In an era of sophisticated phishing, relying solely on passwords to protect your OWA and EAC environments is a major risk. Because Exchange lacks built-in MFA for web access, organizations must bridge this gap using either Microsoft Entra ID or third-party solutions like ManageEngine ADSelfService Plus. Deploying this integration is a vital step in hardening your on-premises email infrastructure.
Deployment Workflow
Implementing this solution involves a two-step process:
- Server Configuration: Defining MFA requirements in the ADSelfService Plus admin portal.
- Endpoint Integration: Installing the dedicated IIS module on the Exchange server to trigger MFA during the login sequence.
Securing OWA & Exchange with ADSelfService Plus MFA
Passwords alone are no longer enough to protect your corporate email. By integrating ADSelfService Plus with your Exchange environment, you can enforce Multi-Factor Authentication (MFA) for both OWA and the Exchange Admin Center (EAC).
Prerequisites
- ADSelfService Plus (Professional Edition) installed.
- SSL Certificate configured (HTTPS is mandatory for MFA).
- Exchange Server 2019 or Subscription Edition.
Step 1: Configure MFA Policy
- Log in to the ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Multi-factor Authentication.
- Go to the MFA for Endpoints tab and select MFA for OWA/EAC.
- Choose your Policy and check Enable MFA for OWA/EAC login.
- Select your preferred authenticators (Microsoft Authenticator, Push Notifications, etc.) and click Save.
Step 2: Install the MFA Connector on Exchange
The MFA Connector acts as the bridge between IIS and your ADSelfService Plus server. Run these commands in an elevated PowerShell window:
```powershell
# 1. Download and extract AdsspOWAIISModule.zip to the Exchange server
# 2. Navigate to the extracted folder in PowerShell, then run:
.\setupIISMFAModule.ps1 Install
```
For custom virtual directories, use the following syntax:
```powershell
.\setupIISMFAModule.ps1 install -virtualDirectory "owa"
```
Step 3: Verify the Integration
Restart IIS by running `iisreset` from an elevated prompt. Then attempt to log in to OWA: after the initial password check, you should be challenged by the ADSelfService Plus MFA screen.
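Beyond the manual login test, a quick server-side check confirms that the connector's IIS module is actually registered on the OWA and EAC virtual directories and that the HTTPS prerequisite is met. The following script is an added example, not ManageEngine's own tooling; it assumes the IIS site is named "Default Web Site", that the EAC is served from the /ecp virtual directory, and that the connector registers an IIS module whose name contains "Adssp" (an assumption based on the zip file name, so compare it against the module list the script prints).

```powershell
# Added verification script (not part of ADSelfService Plus). Run in an
# elevated PowerShell on the Exchange server after Step 2 and an iisreset.
# Assumptions: site name "Default Web Site"; EAC lives under /ecp; the
# connector's IIS module name contains "Adssp" (derived from the zip name
# AdsspOWAIISModule.zip, so confirm against the printed module list).
Import-Module WebAdministration

$siteName      = 'Default Web Site'
$modulePattern = 'Adssp'
$vdirs         = @('owa', 'ecp')   # OWA and the Exchange Admin Center

function Test-HttpsBinding {
    param([string]$Site)
    # MFA challenges must travel over HTTPS; no binding means the prerequisite is unmet
    $https = Get-WebBinding -Name $Site -Protocol https
    return [bool]$https
}

function Get-VdirModules {
    param([string]$Site, [string]$Vdir)
    # Lists every managed/native module effective at the virtual directory scope
    $path = "IIS:\Sites\$Site\$Vdir"
    Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $path |
        Select-Object -ExpandProperty name
}

if (-not (Test-HttpsBinding -Site $siteName)) {
    Write-Warning "No HTTPS binding on '$siteName'; MFA for OWA/EAC requires HTTPS."
}

foreach ($vdir in $vdirs) {
    $modules = Get-VdirModules -Site $siteName -Vdir $vdir
    $hit = $modules | Where-Object { $_ -match $modulePattern }
    if ($hit) {
        Write-Output "[OK] /$vdir : MFA module registered ($($hit -join ', '))"
    } else {
        Write-Warning "/$vdir : no module matching '$modulePattern'. Registered modules: $($modules -join ', ')"
    }
}
```

If /owa reports the module but /ecp does not, the connector was installed only for the OWA virtual directory; rerun the installer with the matching `-virtualDirectory` value before relying on MFA for the EAC.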