Hybrid Modern Authentication

Microsoft have recently announced a new architecture for Exchange Server and Office 365 hybrid deployments: Hybrid Modern Authentication.

This gives customers the ability to use Enterprise Mobility & Security features with Outlook for iOS and Android connecting to mailboxes hosted in Exchange Server on-premises. Mobile devices can be managed with Microsoft Intune and benefit from Azure Conditional Access, all without the mailboxes being hosted in Exchange Online.

For Hybrid Modern Authentication, the following licenses are required for each user as a minimum:

  • Office 365 E3
  • Intune standalone
  • Azure AD Premium standalone

Note: If this solution were to be deployed, I would recommend EM&S licenses instead of the standalone options.

Technical Requirements

The following technical requirements are required to implement Hybrid Modern Authentication:

  • Exchange Server 2013 CU19 or Exchange Server 2016 CU8 (note that Exchange 2007 and 2010 are not supported)
  • AAD Connect synchronizing Active Directory
  • Exchange Hybrid implemented
  • Office 365 Enterprise, Education or Business tenant
  • External URL hostnames for Autodiscover and ActiveSync must be published as service principals to Azure Active Directory through the Hybrid Configuration Wizard
  • External URL hostnames for Autodiscover and ActiveSync must be accessible from the Internet
  • SSL or TLS offloading is not supported

The fact that Exchange 2010 and 2007 are not supported in this scenario may limit the potential of this solution. It’s important to note that Exchange 2007/2010 servers MUST be removed from the environment. They will not work with Outlook for iOS and Android because OAuth is the authentication mechanism used.
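To turn the requirements above into something checkable before running the Hybrid Configuration Wizard, here is an added readiness script for the Exchange Management Shell. It is not from the original post or from Microsoft; it uses the standard Get-ExchangeServer, Get-OrganizationConfig and Get-ActiveSyncVirtualDirectory cmdlets to flag servers below the minimum cumulative update, any remaining Exchange 2007/2010 servers, an organisation that has not yet had OAuth enabled, and ActiveSync virtual directories with no HTTPS external URL. The minimum build numbers (15.0.1365.1 for 2013 CU19 and 15.1.1415.2 for 2016 CU8) are my assumption taken from Microsoft's published build-number table and should be verified against the current list before relying on them; the function name Test-HmaReadiness is mine.

```powershell
# Added readiness check for Hybrid Modern Authentication (HMA).
# Not part of the original post; run in the Exchange Management Shell on a 2013/2016 server.
function Test-HmaReadiness {
    [CmdletBinding()]
    param()

    # ASSUMPTION: minimum builds taken from Microsoft's Exchange build-number table.
    # Verify these against the currently published list before trusting the result.
    $minimumBuild = @{
        '15.0' = [Version]'15.0.1365.1'   # Exchange 2013 CU19
        '15.1' = [Version]'15.1.1415.2'   # Exchange 2016 CU8
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Server versions: every server must be 2013 CU19+ or 2016 CU8+.
    #    Major 8 = Exchange 2007, Major 14 = Exchange 2010: these must be decommissioned.
    foreach ($server in Get-ExchangeServer) {
        $v   = $server.AdminDisplayVersion
        $ver = [Version]"$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        $key = "$($v.Major).$($v.Minor)"

        if (-not $minimumBuild.ContainsKey($key)) {
            $findings.Add("BLOCKER: $($server.Name) runs unsupported build $ver (Exchange 2007/2010 must be removed, not just left idle)")
        }
        elseif ($ver -lt $minimumBuild[$key]) {
            $findings.Add("BLOCKER: $($server.Name) is build $ver; HMA needs at least $($minimumBuild[$key])")
        }
    }

    # 2. OAuth must be switched on for the organisation; Outlook for iOS/Android
    #    authenticates with OAuth only, so without this nothing will sign in.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        $findings.Add("BLOCKER: OAuth2ClientProfileEnabled is False; enable it with Set-OrganizationConfig -OAuth2ClientProfileEnabled `$true")
    }

    # 3. ActiveSync external URL must exist and be HTTPS, because that hostname is
    #    what gets published as a service principal and must be reachable from the Internet.
    foreach ($vd in Get-ActiveSyncVirtualDirectory -ADPropertiesOnly) {
        if (-not $vd.ExternalUrl) {
            $findings.Add("BLOCKER: $($vd.Server) has no ActiveSync ExternalUrl set")
        }
        elseif ($vd.ExternalUrl.Scheme -ne 'https') {
            $findings.Add("BLOCKER: $($vd.Server) ActiveSync ExternalUrl is not HTTPS ($($vd.ExternalUrl))")
        }
    }

    # Return one line per problem; an empty list means the on-premises checks passed.
    if ($findings.Count -eq 0) { 'PASS: no blockers found in the on-premises checks' }
    else { $findings }
}

Test-HmaReadiness
```

The script only covers what can be read from on-premises objects. It cannot prove that the URLs are reachable from the Internet, that the Autodiscover hostname has been published to Azure AD (that happens inside the Hybrid Configuration Wizard), or that no load balancer is offloading TLS, so treat a PASS here as necessary but not sufficient.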

Final Thoughts

There is one benefit I can see from this new feature. Customers who are looking to move to Office 365 have more options available on which service to consume first. Generally Exchange Online would be the first service to be consumed, with Intune following closely or at the same time. Migrating both services at the same time can be a tricky project to manage, and users would face more change than some businesses would like. A new option is to move the MDM solution to Microsoft Intune using Hybrid Modern Authentication. This allows Intune-managed devices to connect to mailboxes that are still hosted on-premises. This could be beneficial if, for example, no MDM solution exists, or Exchange on-premises is stable with no need to move quickly and your current MDM contract is up soon.

Further Reading

Microsoft have provided a TechNet article that details how Hybrid Modern Authentication works and the implementation steps, so there is no need for me to go into that here, but you can read more in the following link.