Exchange two-factor authentication (HEX 2FA) adds an additional layer of security for your users when using Outlook on the desktop and ActiveSync mobile apps. If the username and password is correct, and the mailbox has been enabled for HEX 2FA, the solution will check to see if the application making the connection is authorized to access this mailbox. If authorized, the connection attempt will succeed as normal – if not, you will be notified and asked to first authorize the application.

This solution will work with the following clients:

Important: only Microsoft Outlook 2016 or higher desktop clients for Windows and Mac are supported. Other non-Outlook email clients (Mac mail, Windows mail, etc) are not supported with Exchange 2FA.


Important: POP3, IMAP, SMTP and RPC/HTTP protocols are not supported with Exchange 2FA, and will be automatically disabled for users with this feature enabled.

Using Exchange 2FA

When first enabled by your Account Administrator, the next time one of your mail applications authenticates to the mail server with the correct username and password, it will be blocked from doing so. This will mean that the applications can no longer receive any new mail, and you will not be able to send any messages – existing messages that have been downloaded should still be accessible.

In Outlook you can expect to see the following password prompt:

OL prompt

You might also see one of the following messages in the Outlook status bar located in the lower right-hand corner:

OL bottom bar


  • You might not experience this until you next restart Outlook.
  • ActiveSync/mobile application may take a few hours before they are disconnected.

Receiving a "New Device" Notification

When the solution blocks an application, it will attempt to notify you of this. It will first attempt to send an SMS message to the ‘mobile’ number registered in the Exchange address book. If this is successful, you will see a notification with the following text:


If you don’t have a mobile number registered, or the solution fails to send the SMS, you will instead receive an email with the following content:

notification email

Note: you can register your mobile number in the company address book using My Services page or contact your Account Administrator to update this information.

Accessing the "Exchange Device Management Portal"

Granting an application access to your mailbox is done using the "Exchange Device Management Portal". The location of this portal is included in the above notifications, or you can navigate to it directly using: . Where XXX is your exchange domain that can be found under HostPilot > Home > Exchange server and settings.

To log in, you will see the familiar authentication pages used for Intermedia services:

login page

You can proceed to authenticate using the same credentials and 2FA method that you would use for any other Intermedia service.

Registering an application using the "Exchange Device Management Portal"

When you first access the portal you should see a page of "tiles" – each tile will represent an application that is attempting to connect to your mailbox:

EDM portal

You should notice that the "Token Assignment Status" of these are first set to "INACTIVE". This tells you that the application is using a valid username and password, but it is currently being blocked because it is not yet authorized.

To grant access to this application, select "Activate" from the gear icon:

Token Inactive

You will then be asked to confirm this action:


After which you will see that the "Token Assignment Status" has changed to ACTIVE:

Token Active

The application will now be able to connect to your mailbox and send/receive mail.

Note: depending on the application, you may need to restart and enter the password again before it reconnects to the mailbox.