EWS and DUO, or 2FA

Hi

Does anyone know if accounts protected with DUO, or 2FA, can log in at the following URL…

https://outlook.office365.com/ews/Exchange.asmx

We have a few service accounts that need to log in here, but I am unable to do so, only receiving the cryptic HTTP Error 503. I have a suspicion that it is because of DUO, but I can’t find any info to corroborate this supposition.

Any help appreciated.

Steven.

How are you protecting Exchange Online with Duo?

Are you using Duo SSO for Microsoft 365? If so, did you enable WS-Trust to allow accounts login access without 2FA from clients that cannot use a browser for authentication?

Are you using Duo Access Gateway? If so, did you enable Basic Auth for those service accounts?

Hi DuoKristina

Yes, we are using Duo SSO for Microsoft 365 with a Duo Authentication Proxy. No, I did not enable WS-Trust to allow accounts login access without 2FA from clients that cannot use a browser for authentication.

Thank you very much, I will look at changing that! Just wondering how secure would that be? What is to stop illegitimate actors from using this avenue?

Steven

No worries, I read the whole page, all clear in there, thanks again DuoKristina!

1 Like

It is as secure as not having MFA in place, that is, it doesn’t make primary auth with password only any less secure than it was before. So, try to give the account only the privileges necessary for whatever it’s doing, and best practices for passwords apply (long and strong).

If you have Azure P1/P2 Conditional Access you can also look into locking down the networks from which these service accounts can log in (if it’s a printer service account, you know it should never try to auth from outside your building, etc).

1 Like
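
The network restriction suggested in the last reply can also be verified after the fact from sign-in logs. The following is an added example, not part of the thread: it audits exported sign-in records and flags any 2FA-exempt service account authenticating from outside its expected network. The account names, CIDR ranges and sample records are constructed; the field names are modelled on the Microsoft Graph `signIn` resource.

```python
import ipaddress

# Assumption: each password-only service account maps to the networks it should
# ever authenticate from (constructed names and documentation-range CIDRs).
ALLOWED_NETWORKS = {
    "svc-printer@example.com": ["203.0.113.0/24"],
    "svc-ews-sync@example.com": ["198.51.100.16/28"],
}

# Constructed sample records, shaped like exported sign-in log entries.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-printer@example.com", "ipAddress": "203.0.113.40",
     "clientAppUsed": "Exchange Web Services"},
    {"userPrincipalName": "svc-printer@example.com", "ipAddress": "192.0.2.77",
     "clientAppUsed": "Exchange Web Services"},
    {"userPrincipalName": "SVC-EWS-Sync@example.com", "ipAddress": "2001:db8::5",
     "clientAppUsed": "Exchange Web Services"},
    {"userPrincipalName": "svc-ews-sync@example.com", "ipAddress": "",
     "clientAppUsed": "Other clients"},
    {"userPrincipalName": "steven@example.com", "ipAddress": "192.0.2.10",
     "clientAppUsed": "Browser"},
]


def audit_service_signins(signins, allowed=ALLOWED_NETWORKS):
    """Return (upn, source, reason) for each service-account sign-in that
    did not come from one of that account's expected networks."""
    findings = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in allowed:
            continue  # interactive users stay behind 2FA; out of scope here
        source = rec.get("ipAddress", "")
        try:
            ip = ipaddress.ip_address(source)
        except ValueError:
            # A missing or malformed address cannot be shown to be in range.
            findings.append((upn, source, "unparseable source address"))
            continue
        networks = [ipaddress.ip_network(cidr) for cidr in allowed[upn]]
        if not any(ip in net for net in networks):
            findings.append((upn, source, "outside expected network"))
    return findings


if __name__ == "__main__":
    for finding in audit_service_signins(SAMPLE_SIGNINS):
        print(finding)
```
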