Autodiscover
This section describes the design decisions associated with Autodiscover for system(s) built using ASD's Blueprint for Secure Cloud.
Autodiscover is a mechanism for the configuration of a user’s email client with minimal user input. The required input from the user is their email address and password.
Autodiscover for a cloud environment varies from the process utilised when on-premises Exchange is leveraged. With a cloud environment, an Autodiscover Endpoint representing the domain is not available. Instead, Domain Name System (DNS) redirection and Hypertext Transfer Protocol Secure (HTTPS) redirection are leveraged to direct the Autodiscover client to a trusted Autodiscover Endpoint.
The high-level process for Autodiscover is:
- The Autodiscover client looks for a host named autodiscover.<DomainName>.com.
- DNS provides the Internet Protocol (IP) address of the host autodiscover.outlook.com.
- The Autodiscover client attempts communication utilising HTTPS (this fails).
- The Autodiscover client requests redirection over Hypertext Transfer Protocol (HTTP); this directs the client to autodiscover-s.outlook.com.
- The Autodiscover client attempts communication utilising HTTPS. The communication is successful. However, the new Autodiscover endpoint does not have a server certificate for the requested hostname, so the communication is redirected using HTTPS redirection to an additional Autodiscover endpoint which can provide the required Autodiscover information.
- The Autodiscover client completes the Autodiscover process with the new Autodiscover endpoint.
The above process requires appropriate external DNS records.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
DNS Records (CNAME) | Alias: Autodiscover; Target: autodiscover.outlook.com | A DNS record that points clients to the Autodiscover service. |
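The redirect chain described above and the CNAME record in the table, modelled offline as an added example (this is not Blueprint code and touches no network). The zone contents, the endpoint behaviour, the TEST-NET-3 addresses, the tenant domain `tenant.example` and the `.invalid` host standing in for the unnamed "additional Autodiscover endpoint" are all constructed placeholders. The client logic enforces the property that matters from a defender's point of view: credentials are only ever sent over HTTPS to a host whose certificate covers the requested name, plain HTTP is used solely to fetch a redirect, and only an `https://` Location is followed.

```python
"""Offline model of the Autodiscover CNAME check and DNS/HTTP/HTTPS redirect chain.

Added example, not Blueprint code. Zone, endpoints, addresses (TEST-NET-3) and
the 'tenant.example' / '.invalid' hostnames are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

EXPECTED_CNAME_TARGET = "autodiscover.outlook.com"

# Constructed external DNS zone: name -> (record type, value)
SAMPLE_ZONE = {
    "autodiscover.tenant.example": ("CNAME", "autodiscover.outlook.com"),
    "autodiscover.outlook.com": ("A", "203.0.113.10"),
    "autodiscover-s.outlook.com": ("A", "203.0.113.11"),
    # Stand-in for the unnamed "additional Autodiscover endpoint" in the text.
    "autodiscover-final.placeholder.invalid": ("A", "203.0.113.12"),
}


@dataclass(frozen=True)
class Endpoint:
    """Constructed behaviour of one Autodiscover host."""
    cert_names: frozenset                  # names the TLS certificate covers
    http_redirect: Optional[str] = None    # Location returned over plain HTTP
    https_redirect: Optional[str] = None   # Location returned over HTTPS
    serves_autodiscover: bool = False      # returns the Autodiscover payload


SAMPLE_ENDPOINTS = {
    "autodiscover.outlook.com": Endpoint(
        cert_names=frozenset({"*.outlook.com"}),
        http_redirect="https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml",
    ),
    "autodiscover-s.outlook.com": Endpoint(
        cert_names=frozenset({"*.outlook.com"}),
        https_redirect="https://autodiscover-final.placeholder.invalid/autodiscover/autodiscover.xml",
    ),
    "autodiscover-final.placeholder.invalid": Endpoint(
        cert_names=frozenset({"autodiscover-final.placeholder.invalid"}),
        serves_autodiscover=True,
    ),
}


def check_autodiscover_cname(zone, domain, expected=EXPECTED_CNAME_TARGET):
    """Validate the external CNAME from the design decision table; returns (ok, reason)."""
    name = f"autodiscover.{domain}"
    rec = zone.get(name)
    if rec is None:
        return False, f"{name}: no record published"
    rtype, value = rec
    if rtype != "CNAME":
        return False, f"{name}: expected CNAME, found {rtype}"
    if value.lower().rstrip(".") != expected:
        return False, f"{name}: target is {value}, expected {expected}"
    return True, f"{name} -> {value}"


def resolve(zone, name, max_cnames=8):
    """Follow CNAMEs in the constructed zone; return (canonical name, address) or None."""
    for _ in range(max_cnames):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype != "CNAME":
            return name, value
        name = value
    return None  # CNAME loop or chain too long


def cert_covers(cert_names, host):
    """True if a certificate name matches host exactly or as a single-label wildcard."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in cert_names)


def _host_of(url):
    return url.split("://", 1)[1].split("/", 1)[0]


def autodiscover_lookup(zone, endpoints, domain, max_hops=5):
    """Walk the chain as a careful client; return (final host or None, trace of steps)."""
    host, trace = f"autodiscover.{domain}", []
    for _ in range(max_hops):
        resolved = resolve(zone, host)
        if resolved is None:
            trace.append(f"DNS: {host} does not resolve")
            return None, trace
        canonical, addr = resolved
        ep = endpoints.get(canonical)
        if ep is None:
            trace.append(f"{canonical} ({addr}): no Autodiscover endpoint")
            return None, trace
        # HTTPS first: the certificate must cover the name the client asked for.
        if cert_covers(ep.cert_names, host):
            if ep.serves_autodiscover:
                trace.append(f"HTTPS {host}: certificate valid, Autodiscover data returned")
                return host, trace
            if ep.https_redirect:
                trace.append(f"HTTPS {host}: certificate valid, redirected to {ep.https_redirect}")
                host = _host_of(ep.https_redirect)
                continue
            trace.append(f"HTTPS {host}: no data and no redirect")
            return None, trace
        trace.append(f"HTTPS {host}: certificate does not cover {host}; no credentials sent")
        # Plain HTTP is used only to obtain a redirect, and only to an https:// target.
        if ep.http_redirect and ep.http_redirect.startswith("https://"):
            trace.append(f"HTTP {host}: redirect to {ep.http_redirect}")
            host = _host_of(ep.http_redirect)
            continue
        trace.append(f"HTTP {host}: no https:// redirect offered; giving up")
        return None, trace
    trace.append(f"gave up after {max_hops} hops")
    return None, trace
```

Calling `autodiscover_lookup(SAMPLE_ZONE, SAMPLE_ENDPOINTS, "tenant.example")` produces a four-step trace matching the list above (HTTPS failure on the tenant name, HTTP redirect, HTTPS redirect from autodiscover-s.outlook.com, success at the final endpoint), while `check_autodiscover_cname` is the check to run against the published zone to confirm the CNAME in the table is in place and points at the expected target.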
Cloud native deployments
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Autodiscover | CNAME; Alias: Autodiscover; Target: autodiscover.outlook.com | Autodiscover will improve the user experience and is required to configure a user’s Outlook profile and inbox. |
Hybrid deployments
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Autodiscover internally | Configured - Service Connection Point | Autodiscover will continue to point to the internal Exchange Servers until all mailboxes have been migrated to Microsoft 365, so that functionality is maintained throughout the migration. |
Autodiscover externally | Configured - DNS record | To ensure Autodiscover functions externally to the organisation. |
Note
Public DNS records should be maintained within the Australian Protective Domain Name (AUPDNS) service per ASD’s Gateway Security Guidance Package: Gateway Technology Guide.
Related information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified