How to Use Microsoft Entra ID with Hosted Exchange and Amazon WorkMail

Not using Microsoft 365 but still want to manage users centrally with Microsoft Entra ID? In this post, we explore how Entra ID can integrate with third-party hosted email platforms like Hosted Exchange and Amazon WorkMail.

It’s ideal for small UK businesses that want to apply identity best practices like Multi-Factor Authentication and unified user control — without migrating to full Microsoft cloud email.

Why Use Entra ID with Hosted Email?

  • Secure access to multiple services with a single identity
  • Reduce password sprawl and improve offboarding
  • Enable MFA without relying on a full Microsoft 365 subscription

Option 1: Hosted Exchange Providers

Many Hosted Exchange providers offer no direct integration with Entra ID or SAML. However, you can still gain some benefit through workarounds.

Key Considerations

  • Email authentication typically uses basic credentials (SMTP/IMAP/ActiveSync)
  • SSO is rarely supported unless you're using hybrid AD or a SCIM connector
  • Entra ID Free Tier has no built-in support for mail protocols

Workarounds

  • Use Entra ID as your identity source for everything except email
  • Ensure user UPNs match email addresses for easier coordination
  • Where possible, ask your provider if they support federated login or directory sync
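When email stays outside Entra ID, the UPN-to-address match and offboarding have to be checked by hand. The script below is an added example, not part of the original post, that compares an Entra ID user export against the hosted provider's mailbox list. The Entra column names follow Microsoft Graph user properties; the provider export with a single "address" column and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data. ENTRA_CSV columns follow Microsoft Graph user
# properties; the provider export format (one "address" column) is an assumption.
ENTRA_CSV = """userPrincipalName,mail,accountEnabled
alice@example.co.uk,alice@example.co.uk,true
Bob@example.co.uk,bob@example.co.uk,true
carol@example.onmicrosoft.com,carol@example.co.uk,true
dave@example.co.uk,dave@example.co.uk,false
"""
MAILBOX_CSV = """address
alice@example.co.uk
bob@example.co.uk
carol@example.co.uk
dave@example.co.uk
erin@example.co.uk
"""


def norm(addr):
    """UPNs and email addresses are compared case-insensitively."""
    return (addr or "").strip().lower()


def audit(entra_csv, mailbox_csv):
    """Return the three gaps that appear when email is not tied to Entra ID."""
    users = list(csv.DictReader(io.StringIO(entra_csv)))
    mailboxes = {norm(r["address"]) for r in csv.DictReader(io.StringIO(mailbox_csv))}
    mismatch, disabled, known = [], [], set()
    for u in users:
        upn, mail = norm(u["userPrincipalName"]), norm(u["mail"])
        known.update({upn, mail})
        if upn != mail:  # UPN should equal the email address
            mismatch.append(upn)
        # Account disabled in Entra ID, but the mailbox still exists at the provider
        if norm(u["accountEnabled"]) != "true" and {upn, mail} & mailboxes:
            disabled.append(upn)
    return {
        "upn_mismatch": sorted(mismatch),
        "disabled_with_mailbox": sorted(disabled),
        "mailbox_without_user": sorted(mailboxes - known),  # no Entra identity at all
    }


if __name__ == "__main__":
    for finding, accounts in audit(ENTRA_CSV, MAILBOX_CSV).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

Accounts listed under disabled_with_mailbox or mailbox_without_user can still sign in to email with provider-side credentials, so they are the ones to close or reconcile first.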

Option 2: Amazon WorkMail

Amazon WorkMail supports SAML authentication and directory integrations, which makes it a more flexible option for Entra ID integration.

Integration Steps (SAML)

  1. In Entra ID, create a new Non-Gallery application
  2. Enable SAML-based SSO
  3. Use WorkMail's documentation to gather the ACS URL and Entity ID
  4. Paste the metadata into Amazon WorkMail, or configure it manually
  5. Assign users in Entra ID to this app

Alternative: Directory Sync

  • Amazon supports integration with Entra Domain Services (requires P1)
  • This allows login to WorkMail using Entra credentials in hybrid scenarios

Free Tier Limitations

  • No SMTP or IMAP integration support
  • SCIM provisioning not available unless using an identity bridge
  • SAML works only with services like WorkMail that support custom IdPs

When Is It Worth Doing?

  • You want Entra ID to manage identity for apps and local logins, not just email
  • You’re using WorkMail or another SAML-capable mail provider
  • You’re planning a gradual move to Microsoft 365 or other cloud services

Best Practice Recommendation

Even if full SSO isn’t possible, Entra ID can still serve as your authoritative identity directory — with MFA, password policy, and user lifecycle management.

Download the Full Microsoft Entra ID Setup & SSO Guide

You can download our full Microsoft Entra ID Setup & SSO Guide (PDF).

Contact Us
info@hybrid-it.co.uk
About Us

Hybrid IT Services provides professional computer repairs, IT support, and consultancy services to homes and businesses across Northumberland and Newcastle upon Tyne.