SharePoint Security: How to Enable MFA & SSO for On-Premises SharePoint Server 2013/2016/2019

Introduction: Why SharePoint Security Matters More Than Ever
On-premises Microsoft SharePoint still powers collaboration for enterprises in finance, healthcare, education, and government—especially SharePoint 2016 and 2019. But attackers increasingly target unpatched servers, weak authentication, and legacy perimeter defenses. Meanwhile, regulators expect identity-centric controls like multi-factor authentication (MFA) and single sign-on (SSO).
Enabling modern identity on SharePoint can be tricky with native components alone. That’s where a proxy-based, no-code integration with your identity provider (IdP) helps you move fast.
In this article, you’ll learn:
- The key risks of on-premises SharePoint
- How vulnerabilities like CVE-2025-53770 can be mitigated
- Modern strategies to secure SharePoint
- How to add MFA & SSO for SharePoint Server 2013/2016/2019
- How Datawiza Access Proxy (DAP) simplifies the process
Security Risks of On-Premises SharePoint
1) Known Vulnerabilities and CVEs
Critical SharePoint CVEs (e.g., CVE-2025-53770) show how quickly unpatched servers can be exploited for elevated access or data theft. Without proactive controls, outdated farms become easy entry points.
2) Weak Authentication
Password-only logins can’t withstand phishing, credential stuffing, or brute-force attacks.
3) Compliance Gaps
Sectors like finance and healthcare expect MFA and auditable access controls. Falling short risks fines and failed audits.
How Datawiza Access Proxy Blocks CVE-2025-53770 and Similar Attacks

Datawiza Access Proxy (DAP) is an authentication reverse proxy that sits in front of SharePoint. All requests must pass DAP first, which lets you block exploit attempts before they ever reach SharePoint.
Why DAP Can Block Such Attacks
- Authentication Reverse Proxy Architecture: DAP terminates authentication at the edge. Exploit payloads aimed at login/session endpoints never hit SharePoint directly.
- Modern Identity Enforcement: DAP upgrades front-door auth to SAML/OIDC/OAuth with your IdP (Microsoft Entra ID, ADFS, Okta, Ping, etc.). Protocol weaknesses at the app tier are avoided because SharePoint only receives pre-authenticated, policy-vetted traffic.
- Mandatory MFA: Even with stolen passwords, attackers can’t pass the second factor enforced at DAP/IdP.
- Conditional Access & Zero Trust: Enforce policies by IP/location, device posture, risk score, time of day—malicious or noncompliant requests are stopped at the proxy.
- Application Isolation: SharePoint isn’t directly exposed. Unauthenticated probes can’t reach internal endpoints without clearing DAP’s checks.
Bottom line: DAP adds a zero-trust front door for SharePoint, making exploitation of issues like CVE-2025-53770 far harder in practice.
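To make the front-door model concrete, here is an added illustration (constructed for this article, not Datawiza's code) of the gating logic an authentication reverse proxy applies before a request is forwarded to SharePoint, together with the per-decision audit line the later "feed logs into your SIEM" advice relies on. It assumes the proxy has already validated the IdP token and passes its claims in; the amr/roles claim names, the 10.0.0.0/8 corporate range and the sp_admin role are placeholders.

```python
import json
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    path: str
    client_ip: str
    claims: "dict | None"            # validated IdP token claims; None = no session
    device_compliant: bool = False   # posture signal available to the proxy

@dataclass
class Policy:
    trusted_networks: list = field(default_factory=lambda: ["10.0.0.0/8"])  # assumed corp range
    require_mfa: bool = True
    compliant_device_off_network: bool = True
    admin_prefixes: tuple = ("/_layouts/", "/_admin/")

def evaluate(req: Request, pol: Policy, now: "float | None" = None):
    """Return (allow, reason). A denial ends the request at the proxy,
    so SharePoint never receives it."""
    now = time.time() if now is None else now
    if req.claims is None:                         # unauthenticated probe
        return False, "unauthenticated"
    if req.claims.get("exp", 0) <= now:            # stale session
        return False, "session_expired"
    if pol.require_mfa and "mfa" not in req.claims.get("amr", []):
        return False, "mfa_not_satisfied"          # password-only login at the IdP
    ip = ip_address(req.client_ip)
    on_net = any(ip in ip_network(n) for n in pol.trusted_networks)
    if not on_net and pol.compliant_device_off_network and not req.device_compliant:
        return False, "unmanaged_device_off_network"
    if req.path.startswith(pol.admin_prefixes) and "sp_admin" not in req.claims.get("roles", []):
        return False, "admin_path_requires_role"
    return True, "allowed"

def audit_record(req: Request, allow: bool, reason: str) -> str:
    """One JSON line per decision, ready to ship to a SIEM such as Microsoft Sentinel."""
    sub = (req.claims or {}).get("sub", "-")
    return json.dumps({"sub": sub, "ip": req.client_ip, "path": req.path,
                       "allow": allow, "reason": reason}, sort_keys=True)

if __name__ == "__main__":
    now = time.time()
    ok = {"sub": "alice", "exp": now + 600, "amr": ["pwd", "mfa"], "roles": []}
    for r in (Request("/sites/hr", "203.0.113.9", None),             # constructed samples
              Request("/sites/hr", "10.1.2.3", {**ok, "amr": ["pwd"]}),
              Request("/sites/hr", "10.1.2.3", ok)):
        print(audit_record(r, *evaluate(r, Policy(), now)))
```

The check order matters: the cheapest rejections (no session, expired session) run first, so unauthenticated probes cost the proxy almost nothing and never generate load on the farm.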
Best Practices for On-Premises SharePoint Security
- Apply Security Updates Promptly: Monitor Microsoft advisories and patch your SharePoint servers as soon as updates are available.
- Modernize Authentication with SSO & MFA: Require all users (especially admins and remote users) to authenticate via SSO and MFA, even if your SharePoint server doesn’t natively support it.
- Deploy an Authentication Proxy: A solution like Datawiza Access Proxy adds a strong security layer in front of on-premises SharePoint, requiring authentication for every request and blocking unauthenticated traffic.
- Review and Restrict Access: Limit public access, audit permissions, and monitor for suspicious logins or file activity.
- Educate Users and Enforce Policy: Train staff, leverage data loss prevention (DLP), and enable auditing for compliance.
Modern Strategies to Secure SharePoint
Enable Multi-Factor Authentication (MFA)
Use your IdP’s MFA (e.g., Microsoft Authenticator, Okta Verify, SMS/email OTP). Enforce MFA for all users—internal and external.
Add Single Sign-On (SSO)
Unify logins via Microsoft Entra ID (Azure AD), ADFS, Okta, Ping, or other IdPs. Users sign in once; policies are centrally managed.
Use Standards-Based Protocols
Adopt SAML, OIDC, and OAuth so SharePoint aligns with the same identity stack as your SaaS apps.
Secure Hybrid/Remote Access
Apply conditional access (geo/device/risk) at the edge. A proxy-based approach lets you enforce fine-grained rules before requests hit SharePoint.
The Challenge with Native/Traditional Approaches
Organizations often rely on ADFS, WAP, custom claims providers, or complex farm changes. Common hurdles:
- Time & complexity: Weeks or months of configuration and testing
- Maintenance: Upgrades and farm changes can break integrations
- Limited policy agility: Harder to apply dynamic, risk-based controls consistently
How Datawiza Secures On-Premises SharePoint
Datawiza Access Proxy (DAP) provides a no-code, proxy-based path to modern identity for SharePoint:
- MFA for SharePoint on-prem via your existing IdP (Entra ID, ADFS, Okta, Ping, etc.)
- SSO across apps (SharePoint + Oracle EBS, JD Edwards, PeopleSoft, custom portals)
- Fast rollout: often hours to days, not months
- Standards support: SAML/OIDC/OAuth
- Lower ops load: No SDKs in the app, fewer farm changes; policy lives at the proxy
Real-World Example
A global enterprise securing SharePoint 2019 for thousands of users needed MFA + SSO with Okta and tighter control for remote access.
With DAP:
- Deployment completed in hours
- MFA enforced uniformly at the edge
- Conditional access blocked unmanaged devices and suspicious geos
- Fewer moving parts inside the farm reduced maintenance risk
Best Practices for Ongoing SharePoint Security
- Patch promptly to mitigate new CVEs
- Monitor access; feed logs into your SIEM (e.g., Microsoft Sentinel)
- Least privilege & conditional access across all entry points
- User education on phishing/social engineering
- DR planning for SharePoint to preserve business continuity
FAQ — SharePoint Security & MFA/SSO
Does on-premises SharePoint support MFA? Yes – enforce MFA via your IdP (e.g., Entra ID, Okta, Ping). DAP ensures MFA happens before SharePoint is touched.
How long to enable SSO for SharePoint? Native paths can take weeks; proxy-based approaches like DAP are typically much faster.
Which protocols are supported? SAML, OIDC, OAuth—compatible with major IdPs (Entra ID, Okta, Ping, etc.).
Do I need to change my SharePoint farm? Often minimal or no application code changes. DAP sits in front and handles auth/policy centrally.
Summary
Modern SharePoint security means more than just patching—it requires strong authentication and proactive access control, especially for on-prem deployments. Datawiza helps enterprises modernize their legacy SharePoint security, with SSO, MFA, and centralized policy management.
Ready to secure your on-premises SharePoint 2013/2016/2019? Learn more or contact us here.