To do some hybrid testing, I installed Exchange Server 2019 (preview) on Windows Server 2016 Server Core. When I ran the Hybrid Configuration Wizard, it reported that the OAuth 2.0 protocol could not be configured. Since OAuth is required for the Graph API, I enabled OAuth manually following this article. But even after OAuth was enabled, the tests I ran from Graph Explorer, using the GET method against a mailbox in Exchange On-Premises, returned the following AuthenticationError:
“message”: “Error authenticating with resource”
I checked the IIS and REST logs in Exchange On-Premises and confirmed that the requests were not even reaching Exchange. After some research I realized that configuration was missing from the environment, probably because the Hybrid Configuration Wizard had been unable to complete the OAuth configuration: the EvoSts Authentication Provider had not been created in Exchange.
This Authentication Provider is a requirement for the Graph API in a hybrid scenario: it is the trust that lets Exchange On-Premises validate the OAuth tokens Azure AD issues for requests that Exchange Online and the Graph API send to the on-premises mailbox. Without it, on-premises Exchange has no issuer to validate those tokens against, and the request fails before it ever reaches the mailbox.
The first step is to find the tenant's initial domain (the onmicrosoft.com domain). To obtain it, run the following command from Exchange Online PowerShell:
Get-AcceptedDomain | fl DomainName,InitialDomain
With the initial domain in hand, run the following command in the on-premises Exchange Management Shell, substituting your initial domain:
New-AuthServer -Name EvoSts -Type AzureAD -AuthMetadataUrl https://login.windows.net/<initial domain>/federationmetadata/2007-06/federationmetadata.xml
Then verify with the Get-AuthServer cmdlet that the new Authentication Provider has been added and is enabled.
It's also necessary to register the namespaces used by on-premises Exchange as service principal names on the Exchange Online service principal in the Azure AD security token service. Run these commands for ALL names used, including Autodiscover, replacing <exchange namespace> with each hostname in turn:
$x = Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000
$x.ServicePrincipalNames.Add("https://<exchange namespace>/")
Set-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames
Once those changes were made, it was possible to execute HTTP methods against Exchange On-Premises from Graph Explorer.
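The whole procedure above, as an added example that is not part of the original post: it collects the hostnames that on-premises Exchange actually publishes, registers each one as an SPN on the Exchange Online service principal only if it is not already there (the raw .Add() call in the post will append a duplicate if you run it twice), and checks that the EvoSts AuthServer exists, is enabled and has pulled an issuer identifier from the metadata URL. The namespace list and the function names are my own; the MSOnline cmdlets are the ones the post uses, but note that Microsoft has deprecated the MSOnline module, and with Microsoft Graph PowerShell the same property is written with Update-MgServicePrincipal -ServicePrincipalNames.

```powershell
# Added example (not the original post's code). Assumes the MSOnline module
# is installed and Connect-MsolService has been run for the Azure AD part, and
# that the on-premises functions are run in the Exchange Management Shell.

# Exchange Online's well-known application ID (the GUID used in the post).
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

function Get-OnPremExchangeNamespaces {
    # Run in the on-premises Exchange Management Shell. Collects every hostname
    # published in the client-facing virtual directory URLs plus the internal
    # Autodiscover URI. The external Autodiscover name (autodiscover.<smtp domain>)
    # is not stored in any virtual directory, so add it to the list yourself.
    $urls = @()
    $urls += Get-WebServicesVirtualDirectory -ADPropertiesOnly | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory        -ADPropertiesOnly | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-MapiVirtualDirectory       -ADPropertiesOnly | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ClientAccessService | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    $urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
}

function Add-ExchangeOnlineSpn {
    # Idempotently adds https://<namespace>/ for each namespace to the Exchange
    # Online service principal. Returns the SPNs that were actually added.
    param([Parameter(Mandatory)] [string[]] $Namespace)

    $sp = Get-MsolServicePrincipal -AppPrincipalId $ExchangeOnlineAppId
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($existing in $sp.ServicePrincipalNames) { $names.Add($existing) }

    $added = @()
    foreach ($ns in $Namespace) {
        $spn = "https://$($ns.ToLowerInvariant())/"
        if ($names -contains $spn) { continue }   # -contains is case-insensitive
        $names.Add($spn)
        $added += $spn
    }
    if ($added.Count -gt 0) {
        Set-MsolServicePrincipal -AppPrincipalId $ExchangeOnlineAppId -ServicePrincipalNames $names
    }
    return $added
}

function Test-EvoStsTrust {
    # Run in the on-premises Exchange Management Shell. The AuthServer must
    # exist, be enabled, and have an IssuerIdentifier; an empty IssuerIdentifier
    # means Exchange never managed to fetch the federation metadata.
    $auth = Get-AuthServer -Identity EvoSts -ErrorAction SilentlyContinue
    if (-not $auth)                  { return 'EvoSts AuthServer missing: run New-AuthServer first' }
    if (-not $auth.Enabled)          { return 'EvoSts AuthServer present but disabled' }
    if (-not $auth.IssuerIdentifier) { return 'EvoSts has no IssuerIdentifier: metadata was not retrieved' }
    return "EvoSts OK: type $($auth.Type), issuer $($auth.IssuerIdentifier)"
}

# --- usage ---
# Constructed sample namespaces; in practice take them from
# Get-OnPremExchangeNamespaces and add the external Autodiscover name.
$namespaces = @('mail.contoso.com', 'autodiscover.contoso.com')

Add-ExchangeOnlineSpn -Namespace $namespaces | ForEach-Object { "Added SPN $_" }

# Show every on-premises namespace now registered on the Exchange Online principal.
(Get-MsolServicePrincipal -AppPrincipalId $ExchangeOnlineAppId).ServicePrincipalNames |
    Where-Object { $_ -like 'https://*/' }

# On-premises, confirm the trust that the Hybrid Configuration Wizard failed to create.
Test-EvoStsTrust
```

Running Add-ExchangeOnlineSpn a second time returns nothing and does not call Set-MsolServicePrincipal, which is the point of building the list first: the SPN list is what Exchange Online uses to decide which on-premises hosts it may request tokens for, so it should contain each namespace exactly once and nothing you do not control.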