Graph AuthenticationError trying to GET the Exchange Server On-Premises


In order to perform some hybrid testing, I performed the installation of Exchange Server 2019 (preview) on the Windows Server 2016 Server Core. Running the Hybrid Configuration Wizard, I was informed that the OAuth 2.0 protocol could not be configured. As long as OAuth is required for the Graph API, I manually enabled OAuth following this article.But even after the OAuth was enabled, the tests that I performed from Graph Explorer using GET method to a mailbox in Exchange On-Premises returned the following AuthenticationError error:

“Code”: “AuthenticationError”,

“message”: “Error authenticating with resource”


I checked some IIS and REST logs in Exchange On-Premises and confirmed that the requests weren’t even reached the Exchange. After some researching, I realized that there were missing configurations in the environment, probably because the Hybrid Configuration Wizard was unable to perform the OAuth configuration, the EvoSts Authentication Provider wasn’t created in the Exchange:

This is a requirement for the Graph API in hybrid scenario, in fact Azure AD relies on this Authentication Provider to be able to issue tokens on behalf of Exchange On-Premises.


The first step was finding the tenant’s initial domain. To obtain this information, use the following command from the Exchange Online Shell:

Get-AcceptedDomain | fl Domainname,InitialDomain

With the initial domain in hand, run the following command, replacing your initial domain:

New-AuthServer -Name EvoSts -Type AzureAD –AuthMetadataUrl<initial domain>/federationmetadata/2007-06/federationmetadata.xml

Then you can verify with Get-AuthServer command and validate that the new Authentication Provider has been successfully added:

It’s also necessary to add the namespaces used by Exchange in the AAD secutiry token service. Run these commands for ALL names used, including Autodiscover:

$x = get-MSOLServicePrincipal - -AppPrincipalId 00000002-0000-0ff1-ce00-00000000000

$x.ServicePrincipalnames.Add("https://<exchange namespace>/")

Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

Once those changes were made, it was possible through Graph Explorer executed HTTP methods in Exchange On-Premises.

2 thoughts on “Graph AuthenticationError trying to GET the Exchange Server On-Premises

  1. Hi,

    I was facing this issue. After following this error code changed to 401 saying unknown error.
    “error”: {
    “code”: “UnknownError”,
    “message”: “”,
    “innerError”: {
    “request-id”: “3dc4ef95-8767-4c12-821a-7096d050ed5a”,
    “date”: “2019-02-21T09:59:51”

    Any hint for this ? How to debug ?
    How can i check if graph calls (/messages) are reaching on prem exchange server in IIS logs ?

    1. Try to find any call from the graph on IIS logs. If the graph can reach on-Prem, you should find an autodiscover request like this in the IIS logs: GET /autodiscover/autodiscover.json (you can filter by “autodiscover.json” to make the search easier)

      Then, if the autodiscover response was successful the graph should call the HTTP method using the URL provided by the autodiscover, you can search on IIS logs something like this: GET /api/V2.0/Users(‘’)/Messages (you can filter by /api to make the search easier)

      If you didn’t find nothing on IIS frontend logs it means that the call doesn’t reaching on-Prem.

Leave a Reply

Your email address will not be published. Required fields are marked *