- Free Edition
- Quick Links
- MFA
- Self-Service Password Management
- Single Sign-On
- Password Synchronizer
- Password Policy Enforcer
- Employee Self-Service
- Reporting and auditing
- Integrations
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- Exchange Reporter Plus Exchange Server Auditing & Reporting
- EventLog Analyzer Real-time Log Analysis & Reporting
- M365 Manager Plus Microsoft 365 Management & Reporting Tool
- DataSecurity Plus File server auditing & data discovery
- RecoveryManager Plus Enterprise backup and recovery tool
- SharePoint Manager Plus SharePoint Reporting and Auditing
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools
What is OWA and why does it need MFA?
Outlook Web Access (OWA) gives enterprise users mailbox access from any web browser without a locally installed Outlook client — and exposes Exchange through a public-facing IIS virtual directory that attackers probe consistently. The FBI's IC3 2025 report recorded a 48.2 percent rise in business email compromise incidents between 2023 and 2025. Enforcing multi-factor authentication (MFA) at the OWA login is, in that context, no longer an optional hardening step.
The default mechanism relies solely on Active Directory credentials, a single layer that most security frameworks and auditors no longer consider adequate. Attackers run password spraying, brute force, and credential stuffing campaigns against OWA, or deploy phishing proxies that clone the login page to harvest credentials silently. Once a valid password is captured, full mailbox access follows — along with the ability to set silent forwarding rules and use the compromised inbox as a pivot point into the broader environment. MFA closes this window, since a stolen password alone delivers nothing when a verified second factor is required.
Legacy authentication presents an equally serious exposure. Protocols like POP3, IMAP, and SMTP AUTH communicate directly with Exchange using basic credentials and never invoke the MFA layer, allowing an attacker with a stolen password to bypass browser-level protections entirely by switching protocols. Blocking legacy authentication and enforcing OAuth 2.0 across all client endpoints is therefore a necessary companion measure, not an afterthought.
For hybrid deployments running Microsoft Entra ID, Security Defaults and Conditional Access Policies operate at the cloud identity layer and do not extend to on-premises Exchange Server. Protecting an on-premises deployment requires MFA enforcement applied directly at the IIS level — which is precisely what ADSelfService Plus delivers.
Secure enterprise email access with ADSelfService Plus' OWA multi-factor authentication
ManageEngine ADSelfService Plus enables OWA MFA and Exchange MFA by inserting additional authentication steps after the default AD username and password validation, during both OWA and Exchange Admin Center (EAC) logins. The MFA challenge is enforced at the IIS layer through the ADSelfService Plus IIS MFA extension installed on the Exchange Client Access server. Session creation is halted until the user clears the configured factors. Even a fully valid AD credential produces no mailbox access on its own.
Unlike solutions limited to basic 2FA, ADSelfService Plus supports up to three additional authentication factors drawn from all three factor categories:
- Knowledge: Security questions
- Possession: TOTP via authenticator apps, push notifications, SMS, email OTP, YubiKey, and hardware TOTP tokens
- Inherence: Fingerprint, Face ID, and FIDO2 passkeys that bind a private key to the device biometric
Multi-factor authentication only qualifies when the second proof comes from a different category than the first. Pairing the AD password (knowledge) with a TOTP code (possession) or a FIDO2 passkey (inherence) satisfies this requirement.
Users can register, replace, and revoke their own MFA tokens through the ADSelfService Plus end-user portal's self-service enrollment management that eliminates help desk dependency for lost devices, new phones, or replacement hardware tokens. Bulk CSV enrollment and forced first-login enrollment ensure organization-wide rollout without administrators chasing individual users.
How does OWA two-factor authentication work?
The authentication flow works as follows:
- The user navigates to the OWA or EAC login page.
- The user completes primary AD authentication — username and password — in the OWA application.
- If primary authentication succeeds, the IIS MFA extension signals ADSelfService Plus to initiate the configured second-factor challenge.
- The user completes the required MFA factors — for example, approving a push notification or entering a TOTP code.
- ADSelfService Plus confirms successful verification to the IIS extension.
IIS creates the Exchange session and the user is logged in to OWA or the EAC.
If any factor fails or times out, session creation is denied. The mailbox is never exposed.
MFA for OWA and EAC logins is supported on the following Exchange Server versions:
| Exchange version | Support status | OWA MFA support |
|---|---|---|
| Exchange Server 2019 | Mainstream support | Supported, including EAC |
| Exchange Server 2016 | Extended support | Supported, including EAC |
| Exchange Server 2013 | End of support (April 2023) | Supported — migration to 2019 strongly recommended |
| Exchange Server 2012 | End of support (October 2023) | Not supported — immediate migration required |
For detailed configuration steps, refer to the MFA for OWA login help document.
Blocking legacy authentication to prevent MFA bypass
Enabling MFA on the OWA browser endpoint addresses only one attack surface. Legacy authentication protocols such as POP3, IMAP, SMTP AUTH, and older Exchange Web Services (EWS) endpoints accept a username and password directly and never invoke the MFA layer. An attacker with a stolen credential simply connects via one of these protocols and bypasses OWA MFA entirely.
