Hidemyass Login

[Christian Swindler]

Werecently enabled HMA in our environment, but disabled because it forced users to sign in via office 365 while in the office. We currently have a mix of office 2010, 2013, 2016. Later on we will be moving everyone to the office 365 suite. We have on premise exchange 2016. AD is also on prem. We recently went to SharePoint online (365). So we also had to implement ADFS and use Azure AD connect so our users were synced up to Azure.

Is this normal behavior? When a user launches outlook via there client computer in the office. Will it always force them to sign into office 365. Which also forces them to login to our ADFS portal to enter their passwords. What other options if any are available? When we setup HMA we had to setup a New-AuthServer. Is it possible to have multiple AuthServers for onprem and those who also work remotely? I would like to avoid having users login again when opening outlook while in the office. I know it is a very simple thing but it is a change for our users across the board. I am also very new to HMA/ADFS so i am curious what others have done.

If this is normal behavior that is fine. I just have to let upper management know this would now be the norm. If you need other screen shots let me know. But this is what i see below. Then outlook will launch.

Hybrid Modern Authentication (HMA) in Microsoft Exchange Server is a feature that allows users to access mailboxes, which are hosted on-premises, by using authorization tokens obtained from the cloud.

HMA enables Outlook to obtain Access and Refresh OAuth tokens from Microsoft Entra ID, either directly for password hash sync or Pass-Through Auth identities, or from their own Secure Token Service (STS) for federated identities. Exchange on-premises accepts these tokens and provide mailbox access. The method of obtaining these tokens and the credentials required are determined by the capabilities of the identity provider (iDP), which could range from simple username and password to more complex methods such as certificates, phone auth, or biometric methods.

In comparison to legacy authentication methods such as NTLM, HMA offers several advantages. It provides a more secure and flexible authentication method, leveraging the power of cloud-based authentication. Unlike NTLM, which relies on a challenge-response mechanism and doesn't support modern authentication protocols, HMA uses OAuth tokens, which are more secure and offer better interoperability.

HMA is a powerful feature that enhances the flexibility and security of accessing on-premises applications, leveraging the power of cloud-based authentication. It represents a significant improvement over legacy authentication methods, offering enhanced security, flexibility, and user convenience.

To enable Hybrid Modern Authentication (HMA), you must ensure that your organization meets all necessary prerequisites. Additionally, you should confirm that your Office client is compatible with Modern Authentication. For more details, refer to the documentation on How modern authentication works for Office 2013 and Office 2016 client apps.

Add on-premises web service URLs to Microsoft Entra ID. The URLs must be added as Service Principal Names (SPNs). In case that your Exchange Server setup is in hybrid with multiple tenants, these on-premises web service URLs must be added as SPNs in the Microsoft Entra ID of all the tenants, which are in hybrid with Exchange Server on-premises.

Ensure that all virtual directories are enabled for HMA. If you want to configure Hybrid Modern Authentication for Outlook on the Web (OWA) and Exchange Control Panel (ECP), it's important to also verify the respective directories.

Ensure that the Exchange Server OAuth certificate is valid. The MonitorExchangeAuthCertificate script script can be utilized to verify the validity of the OAuth certificate. In the event of its expiration, the script assists in the renewal process.

Ensure that all user identities are synchronized with Microsoft Entra ID, especially all accounts, which are used for administration. Otherwise, the login stops working until they're synchronized. Accounts, such as the built-in Administrator, will never be synchronized with Microsoft Entra ID and, therefore, can't be used on any OAuth login once HMA has been enabled. This behavior is due to the isCriticalSystemObject attribute, which is set to True for some accounts including the default administrator.

Your Exchange servers must fulfill the following requirements before Hybrid Modern Authentication can be configured and enabled. In case you have a hybrid configuration, you must run the latest Cumulative Update (CU) to be in a supported state. You can find the supported Exchange Server versions and build in the Exchange Server supportability matrix.

Run the commands that assign your on-premises web service URLs as Microsoft Entra SPNs. SPNs are used by client machines and devices during authentication and authorization. All the URLs that might be used to connect from on-premises to Microsoft Entra ID must be registered in Microsoft Entra ID (including both internal and external namespaces).

