
Establishing the Environment for Clients


Topic Last Modified: 2013-06-24

Client requirements for the two-factor authentication environment in Office 365 dedicated plans are presented in this section, including the following topics:

The following information outlines the requirements to implement either an RSA SecurID or Swivel Secure PINsafe two-factor authentication solution to support web browser access to an Exchange Online environment using an Internet-based client.

  • To use two-factor authentication with Exchange Online, your organization must provide (a) the RSA SecurID or Swivel Secure PINsafe back-end infrastructure within its on-premises environment and (b) the SSL certificate generated by a public certificate authority for the URL used for two-factor authentication. Microsoft provides, activates, and supports the components that pass the authentication requests to this back-end infrastructure.

  • Only the “premium” (full client) version of Outlook Web App is supported; the use of the “light” version of Outlook Web App with mobile devices is not supported.

  • To learn about suitable web browsers for Outlook Web App when used in conjunction with a two-factor authentication solution, see the Office.com article Software requirements for Office 365 for business. You can consider using other browsers supported by your organization’s chosen two-factor authentication solution; compatibility testing of these browsers with Office 365 is your organization's responsibility.

  • The client web browser used for Outlook Web App access must have the Outlook Web App URL for Exchange Online listed as a trusted local intranet site.

  • Due to the need for a client system to be joined to the Active Directory account domain of the Customer Forest, two-factor authentication functionality cannot be used by Exchange ActiveSync (EAS) devices or any other mobile device.

To provide a seamless single sign-on experience for an intranet-based client, you must follow specific configuration steps to enable the user’s validated credentials to be passed between the client web browser and Exchange Online. When this configuration is established, Integrated Windows Authentication will be used to enable the web browser of the client to interact with the Outlook Web App feature of Exchange Online. The two configuration options available are (1) setting a domain policy through the Group Policy object (GPO) feature of Active Directory or (2) the manual configuration method.

For client systems using the Internet Explorer web browser, the Group Policy features of Active Directory can be used to propagate a Site to Zone Assignment domain policy to each Internet Explorer browser. The domain policy will address the placement of specific site URLs in the Local Intranet zone defined for the browser.

To prepare to apply the Site to Zone Assignment domain policy, contact your Service Delivery Manager to obtain the Outlook Web App URL of your Exchange Online environment.

The Site to Zone Assignment List policy setting associates sites to zones using the values for the Internet security zones shown in the following table.


Zone Value    Zone Name
1             Intranet zone
2             Trusted sites zone
3             Internet zone
4             Restricted sites zone

If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.

Use the following steps to modify the Site to Zone Assignment domain policy:

  1. Within your Active Directory environment, invoke the Local Group Policy Editor by executing the following:


  2. Open the console tree and navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

  3. Double-click the Site to Zone Assignment List, select Enabled, and in the Options area click the Show… button.

  4. In the Show Contents dialogue box, type the Outlook Web App URL for Exchange Online in the Value name field and type 1 in the Value field. This value represents the Intranet zone as shown in the preceding table.

When the Site to Zone Assignment domain policy is enabled and applied, all existing URLs for all zones within Internet Explorer will be overwritten and the user will not be able to apply any changes. If other URL values must be set for other zones, these URLs should be added to the Show Contents dialogue box by following the Local Group Policy Editor procedures described above.

The zone assignments for the user will be refreshed when the user logs on to their client system. An administrator can execute the following to have the values immediately applied:

gpupdate /force

In the Internet Options window of Internet Explorer, the Enable Integrated Windows Authentication attribute must also be set. By default, this setting is enabled. If a GPO is required to force the attribute to be the correct value, EnableNegotiate is the registry key that must be set to true. The path to the attribute is displayed in the lower border area of the Registry Editor as shown in the following screen shot.


When the policy has been applied, the Integrated Windows Authentication attribute should appear as being activated in the Internet Options view of Internet Explorer as shown below.

As noted at the bottom of the snapshot shown, any change to the Enable Integrated Windows Authentication attribute will take effect when Internet Explorer is restarted.
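A check an administrator could run in the user's session after the policy refresh, added here as an example and not part of the original guidance: it reads the zone assignments written by the Site to Zone Assignment List policy and the EnableNegotiate value, then reports anything that differs from the configuration described above. The registry paths and the placeholder URL are assumptions, since the page shows the path only in a screen shot.

```powershell
# Added example: audit the per-user result of the Site to Zone Assignment policy.
# $OwaUrl is a placeholder; pass the URL exactly as it was typed into the policy.
param([string]$OwaUrl = 'https://owa.example.invalid')

$zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
# Assumed location of user-scope policy entries: value name = site, data = zone number.
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Assumed location of the EnableNegotiate value behind the Internet Options check box.
$iwaKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# Read every site the policy maps, keyed by site with the zone number as text.
$mapped = @{}
if (Test-Path $zoneMapKey) {
    $key = Get-Item -Path $zoneMapKey
    foreach ($site in $key.GetValueNames()) { $mapped[$site] = [string]$key.GetValue($site) }
} else {
    $findings += 'Policy key not present; the Site to Zone Assignment List has not been applied.'
}

# The Outlook Web App URL must be in zone 1 (Intranet) for single sign-on to work.
if ($mapped.Count -gt 0 -and $mapped[$OwaUrl] -ne '1') {
    $findings += "$OwaUrl is not mapped to the Intranet zone (found: '$($mapped[$OwaUrl])')."
}

# Every other Intranet entry receives the same zone settings, so list each one for review
# and mark plain-HTTP or wildcard entries, which cover more than a single HTTPS site.
foreach ($site in $mapped.Keys) {
    if ($mapped[$site] -eq '1' -and $site -ne $OwaUrl) {
        $note = if ($site -match '^http://|\*') { ' (plain HTTP or wildcard)' } else { '' }
        $findings += "Additional Intranet zone entry to review: $site$note"
    }
}

# Integrated Windows Authentication is enabled by default; only an explicit 0 disables it.
$v = (Get-ItemProperty -Path $iwaKey -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($null -ne $v -and $v -eq 0) { $findings += "EnableNegotiate is 0 under $iwaKey." }

# Print the effective mapping, then the findings (exit code 1 if there are any).
$mapped.GetEnumerator() | Sort-Object Value, Key |
    ForEach-Object { '{0,-18} {1}' -f $zoneNames[$_.Value], $_.Key }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
'Zone mapping and Integrated Windows Authentication match the documented configuration.'
```

Because the policy overwrites the user's own zone lists, every entry this prints was placed there by an administrator, so the output doubles as a review list of which sites receive Intranet zone settings.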

The manual configuration method can be used for Internet Explorer and must be used for all other web browsers.

The following steps describe the manual configuration method to establish a trust between an Internet Explorer-based client and the Outlook Web App URL for Exchange Online:

  1. In Internet Explorer, from the Tools menu, select Internet options and in the Internet Options dialog box, select the Security tab.

  2. On the Security tab, click Local intranet and then click the Sites button.

  3. In the Local intranet dialog box, click the Advanced button.

  4. In the next dialogue box, in the Add this website to the zone field, type the Outlook Web App URL for Exchange Online and click the Add button.

  5. Click Close or OK to close all dialogue boxes.

Microsoft does not provide direct support for web browsers other than Internet Explorer. To manually configure a web browser other than Internet Explorer, seek guidance from the browser’s manufacturer.

As indicated earlier, the client system must be joined to the Active Directory account domain of the Customer Forest; client systems that do not run Windows are unable to meet this requirement.
© 2015 Microsoft