Closing this gap requires action at two levels. First, disable POP3, IMAP, and SMTP AUTH at the Exchange mailbox or organization level. Second, use ADSelfService Plus to deny any authentication request that does not present a valid authentication token, effectively blocking legacy protocol connections by default, since they cannot complete an MFA challenge.
Supported authentication methods
ADSelfService Plus supports 21 authenticators across all three factor categories. Those available for OWA MFA include:
Possession factors
- TOTP authentication via Google Authenticator, Microsoft Authenticator, Zoho OneAuth, and the ADSelfService Plus authenticator app
- Push notification approval
- Email OTP verification
- SMS OTP verification
- FIDO2 passkeys and Yubico
- Hardware TOTP tokens
- Duo Security
- RSA SecurID
- RADIUS-based authenticators
- Smart card authentication
Inherence factors
- Fingerprint biometric authentication
- Face ID biometric authentication
- FIDO2 passkey authentication (phishing-resistant, passwordless)
Knowledge factors
- Security questions
For a full list of supported authenticators, see the ADSelfService Plus authenticator list.
Conditional access policies for OWA MFA
MFA enforcement alone challenges every login equally, including sessions from known corporate IPs where the risk profile is low. This creates unnecessary friction and drives shadow workarounds. Conditional access policies solve this by evaluating context on each OWA login and selecting an appropriate response.
ADSelfService Plus evaluates the following attributes per session: source IP address, device type, browser, geolocation, time of access, and whether the request falls within configured business hours. Based on the policy outcome, the session is allowed with a single factor, challenged with the standard MFA factors, stepped up to a stronger factor, or denied outright.
For hybrid deployments, it is important to understand the boundary between Microsoft Entra ID conditional access and ADSelfService Plus conditional access. Microsoft Entra ID conditional access governs cloud identities and applies to Exchange Online and other Microsoft 365 services. It does not reach on-premises Exchange Server. ADSelfService Plus conditional access fills that gap, applying the same context-aware policy logic to on-premises Exchange 2013, 2016, and 2019 deployments, the layer Entra-side policies cannot reach.
Why choose ADSelfService Plus for OWA multi-factor authentication?
- Conditional access: Automatically tighten or relax MFA for OWA based on IP address, geolocation, device type, time of access, and business hours — the context-aware layer that Entra ID conditional access cannot provide for on-premises Exchange.
- 20+ authenticators across all factor categories: TOTP, push notifications, FIDO2 passkeys, biometrics, YubiKey, hardware tokens, Duo Security, RSA SecurID, smart cards, and more — covering possession, inherence, and knowledge factors without requiring a separate identity stack.
- Self-service token management: Users register, replace, and revoke their own MFA tokens through the end-user portal. Lost phone, new authenticator app, replacement YubiKey — none of it routes through the help desk.
- Holistic endpoint MFA: The same policy engine enforces MFA at Windows, macOS, and Linux logins, RDP sessions, UAC prompts, VPN connections via RADIUS, and SSO into 100+ cloud applications — one console for the entire identity perimeter, not just the mailbox.
- Real-time audit reports: 14+ built-in reports covering MFA enrollment status, authentication attempts, success and failure rates, and suspected bypass attempts. Schedule and export for NIST, PCI-DSS, HIPAA, GDPR, NIS2, SOX, CJIS, and Essential Eight audits.
- Regulatory compliance: Meet MFA mandates from NIST, PCI-DSS, HIPAA, and other frameworks that treat MFA on email access surfaces as a baseline requirement.
FAQs
Yes, OWA supports MFA but not natively. You'll need to implement it through a third-party solution like ADSelfService Plus.
Normally, while connecting to OWA, users are authenticated using only a username and password. MFA for Outlook on the web ensures that users verify their identities with multiple authenticators alongside usernames and passwords while logging in to OWA.
By integrating OWA with ADSelfService Plus, you can choose your preferred methods from a range of authenticators like biometric (fingerprint/facial recognition), Face ID, Duo Security, Microsoft Authenticator, Google Authenticator, YubiKey, and email verification.
Yes, it is essential to safeguard all OWA and Exchange admin center (EAC) logins in your organization using MFA. To prevent breaches, it is recommended to use strong identity verification measures like biometrics instead of the traditional username and password method, especially since Outlook gives users access to their email, calendar, tasks, and contacts from any web browser anywhere. On enabling MFA for on-premises Exchange and OWA, you can prevent user accounts from being compromised even if their credentials are threatened by attackers.
You can easily deploy MFA for Outlook on the web and EAC logins in a few simple steps using ADSelfService Plus. ADSelfService Plus allows you to enable more than two authenticators during login, and includes strong authenticators such as FIDO passkeys, biometrics, and YubiKey.
Check out this detailed walkthrough on how you can set up MFA for Outlook on the web in your organization using ADSelfService Plus. You can also schedule a personalized web demo with our product experts, or get in touch with our sales team at +1.312.528.3085 or sales@manageengine.com for any further assistance.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Enforce Windows AD users to adhere to compliant passwords by displaying password complexity requirements.
