We will see how the authentication works when accessing Exchange Online Mailbox in Outlook Web Access. Before looking at the OWA authentication flow, we need to understand the Identity Models available in Office 365.
- Cloud Identities – User accounts provisioned directly in Azure Active Directory using Office 365 Portal or Azure AD PowerShell.
- Synchronized Identities with password hash – User accounts and the hash of their on-premises Active Directory password is synchronized to azure active directory.
- Federated Identities – Federation established using ADFS and User accounts synchronized to the Azure Active Directory from On-Premise Active directory.
Federated Identity model is the preferred Identity model for most of the Organization. Federated Identities model uses Active Directory Federation Service technology to establish a federation trust between the Office 365 tenant and the on-premises Active Directory. With the Federated Identity model, when a user tries to access an Office 365 workload, he will get an SAML security token from ADFS, which is handed to Azure AD as proof for being allowed to access the respective workload.
Below diagram explains the authentication flow for Internal OWA client accessing Exchange Online Mailbox.
- OWA web client from Internal network tries to access Exchange Online using Outook.office365.com URL, Exchange online redirect the web client to authentication with Azure AD login.microsoftonline.com
- OWA client will be redirected to login.microsoftonline.com and login screen appears to enter the credential, once the user enters the user name (firstname.lastname@example.org), Azure AD will check whether the domain is federated or not. In our case it is federated domain, Azure AD will redirect the web client to authenticate with federated identity, which is sts.superhybridcloud.com.
- Sts.superhybridcloud.com will resolve to ADFS server available in On-Premise. Windows Integrated Authentication will be configured on ADFS and the authentication will automatically happen in the backend using logged in credential.
- ADFS will validate the credential with AD and retrieve the necessary claims related information from AD.
- AD validates the credential and provide the requested claims information to ADFS.
- ADFS server present a token holding the claims about the user to web client
- OWA client will present the received token to Azure AD and authentication will be successful, the web client will be redirected back to outlook.office365.com
- Authentication successful and the OWA client will go to Exchange online with successful authentication status and user can access his mailbox in OWA.
Below diagram explains the authentication flow for the Internet OWA client accessing his Exchange Online Mailbox.
If the OWA web client is from internet, all the steps explained above will be applicable. Only difference is, the redirection to STS is through ADFS Proxy or Web Application Proxy servers and also, the web client will be asked to authenticate via Form based authentication page.
Hope you are able to understand the authentication flow for Exchange Online when using Outlook web access. We will see how the outlook authentication works when accessing Exchange Online Mailbox. For any additional clarification, please post your comments.