Has anyone else tried to configure online archiving for on-premises mailboxes with a 3rd party hybrid app active?
I went through the process in our test and production environments with no issues, until I had to enable an online archive hosted in Exchange Online for an on-premises mailbox.
While the archive provisioned correctly, I haven't been able to get the managed folder assistant to successfully move content into the archive.
The mailbox's MRM diagnostic logs indicate a potential issue with the OAuth token being retrieved/used by Exchange.
MailboxLog : 17/08/2025 5:42:22 PM Exception: Microsoft.Exchange.MailboxAssistants.Assistants.ELC.ElcEwsException:
ELC EWS failed with error type: 'FailedToGetUserConfiguration'. Details: ExchangeImpersonation SOAP
header must be present for this type of OAuth token. ---> System.Web.Services.Protocols.SoapException:
ExchangeImpersonation SOAP header must be present for this type of OAuth token.
I was able to recreate the issue in our test environment and removing the setting override seemed to get it into gear. We didn't have any mailboxes in this state (on-prem mailbox, Exchange Online archive) prior to setting up the 3rd party hybrid app, but it looks to be related. I did go through a few changes in troubleshooting the issue, but the 2 environments were configured the same way when the issue presented itself.
Interested if anyone else has encountered this or has some insight. We have a large mailbox (~115GB) that needs migrating, but would prefer to keep the settings override in place.
Edit:
LukasSMSFT I've tried to add the details on this but they appear to have disappeared into the void. Here's a condensed version of the original comment, happy to provide more info as/if required. I haven't raised a support case for this, as it's annoying but not a major issue for me at the end of the day.
Issue was apparent in both of these builds:
- Version: Exchange 2016 CU23 May25HU, Build Number: 15.01.2507.057
- The August 25 SU
To recreate the issue:
- Configure the 3rd party app using the provided script
- Remove the certificates from the keyCredentials of the 1st party hybrid app
- Enable the settings override and validate that sign in logs are appearing for the service principal
- For an on-premises user or shared mailbox (I tried both), enable a remote archive in Exchange Online. Not that there would be a difference, but I recreated the issue using both the GUI and PS
- Wait for the delta syncs to occur and validate the archive GUID and details are populated in the on-prem object
- Assign a retention policy to the mailbox with a default tag that has a move to archive setting (I did not try a personal tag).
- Wait 24 hours, or push the managed folder assistant along with PS.
- Check the statistics of the online archive, if no content is found, generate the mailbox diagnostic logs and see the failures.
- Re-upload the certificates to the 1st party app by running the HCW and selecting the option for it
- Disable the settings override to prevent the use of the 3rd party hybrid app
- Wait a bit, and restart the managed folder assistant.
- Check the mailbox diagnostic logs to see if there are failures, check the archive statistics and validate content now exists.
I went down a bit of a rabbit hole before finding this, and so I did other changes in our test environment. However, I gave it ~24 hours after doing the other changes with no resolution. It was just a few minutes after re-enabling the 1st party app that the archiving process started working.
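The repro steps above boil down to a handful of checks that can be scripted; the helper below is an added example (not the poster's code or anything from Microsoft), meant to be run in the on-premises Exchange Management Shell. It assumes the mailbox identity is a placeholder you replace, and since the post does not name the setting override it lists every active override rather than a specific one.

```powershell
<#
  Added diagnostic helper (not from the original post). Run in the on-premises
  Exchange Management Shell as an admin. The mailbox identity is a placeholder;
  the hybrid-app override name is not given in the post, so all overrides are listed.
#>
function Test-RemoteArchiveMrm {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$RunAssistant   # also push the Managed Folder Assistant, as in the repro steps
    )

    # 1. Confirm the on-prem object knows about the Exchange Online archive (delta sync has landed).
    $mbx = Get-Mailbox -Identity $Identity
    [pscustomobject]@{
        Mailbox         = $mbx.PrimarySmtpAddress
        ArchiveStatus   = $mbx.ArchiveStatus
        ArchiveGuid     = $mbx.ArchiveGuid
        ArchiveDomain   = $mbx.ArchiveDomain
        RetentionPolicy = $mbx.RetentionPolicy
    } | Format-List

    # 2. Show which tags applied to the mailbox would actually move content to the archive.
    Get-RetentionPolicyTag -Mailbox $Identity |
        Where-Object { $_.RetentionAction -eq 'MoveToArchive' } |
        Select-Object Name, Type, AgeLimitForRetention, RetentionEnabled

    # 3. List active setting overrides; the hybrid-app override toggled in the post shows up here.
    Get-SettingOverride | Select-Object Name, Component, Section, Parameters, Reason

    if ($RunAssistant) { Start-ManagedFolderAssistant -Identity $Identity }

    # 4. Pull the MRM diagnostic log and flag the OAuth/impersonation failure quoted in the post.
    $log  = (Export-MailboxDiagnosticLogs -Identity $Identity -ComponentName MRM).MailboxLog
    $hits = $log -split "`r?`n" |
        Where-Object { $_ -match 'ExchangeImpersonation SOAP header must be present|FailedToGetUserConfiguration' }
    if ($hits) {
        Write-Warning ("MRM assistant is failing EWS calls to the archive ({0} matching log lines):" -f @($hits).Count)
        $hits | Select-Object -Last 5
    } else {
        Write-Output 'No ExchangeImpersonation/FailedToGetUserConfiguration errors in the MRM log.'
    }
}

# Usage (placeholder identity):
# Test-RemoteArchiveMrm -Identity 'user@contoso.example' -RunAssistant
```

Run it once before and once after toggling the override so the archive properties, active overrides and MRM log errors can be compared side by side.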