Is it possible to use Okta Verify with O365/Exchange On-Line and Active Sync devices?
https://support.okta.com/help/answers?id=906f0000000blm3iai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Thomas (Okta, Inc.)

Is it possible to use Okta Verify with O365/Exchange On-Line and Active Sync devices?

I have been experimenting with Okta Verify for multi-factor authentication with Office 365 (when users are off the Company network) and it works really well when using a web browser to authenticate to services such as Outlook Web Access or SharePoint On-Line. Obviously this doesn't work for full clients such as Outlook or iPhones synchronising e-mail via Exchange Active Sync (EAS), as they are unable to provide the Verify code.

For Outlook I expect that I can route the OKTA authentication requests via a registered On Network Public Gateway IP Address from our network (using a VPN and internal web proxy). I didn't have any issues with Outlook when it was On Network, so I believe this will work quite nicely. From reading some OKTA documentation it appears that in EAS, the Exchange Server will proxy the authentication request to Okta, so even using a VPN will not work. I thought that one possible solution would be to add the Exchange On-Line Servers as On-Network (set Public Gateway IPs), but this would require managing a large number of IP addresses, which are likely to change frequently without prior notice, so not something I really would be keen on putting into a production environment.

I am very interested to see if anyone else has done this successfully before or has any better solutions/ideas on a way to solve this?

Original Author:  David Howell
Best Answer chosen by Thomas (Okta, Inc.) 
Thomas (Okta, Inc.)

I have OWA working perfectly with Okta MFA, as does all other web-based access to our Office 365 services (like SharePoint / OneDrive / Admin Portal). The issue I have only affects non-browser clients such as the Mail Client in iOS or Windows Desktop Applications like Outlook, which are not capable of showing the MFA request / challenge page. I can route Outlook through our VPN so it appears to come from an OnNetwork address (which I have configured not to require MFA), but with Exchange Active Sync the logon request is proxied via the Exchange On-Line server and so I can't use this technique.
Original Author: David Howell
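A small model of the behaviour described in this thread, added here as an illustration (not code from the posters or from Okta): an on-network zone decides whether MFA is required, and the decision depends on the address the identity provider sees rather than on where the device is. All addresses are constructed from documentation ranges, and the function and zone names are hypothetical.

```python
import ipaddress

# Constructed values: RFC 5737 documentation ranges stand in for real addresses.
CORP_GATEWAYS = ["192.0.2.0/28"]        # company egress / VPN gateway (assumed)
EXCHANGE_ONLINE = ["198.51.100.0/24"]   # placeholder for Exchange On-Line servers
VPN_IP = "192.0.2.5"                    # device routed through the company VPN
HOME_IP = "203.0.113.25"                # device off the company network
EXCHANGE_IP = "198.51.100.40"           # one Exchange On-Line server


def in_zone(ip, zone):
    """True when ip falls inside any CIDR block of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in zone)


def ip_seen_by_idp(client, device_ip):
    """Address that reaches the identity provider for each client type.

    Browsers and Outlook authenticate directly, so the device (or VPN egress)
    address is seen. With EAS the Exchange server proxies the logon, so its
    own address is seen whatever network the phone is on.
    """
    return EXCHANGE_IP if client == "eas" else device_ip


def mfa_required(client, device_ip, on_network_zone):
    """Rule from the thread: on-network logons skip MFA, all others are challenged."""
    return not in_zone(ip_seen_by_idp(client, device_ip), on_network_zone)


def evaluate(on_network_zone):
    """MFA decision for the four client paths discussed in the thread."""
    cases = {
        "browser-home": ("browser", HOME_IP),
        "outlook-vpn": ("outlook", VPN_IP),
        "eas-vpn": ("eas", VPN_IP),
        "eas-home": ("eas", HOME_IP),
    }
    return {name: mfa_required(c, ip, on_network_zone) for name, (c, ip) in cases.items()}


if __name__ == "__main__":
    print("gateways only:      ", evaluate(CORP_GATEWAYS))
    print("gateways + Exchange:", evaluate(CORP_GATEWAYS + EXCHANGE_ONLINE))
```

With only the company gateways in the zone, EAS is challenged even over the VPN, which a mail client cannot answer. With the Exchange ranges added, every EAS logon is treated as on-network, including those from devices off the company network.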
 

 

All Answers

Bhaskar Mangapati
Hi Thomas,

I look forward to seeing the integration steps for OWA with Okta for MFA.

Best regards,
Bhaskar