Exchange two-factor authentication (HEX 2FA) adds an additional layer of security for your users when they use Outlook on the desktop and ActiveSync mobile apps. If the username and password are correct, and the mailbox has been enabled for HEX 2FA, the solution then checks whether the application making the connection is authorized to access this mailbox. If it is authorized, the connection attempt succeeds as normal; if not, you will be notified and asked to authorize the application first.

This solution will work with the following clients:


Important:

  • The Outlook Backup service is not compatible with mailboxes using Exchange two-factor authentication.
  • Only Microsoft Outlook 2016 or higher desktop clients for Windows and Mac are supported. Other non-Outlook email clients (Mac Mail, Windows Mail, etc.) are not supported with Exchange 2FA.
  • Enabling Exchange 2FA will block access from unsupported clients or third-party apps that connect via the EWS protocol, such as SmartOffice, Calendly, Salesforce, etc.
  • The POP3, IMAP, SMTP and RPC/HTTP protocols are not supported with Exchange 2FA and will be automatically disabled for users who have this feature enabled.

Notes:

  • If the Exchange 2FA section is not found in CONTROL PANEL under Account > Security policies > Two-factor authentication (2FA), contact Support to find out when this feature will become available for your domain.
  • The end user needs to contact the Account Administrator to enable this feature.
  • In order to use Exchange 2FA, a user must have an active Exchange mailbox, and Primary 2FA must already be enabled for the user.
  • Outlook Web Access (OWA) is already covered by 2FA and is therefore not included in this solution.
  • It is possible to fully reset a user's 2FA settings if access to the phone has been lost. Read the Knowledge article on how to reset 2FA settings from Control Panel: Managing Two-factor Authentication For End Users

Using Exchange 2FA

When Exchange 2FA is first enabled by your Account Administrator, the next time one of your mail applications authenticates to the mail server with the correct username and password, it will be blocked. This means the application can no longer receive any new mail, and you will not be able to send any messages; existing messages that have already been downloaded should still be accessible.

In Outlook you can expect to see the following password prompt:

[Image: OL prompt]

You might also see one of the following messages in the Outlook status bar located in the lower right-hand corner:

[Image: OL bottom bar]

Note:

  • You might not see this until you next restart Outlook.
  • ActiveSync/mobile applications may take a few hours before they are disconnected.

Receiving a New Device Notification

Note: If you already have a phone number configured for Primary 2FA on your user, you may skip this part and proceed to the next step.

When the solution blocks an application, it will attempt to notify you. It will first attempt to send an SMS message to the phone number registered in the Exchange address book. This number is located in My Services under Edit profile > Mobile, or in the CONTROL PANEL under Users > User's name > Edit user info > Information to restore user password > Mobile phone.

If the SMS is sent successfully, you will receive a notification with the following text:

[Image: SMS]

If you do not have a mobile number registered, or the system fails to send the SMS, you will instead receive an email with the following content:

[Image: notification email]

Note: You can register your mobile number in the company address book using the My Services page, or contact your Account Administrator to update this information.

Accessing the Exchange Device Management Portal

Granting an application access to your mailbox is done using the Exchange Device Management Portal. The location of this portal is included in the notifications above, or you can navigate to it directly using the following link: https://2fa.smarshmail.com

To log in, you will see the familiar authentication pages used for Smarsh Hosted Services:

[Image: login page]

You can proceed to authenticate using the same credentials and 2FA method that you would use for any other Smarsh Hosted Services service.

Note: When logging in this way, please provide your credentials when prompted. Idle sessions are closed automatically to keep the login secure. If your session is left idle for too long, you will see an error message.

Registering an application using the Exchange Device Management Portal

When you first access the portal you should see a page of tiles; each tile represents an application that is attempting to connect to your mailbox:

[Image: EDM portal]

You should notice that the Token Assignment Status of each tile is initially set to Inactive. This tells you that the application is using a valid username and password, but it is currently being blocked because it is not yet authorized.

To grant access to this application, click on the Activate button:

[Image: Token Inactive]

You will then be asked to confirm this action:

[Image: Activation]

After confirming, you will see that the Token Assignment Status has changed to Active:

[Image: Token Active]

The application will now be able to connect to your mailbox and send/receive mail.

Notes:

  • Depending on the application, you may need to restart it and enter the password again before it reconnects to the mailbox.
  • For a faster setup and to expedite the arrival of the Outlook Token, we recommend that the user close Outlook first, then enable Exchange 2FA, then wait a further 60 seconds before opening Outlook again. This greatly increases the speed at which the Outlook password prompt appears and the Token shows up in the Exchange Device Management Portal, where it can then be activated. After activation, have the user close Outlook and re-open it to reconnect the mailbox to Exchange.
  • To expedite this process on a mobile device: activate Exchange 2FA first, then power off the mobile device, then power it back on. This forces the arrival of the mobile device Token in the Exchange Device Management Portal.
  • There is a known issue where users receive an Outlook password prompt in Office apps other than Outlook (such as Word or Excel) when Exchange 2FA is enabled for them and they have Outlook set up in Online mode. The suggested workarounds are to change Outlook to Cached mode, or to close the pop-up windows each time (they will not reappear until the next time the application is opened).
