You can enable certificate-based authentication (CBA) for Exchange Active Sync (EAS) on the Exchange Server (for TLS testing) by modifying specific values on the IIS server. Office 365 or Exchange online does not directly support certificate-based authentication. You must set up dual authentication, that is, modern authentication and CBA, to setup certificate-based authentication for Office 365. You must have Active Directory Federation Service (ADFS) setup to do certificate-based authentication. Office 365 authenticates through the modern authentication, and certificate is presented to the ADFS for authentication. On the Boxer profile, modern authentication and certificate-based authentication needs to be enabled that is, AccountUseOauth must be enabled. See the Workspace ONE Boxer Admin Guide documentation for more details.


  1. From the IIS console, navigate to the EWS endpoint and ensure the EWS endpoint accepts the client certificates.

  2. For client certificates to be allowed on the Exchange server, the Exchange server must have Active Directory Client Certificate Authentication installed and enabled in IIS.