- Free Edition
- Quick Links
- Multi-factor authentication
- Adaptive MFA
- Active Directory MFA
- Conditional access
- Passwordless authentication
- Endpoint MFA
- MFA for remote and local Windows logons
- MFA for remote and local macOS logons
- MFA for remote and local Linux logons
- MFA for VPN logons
- MFA for OWA logons
- Offline MFA
- MFA for UAC
- Device-based MFA
- MFA for cloud apps
- MFA for Microsoft 365 users
- Phishing-resistant MFA
- Password management
- Password management and security
- Self-service password reset
- Self-service account unlock
- Web-based domain password change
- Password expiration notifications
- Password synchronization
- Password policy enforcer
- Cached credentials update
- Reporting and auditing
- Password self-service from logon screens
- Help-desk-assisted password reset
- Mobile password management
- Password security and compliance
- Single sign-on
- Remote work enablement
- Enterprise self-service
- Reporting and auditing
- Zero trust
- Integrations
- Security
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- Exchange Reporter Plus Exchange Server Auditing & Reporting
- EventLog Analyzer Real-time Log Analysis & Reporting
- M365 Manager Plus Microsoft 365 Management & Reporting Tool
- DataSecurity Plus File server auditing & data discovery
- RecoveryManager Plus Enterprise backup and recovery tool
- SharePoint Manager Plus SharePoint Reporting and Auditing
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools
What is OWA?
Outlook Web Access (OWA) is the browser-based counterpart to the on-premises email and task management application, Microsoft Outlook. With the solution providing enterprise users access to their OWA email, calendars, tasks, and contacts from Microsoft Exchange directly from their web browsers, securing logins to OWA is vital. The existing username and password-based authentication process is not considered secure enough by many IT security experts. Unauthorized access to a user's OWA interface risks the exposure of sensitive business information and confidential email correspondence between users.
Secure OWA logins with ADSelfService Plus
An effective solution is to supplement the logins with further authentication levels through 2FA or MFA. ManageEngine's ADSelfService Plus provides MFA and 2FA for OWA and Exchange admin center (EAC) logins by implementing additional authentication steps in addition to the default username and password. This means that even if a user's credentials are misused, the enforced MFA process prevents the user account from being compromised. Unlike other solutions, ADSelfService Plus does not provide just 2FA, but also includes options to enable a maximum of three additional authentication factors. MFA is achieved through various authentication methods including the phishing-resistant and passwordless FIDO2 authentication, and biometric authentication.
How does MFA for OWA logins work?
To configure MFA for OWA and EAC logins, the ADSelfService Plus' OWA connector must be installed in the Exchange server. The connecter acts as the intermediary between the Exchange server and ADSelfService Plus to enable MFA during OWA and EAC logins. Once these requirements are fulfilled, the process shown below takes place:
- The user attempts to login to OWA or the EAC.
- The user is asked to complete the primary authentication in OWA application.
- If this is successful, the OWA application passes a request to the ADSelfService Plus connector which informs ADSelfService Plus to proceed with the authentication factors.
- If the user completes all the required authentication factors successfully, they are logged in to OWA or the EAC.
MFA for OWA and EAC logins can be configured for the following Exchange versions:
- Exchange Server 2019
- Exchange Server 2016
- Exchange Server 2013
- Exchange Server 2012
For the detailed configuration steps, refer to the MFA for OWA login help document.
Supported authentication methods
ADSelfService Plus supports a wide range of authenticators. Those that can be configured for OWA are listed here.
- Biometric authentication (fingerprint/facial recognition)
- Duo Security
- Microsoft Authenticator
- Google Authenticator
- YubiKey authentication
- Email verification
Why should you choose ADSelfService Plus?
Employing ADSelfService Plus' MFA for OWA logins delivers the following benefits:
- Customizable and granular configuration: Enable specific authentication methods and several authentication factors for users belonging to certain domains, groups, and organizational units.
- Real-time audit reports: View detailed reports on OWA and EAC login attempts with information like time of logon, authentication methods used, and authentication success or failure status.
- Holistic configuration: Use MFA to secure OWA and EAC logins, as well as local and remote logins into Windows, macOS, and Linux machines, and secure VPN logins for comprehensive endpoint security.
- Achieve regulatory compliance: Comply with regulatory mandates such as the NIST and PCI-DSS which recommend enabling MFA for accessing email accounts.
Highlights
Password self-service
Unburden Active Directory users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Password/account expiry notification
Notify Active Directory users of their impending password and account expiry via email and SMS notifications.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.
Password synchronization
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Directory self-update and corporate search
Enable Active Directory users to update their latest information by themselves. Quick search features help admins scout for information on peers using search keys like contact numbers.
Password Policy Enforcer
Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.
FAQs
Yes, OWA supports MFA but not natively. You'll need to implement it through a third-party solution like ADSelfService Plus.
Normally, while connecting to OWA, users are authenticated using only a username and password. MFA for Outlook on the web ensures that users verify their identities with multiple authenticators alongside usernames and passwords while logging in to OWA.
By integrating OWA with ADSelfService Plus, you can choose your preferred methods from a range of authenticators like biometric (fingerprint/facial recognition), Face ID, Duo Security, Microsoft Authenticator, Google Authenticator, YubiKey, and email verification.
Yes, it is essential to safeguard all OWA and Exchange admin center (EAC) logins in your organization using MFA. To prevent breaches, it is recommended to use strong identity verification measures like biometrics instead of the traditional username and password method, especially since Outlook gives users access to their email, calendar, tasks, and contacts from any web browser anywhere. On enabling MFA for on-premises Exchange and OWA, you can prevent user accounts from being compromised even if their credentials are threatened by attackers.
You can easily deploy MFA for Outlook on the web and EAC logins in a few simple steps using ADSelfService Plus. ADSelfService Plus allows you to enable more than two authenticators during login, and includes strong authenticators such as FIDO passkeys, biometrics, and YubiKey.
Check out this detailed walkthrough on how you can set up MFA for Outlook on the web in your organization using ADSelfService Plus. You can also schedule a personalized web demo with our product experts, or get in touch with our sales team at +1.312.528.3085 or sales@manageengine.com for any further assistance.