Skip navigation

Duo for Outlook Web App (OWA) on Exchange Server 2007

Last Updated: April 3rd, 2019

Duo adds two-factor authentication to Outlook Web App (OWA) logins, complete with inline self-service enrollment and Duo Prompt.

Walkthrough Video

First Steps

Check your server versions before starting. This integration works with Exchange Server 2007 (64-bit only), running on Windows Server 2008 R1 or R2.

If you are running a newer version of Exchange Server, see the instructions for Exchange Server 2010 or Exchange Server 2013 and later.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.


  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Microsoft OWA in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
  4. Download the Duo OWA Installer Package for Exchange 2007. View checksums for Duo downloads here.
  5. Use NTP to ensure that your server's time is correct (see

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Deployment Tip

Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.

Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).

Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.

Run the Installer

Duo Security's installer needs to be installed on the Microsoft Exchange server(s) where the Client Access Server role exists.

Open the Duo Security installer with administrative privileges to run it. Accept the license agreement and enter your integration key, secret key, and API hostname from the Duo Security application page when prompted:


Test Your Setup

To test your setup, log into OWA. Duo's enrollment or login prompt should appear after you enter your username and password:



Need some help? Take a look at the OWA Frequently Asked Questions (FAQ) page or try searching our OWA Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. OWA connection initiated
  2. Primary authentication
  3. Exchange Client Access Server connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Exchange Client Access Server receives authentication response
  6. OWA session logged in