This section describes the design decisions associated with Autodiscover for system(s) built using ASD's Blueprint for Secure Cloud.
Autodiscover is a mechanism for configuring a user’s email client with minimal user input: the only input required from the user is their email address and password.
Autodiscover for a cloud environment varies from the process utilised when on-premises Exchange is leveraged. With a cloud environment, an Autodiscover Endpoint representing the domain is not available. Instead, Domain Name System (DNS) redirection and Hypertext Transfer Protocol Secure (HTTPS) redirection are leveraged to direct the Autodiscover client to a trusted Autodiscover Endpoint.
The high-level process for Autodiscover is:
- Autodiscover endpoint looks for a host named
- DNS provides the Internet Protocol (IP) address of the host
- Autodiscover client attempts communication utilising HTTPS (this fails)
- Autodiscover client requests redirection over Hypertext Transfer Protocol (HTTP) (This directs the client to
- Autodiscover client attempts communication utilising HTTPS. The communication is successful. However, the new Autodiscover endpoint does not have a server certificate for the requested hostname. This communication is then redirected using HTTPS redirection to an additional Autodiscover endpoint which can provide the required Autodiscover information.
- Autodiscover client completes the Autodiscover process with the new Autodiscover endpoint.
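The following is an added example, not ASD Blueprint code, that turns the process above into two checks a tenant administrator can run: one that confirms `autodiscover.<smtp domain>` is a CNAME to the Microsoft 365 Autodiscover target, and one that validates a recorded redirect chain so that the user's credentials are only ever sent over validated HTTPS to a trusted endpoint. The example domain `example.gov.au`, the zone data, the sample chains and the trusted-endpoint allowlist are constructed assumptions; `autodiscover.outlook.com` and `autodiscover-s.outlook.com` are the Microsoft 365 Autodiscover hostnames, which the page itself does not name.

```python
"""Autodiscover CNAME and redirect-chain checks (added example, not Blueprint code).
The allowlist, example domain, zone data and sample chains are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Assumption: endpoints the organisation trusts to receive Autodiscover credentials.
# autodiscover.outlook.com / autodiscover-s.outlook.com are the Microsoft 365 hostnames.
TRUSTED_ENDPOINTS = {"autodiscover.outlook.com", "autodiscover-s.outlook.com"}
M365_CNAME_TARGET = "autodiscover.outlook.com"
REDIRECTS = {301, 302, 307, 308}


@dataclass
class Hop:
    """One request/response in the Autodiscover sequence, as a client or proxy log records it."""
    url: str                        # request URL
    status: Optional[int]           # HTTP status, or None when the TLS/TCP connection failed
    location: Optional[str] = None  # Location header on a redirect
    cert_valid: bool = True         # certificate matched the requested hostname (HTTPS only)
    sent_credentials: bool = False  # client attached the user's credentials to this request


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_ENDPOINTS)


def check_autodiscover_cname(smtp_domain: str, resolve_cname: Callable[[str], Optional[str]]) -> List[str]:
    """Steps 1-2 of the process: autodiscover.<smtp domain> must be a CNAME to the Microsoft 365 target.
    resolve_cname is injected so the check runs against a live resolver or a constructed zone."""
    name = f"autodiscover.{smtp_domain}".lower()
    target = resolve_cname(name)
    if target is None:
        return [f"{name}: no CNAME record published"]
    target = target.rstrip(".").lower()
    if target != M365_CNAME_TARGET:
        return [f"{name}: CNAME points to {target}, expected {M365_CNAME_TARGET}"]
    return []


def validate_chain(hops: List[Hop]) -> List[str]:
    """Steps 3-6: return findings for anything that departs from the expected, safe redirect flow.
    An empty list means credentials only went over validated HTTPS to a trusted endpoint."""
    findings: List[str] = []
    if not hops:
        return ["no Autodiscover requests observed"]
    for i, hop in enumerate(hops):
        scheme = urlparse(hop.url).scheme.lower()
        host = host_of(hop.url)
        if hop.sent_credentials and scheme != "https":
            findings.append(f"hop {i}: credentials sent over {scheme} to {host}")
        if hop.sent_credentials and not hop.cert_valid:
            findings.append(f"hop {i}: credentials sent to {host} despite certificate mismatch")
        if hop.sent_credentials and not is_trusted(host):
            findings.append(f"hop {i}: credentials sent to untrusted host {host}")
        if hop.status in REDIRECTS:
            if not hop.location:
                findings.append(f"hop {i}: redirect from {host} carries no Location header")
                continue
            if urlparse(hop.location).scheme.lower() != "https":
                findings.append(f"hop {i}: redirect to non-HTTPS target {hop.location}")
            if i + 1 < len(hops) and host_of(hops[i + 1].url) != host_of(hop.location):
                findings.append(f"hop {i}: next request went to {host_of(hops[i + 1].url)}, "
                                f"not the redirect target {host_of(hop.location)}")
    last = hops[-1]
    if last.status != 200:
        findings.append(f"final hop: expected 200 from the Autodiscover endpoint, got {last.status}")
    if urlparse(last.url).scheme.lower() != "https" or not last.cert_valid:
        findings.append(f"final hop: response from {host_of(last.url)} not over validated HTTPS")
    if not is_trusted(host_of(last.url)):
        findings.append(f"final hop: {host_of(last.url)} is not a trusted Autodiscover endpoint")
    return findings


# Constructed sample data (not real records): the flow described above, for example.gov.au.
CONSTRUCTED_ZONE = {"autodiscover.example.gov.au": "autodiscover.outlook.com."}
PATH = "/autodiscover/autodiscover.xml"
EXPECTED_CHAIN = [
    Hop("https://autodiscover.example.gov.au" + PATH, None, cert_valid=False),   # step 3: HTTPS fails
    Hop("http://autodiscover.example.gov.au" + PATH, 302,                        # step 4: HTTP redirect
        location="https://autodiscover.outlook.com" + PATH),
    Hop("https://autodiscover.outlook.com" + PATH, 302,                          # step 5: HTTPS redirect
        location="https://autodiscover-s.outlook.com" + PATH),
    Hop("https://autodiscover-s.outlook.com" + PATH, 200, sent_credentials=True),  # step 6: completes
]
# A chain the check flags: the HTTP step redirects to a non-HTTPS, untrusted host that then receives credentials.
FLAGGED_CHAIN = [
    Hop("https://autodiscover.example.gov.au" + PATH, None, cert_valid=False),
    Hop("http://autodiscover.example.gov.au" + PATH, 302, location="http://autodiscover.example.invalid" + PATH),
    Hop("http://autodiscover.example.invalid" + PATH, 200, sent_credentials=True),
]

if __name__ == "__main__":
    print("CNAME:", check_autodiscover_cname("example.gov.au", CONSTRUCTED_ZONE.get) or "ok")
    print("expected chain:", validate_chain(EXPECTED_CHAIN) or "ok")
    print("flagged chain:", *validate_chain(FLAGGED_CHAIN), sep="\n  ")
```

To run the CNAME check against live DNS, pass a resolver callback (for example one built on dnspython's `dns.resolver.resolve(name, "CNAME")`) in place of `CONSTRUCTED_ZONE.get`; the chain validator is fed from client or proxy logs, and the only step it accepts over plain HTTP is the credential-free redirect request in step 4.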
The above process requires appropriate external DNS records.

| Decision Point | Description |
|---|---|
| DNS Records (CNAME) | A DNS record that points clients to the Autodiscover service. |

Cloud native deployments

| Design Decision | Justification |
|---|---|
| CNAME Alias: Autodiscover | Autodiscover will improve the user experience and is required to configure a user’s Outlook profile and inbox. |
| Configured - Service Connection Point | Autodiscover will continue to point to the internal Exchange Servers until all mailboxes have been migrated to Microsoft 365 to ensure functionality. |
| Configured – DNS record | To ensure autodiscover functions externally to the organisation. |
Public DNS records should be maintained within the Australian Protective Domain Name Service (AUPDNS) per ASD’s Gateway Security Guidance Package: Gateway Technology Guide.
Security & Governance
- None identified