Ensure the URLs clients might connect to are listed as HTTPS service principal names in Microsoft Entra ID. In case Exchange on-premises is in hybrid with multiple tenants, these HTTPS SPNs should be added in the Microsoft Entra ID of all the tenants in hybrid with Exchange on-premises.

If you don't see your internal and external MAPI/HTTP, EWS, ActiveSync, OAB, and AutoDiscover records in this list, you must add them. Use the following command to add all URLs that are missing. In our example, the URLs that are added are mail.corp.contoso.com and owa.contoso.com. Make sure that they're replaced by the URLs that are configured in your environment.

Verify that your new records were added by running the Get-MgServicePrincipal command from step 4 again, and validate the output. Compare the list from before to the new list of SPNs. You might also note down the new list for your records. If you're successful, you should see the two new URLs in the list. Going by our example, the list of SPNs now includes the specific URLs and

If OAuth is missing from any server and any of the five virtual directories, you need to add it by using the relevant commands before proceeding (Set-MapiVirtualDirectory, Set-WebServicesVirtualDirectory, Set-OABVirtualDirectory, Set-AutodiscoverVirtualDirectory), and Set-ActiveSyncVirtualDirectory.

Your output should show an AuthServer of the Name EvoSts - and the Enabled state should be True. If that's not the case, you should download and run the most recent version of the Hybrid Configuration Wizard.

In case that Exchange Server on-premises runs a hybrid configuration with multiple tenants, your output shows one AuthServer with the Name EvoSts - for each tenant in hybrid with Exchange Server on-premises and the Enabled state should be True for all of these AuthServer objects. Please make a note of the identifier EvoSts - , as it will be required in the subsequent step.

Run the following commands in the Exchange Server on-premises Management Shell (EMS) and replace the in the command line with the GUID from the output of the last command you ran. In older versions of the Hybrid Configuration Wizard the EvoSts AuthServer was named EvoSTS without a GUID attached. There's no action you need to take, just modify the preceding command line by removing the GUID portion of the command.

If the Exchange Server on-premises version is Exchange Server 2016 (CU18 or higher) or Exchange Server 2019 (CU7 or higher) and hybrid was configured by the help of the HCW downloaded after September 2020, run the following command in the Exchange Server on-premises Management Shell (EMS). For the DomainName parameter, use the tenant domain value, which is usually in the form contoso.onmicrosoft.com:

In case Exchange Server on-premises is in hybrid with multiple tenants, there are multiple AuthServer objects present in the Exchange Server on-premises organizations with domains corresponding to each tenant. The IsDefaultAuthorizationEndpoint flag should be set to True for any one of these AuthServer objects. The flag can't be set to true for all the AuthServer objects and HMA would be enabled even if one of these AuthServer object IsDefaultAuthorizationEndpoint flag is set to true.

When working with multiple tenants they must all be in the same cloud environment such as all in Global or all in GCC. They cannot exist in mix environments such as one tenant in Global and another one in GCC.

Once you enable HMA, a client's next sign in will use the new auth flow. Just turning on HMA won't trigger a reauthentication for any client, and it might take a while for Exchange Server to pick up the new settings. This process does not necessitate the creation of a new profile.

You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and select Connection Status. Look for the client's SMTP address against an AuthN type of Bearer\*, which represents the bearer token used in OAuth.

After the Hybrid Modern Authentication was enabled for OWA and ECP, each end user and administrator who tries to log in into OWA or ECP will be redirected to the Microsoft Entra ID authentication page first. After the authentication was successful, the user will be redirected to OWA or ECP.

To enable Hybrid Modern Authentication for OWA and ECP, all user identities must be synchronized with Microsoft Entra ID.In addition to this it's important that OAuth setup between Exchange Server on-premises and Exchange Online has been established before further configuration steps can be done.

Customers who have already run the Hybrid Configuration Wizard (HCW) to configure hybrid, have an OAuth configuration in place. If OAuth wasn't configured before, it can be done by running the HCW or by following the steps as outlined in the Configure OAuth authentication between Exchange and Exchange Online organizations documentation.

3a8082e126