down.

Note:

  • The OWA site must use HTTPS for FIDO passkeys to work.
  • Authentication using SAML is not supported by MFA for OWA.

  4. Click Save Settings.

Step 2: Installing the ADSelfService Plus MFA Connector

The IIS MFA extension must be installed on the Exchange server to enable MFA for OWA and Exchange admin center logins. After primary password authentication succeeds, the extension triggers the request to complete the remaining authentication factors.

  1. Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoint.
  2. Navigate to MFA for OWA and click the help icon.
  3. Download the ADSelfService Plus MFA Connector from the pop-up that appears.
  4. Copy the downloaded connector file (AdsspOWAIISModule.zip) to the Windows server that you have configured as the Exchange server. Extract the contents of the ZIP file to a folder.
  5. Open PowerShell (x64) as an administrator and navigate to the folder where the content of the extension files is located.
  6. Execute the following command: PS C:\> .\setupIISMFAModule.ps1 Install

Customizing the virtual directory for ADSelfService Plus Connector

By default, the ADSelfService Plus IIS MFA Connector files are created in a virtual directory under the Default Web Site in IIS Manager. If your Default Web Site redirects to a particular site (for example, if your default web site is selfservice.com and you have configured a redirect URL to selfservice.com/owa), you can change the virtual directory to owa using the following command: PS C:\> .\setupIISMFAModule.ps1 install -virtualDirectory "owa"

Uninstalling and updating the ADSelfService Plus MFA Connector

  1. Open PowerShell (x64) as an administrator and navigate to the folder where the extension files are located (by default, C:\Program Files\ManageEngine\ADSelfService Plus MFA Connector).
  2. To uninstall the extension, execute the following command: PS C:\> .\setupIISMFAModule.ps1 Uninstall
  3. To update the extension, execute the following command: PS C:\> .\setupIISMFAModule.ps1 Update
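The Step 2 installation, the custom virtual directory option, and the update/uninstall commands above all run the same setupIISMFAModule.ps1 script from different folders. The following wrapper is an added example, not ManageEngine's own script: it checks the prerequisites this page lists (elevated 64-bit PowerShell, HTTPS-only reachability of ADSelfService Plus, the ADSelfService Plus certificate present in the local machine store, an HTTPS binding on the OWA site), then runs the documented Install, Update or Uninstall action. The URL, certificate thumbprint, and paths in the parameter block are placeholder assumptions; only the script name, its actions, the -virtualDirectory parameter and the default install folder come from this page.

```powershell
<#
  Added example, not ManageEngine's own script: runs the documented
  setupIISMFAModule.ps1 actions (Install, Update, Uninstall) after checking
  the prerequisites listed on this page. URLs, thumbprints and paths below
  are placeholder assumptions; replace them with your own values.
#>
param(
    [ValidateSet('Install', 'Update', 'Uninstall')]
    [string]$Action = 'Install',
    # Assumed ADSelfService Plus URL (must be HTTPS).
    [string]$AdsspUrl = 'https://adssp.example.com:9251',
    # Assumed thumbprint of the ADSelfService Plus SSL certificate you imported.
    [string]$AdsspCertThumbprint = 'REPLACE-WITH-THUMBPRINT',
    # Downloaded connector ZIP and the folder to extract it to (assumed paths).
    [string]$ConnectorZip = "$env:USERPROFILE\Downloads\AdsspOWAIISModule.zip",
    [string]$ExtractTo = "$env:ProgramData\AdsspOWAIISModule",
    # Default install location named on this page, used for Update/Uninstall.
    [string]$InstalledDir = 'C:\Program Files\ManageEngine\ADSelfService Plus MFA Connector',
    # Set this (for example 'owa') only when your Default Web Site redirects to that path.
    [string]$VirtualDirectory = ''
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# The page requires an elevated, 64-bit PowerShell session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from PowerShell (x64) as an administrator.'
}
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from the 64-bit PowerShell host, not PowerShell (x86).'
}

# Prerequisite 1: ADSelfService Plus must use HTTPS only, and the Exchange server must
# reach it. Invoke-WebRequest also fails when the server's certificate is not trusted
# here, which is the misconfiguration that later makes the connector fail silently.
if ($AdsspUrl -notmatch '^https://') {
    throw "ADSelfService Plus URL must use HTTPS: $AdsspUrl"
}
try {
    $response = Invoke-WebRequest -Uri $AdsspUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "ADSelfService Plus reachable over HTTPS (HTTP $($response.StatusCode))."
} catch {
    throw "Cannot reach $AdsspUrl over HTTPS. Until this works, OWA users cannot complete MFA: $_"
}

# Prerequisite 2: the ADSelfService Plus SSL certificate must be in the local machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $AdsspCertThumbprint }
if (-not $cert) {
    throw "Certificate $AdsspCertThumbprint is not installed on this Exchange server. Import it first."
}
Write-Host "ADSelfService Plus certificate found: $($cert[0].Subject) (expires $($cert[0].NotAfter))."

# FIDO passkeys need the OWA site on HTTPS; warn if the site has no HTTPS binding.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    Write-Warning 'Default Web Site has no HTTPS binding; FIDO passkeys will not work for OWA.'
}

switch ($Action) {
    'Install' {
        # Step 2 of the page: extract the connector and run the installer from its folder.
        Expand-Archive -Path $ConnectorZip -DestinationPath $ExtractTo -Force
        Push-Location $ExtractTo
        try {
            if ($VirtualDirectory) {
                # Custom virtual directory, as documented for redirected sites.
                .\setupIISMFAModule.ps1 Install -virtualDirectory $VirtualDirectory
            } else {
                .\setupIISMFAModule.ps1 Install
            }
        } finally {
            Pop-Location
        }
    }
    default {
        # Update and Uninstall run from the installed connector folder.
        Push-Location $InstalledDir
        try {
            .\setupIISMFAModule.ps1 $Action
        } finally {
            Pop-Location
        }
    }
}

# Post-check: list what now sits under the Default Web Site so you can confirm the
# connector's virtual directory landed next to the OWA application.
Get-WebApplication -Site 'Default Web Site' | Select-Object Path, PhysicalPath
Get-WebVirtualDirectory -Site 'Default Web Site' | Select-Object Path, PhysicalPath
```

Run it as `.\Install-AdsspOwaConnector.ps1 -Action Install -VirtualDirectory owa` (assumed file name) when your site redirects to /owa, and with `-Action Update` or `-Action Uninstall` later. The reachability check is deliberately fatal: once the connector is installed, an unreachable ADSelfService Plus server blocks every OWA login, so it is better to find out before installation than from the help desk queue.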

Note: If ADSelfService Plus is down or unreachable, users will not be able to access their email, as they won't be able to complete authentication. You can allow users to bypass MFA in such situations. Refer to the Advanced settings for more information.

Tips

  • Install the ADSelfService Plus SSL certificate on the Exchange server before installing the MFA Connector. This prerequisite is easy to overlook, and skipping it causes the Connector to fail when it tries to communicate with the ADSelfService Plus server over HTTPS.
  • Configure the skip MFA option in the Advanced settings before enforcing OWA MFA in production. Unlike machine login MFA (where a user can still call the help desk), an unreachable ADSelfService Plus server completely blocks email access; having a bypass policy in place preserves business continuity during server maintenance or outages.
  • If your OWA site uses a custom virtual directory or redirects to a non-default path, use the -virtualDirectory parameter during installation rather than the default install command. Installing to the wrong virtual directory is a common reason the MFA step does not trigger after primary authentication.