Use certificates and kerberos to authenticate instead of usernames and passwords.

Kerberos Constrained Delegation (KCD) eliminates the use of basic authentication for email. The devices are issued certificates within their Exchange ActiveSync profile, instead of username and password authentication for email. SEG uses the unique user certificate to request secure Kerberos tickets from the domain controller, and embeds these tickets with the ActiveSync request to Exchange. In this way, authentication and authorization is secured by Workspace ONE UEM powered by AirWatch, while also providing a seamless user experience.

The following diagram shows a typical SaaS deployment.

KCD Architecture

It is not required that the PKI infrastructure should be part of the domain.