Exchange Hybrid Modern Authentication Available for Use with Android and iOS Outlook Clients

Microsoft now enables the use of its Outlook e-mail client applications for Android or iOS devices with some Exchange Server products in so-called "hybrid modern authentication" scenarios, according to an announcement this month.

Modern authentication is Microsoft's term for a bunch of cloud-based Azure Active Directory (AD) authentication processes, plus conditional access security, along with mobile application management. These services can be used with an organization's premises-based Exchange Server or Skype for Business Server infrastructures.

When this hybrid modern authentication scenario gets used (combining cloud services plus local servers), the authentication process using Open Authorization (OAuth) protocols happens in Microsoft's datacenters, not on the customer's premises. It opens new scenarios for organizations.

General Availability

Modern authentication was turned on back in August for all new Office 365 tenancies that had Exchange Online or Skype for Business Online as part of their subscriptions, according to Microsoft's "Hybrid Modern Authentication Overview" document, although older tenancies didn't get those updated policies. Later, Microsoft announced in December that hybrid modern authentication capabilities for both Exchange Server and Skype for Business Server had reached "general availability" status, meaning that they were deemed ready for use by organizations in production environments.

This month, Microsoft announced that the "architecture" for using Exchange Server, Office 365 and Enterprise Mobility + Security (EMS) suite for Outlook on Android and iOS was ready for use by organizations. The "new architecture is generally available," a Microsoft spokesperson clarified in a Monday e-mail.

Consequently, some new capabilities are possible for users of Android or iOS Outlook clients. Capabilities "such as Focused Inbox, Intelligent Search and enhanced time management" get lit up for hybrid modern authentication users, Microsoft's announcement explained. Note that Microsoft isn't referring to the Outlook on the Web clients, which are getting deprecated.

It might be thought that this hybrid modern authentication capability was already available back in December, but the new aspect seems to be the Outlook integration. It's available now, whereas it was at the test stage back in May. Here's how the spokesperson explained it:

"Last May we initiated a TAP program for select customers. Last week, we announced the availability of the new architecture for any customer who chooses to opt-in."

Hybrid modern authentication is only supported for users of "Exchange server 2013 CU19 and up, or Exchange server 2016 CU8 and up," according to Microsoft's document. Users of Exchange Server 2010 are out of luck, as hybrid modern authentication isn't supported when Exchange Server 2010 is present in a computing environment.

Additionally, to use hybrid modern authentication, Azure AD has to be turned on organization-wide. Here's how the spokesperson explained that point:

"Hybrid modern authentication requires a hybrid relationship with the Microsoft Cloud. Azure Active Directory ultimately manages the authentication for the user identity (via OAuth tokens)."

Organizations can't just configure their Exchange Server environments to use hybrid modern authentication with Outlook for Android and iOS clients. "There is a technical step for Microsoft to do," the spokesperson explained. Moreover, organizations need to meet the "technical and licensing requirements."

Organizations wanting the capability should "contact their Microsoft account team, customer sales and services (CSS) or technical account managers to initiate the setup and deployment process," Microsoft's announcement explained.

There's not exactly a free trial, according to the spokesperson:

"This new architecture is of interest to Exchange Server customers who want to use Outlook for iOS and Android with enterprise mobility and security features such as conditional access and app protection policies. Outlook for iOS and Android are included in most existing volume licensing plans. Customers should refer to their Microsoft Intune and Azure terms of service. To unlock the power of Outlook with EMS, the customer will still need to create a conditional access policy, create an Intune app protection policy, enable hybrid Modern Authentication and contact Microsoft to take the final technical step. There are no incremental costs to use Hybrid Modern Authentication at this time."

There's no extra cost, but organizations will need to have all of the associated product licensing in place.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

