I got a question from our security department, who asked me why they could log in to their OWA using the autodiscover address.
We have published OWA on the address https://mail.ourdomain.com/owa and there our reverse proxy gives the user an OTP challenge on top of the username and password. Now somebody has found out that by using https://autodiscover.ourdomain.com/owa they get access without getting the challenge, because it's not applied for autodiscover.
Is there a way in Exchange to prevent the users from doing this? Or is this something that has to be done in the reverse proxy? The reverse proxy solution, by the way, is F5.
Happy holidays!
Micke