I wanted to post this question on the blog https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises, but since comments are closed there I am asking it here.
I have a mailbox on an on-prem Exchange server (which is in hybrid mode), abc@onprem.com, and I am trying to access it via the Graph API (/messages).
This works perfectly if I do it in Graph Explorer, but fails when I do it via my implementation.
The required application permission is granted in the Azure app registration portal.
The implementation uses grant_type client_credentials with a certificate, and this works perfectly for cloud users.
Response of the API:
{'error': {
    'innerError': {
        'date': '2019-02-28T14:17:45',
        'request-id': '6a85f8c3-4e13-4cf0-84b2-ddc934241afd'
    },
    'message': '',
    'code': 'UnknownError'
}}
From your previous comment I found, through the IIS logs, that the calls are reaching the on-prem Exchange server.
For the call that came from Graph Explorer:
2019-02-28 15:02:31 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=bc8e8aef-de46-4c72-bcf4-b4f567bc45dd; 443 S-1-5-21-1392771109-4043059535-3934338706-1147 20.190.145.177 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.80+Safari/537.36 - 200 0 0 287
For the call from the implemented app:
2019-02-28 15:00:05 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=c504b658-b9df-43b5-9dbb-8e83050c3d2f; 443 - 20.190.128.103 - - 401 0 0 102
How can I debug why authentication is failing for on-prem mailboxes, and what is the reason for this? Are there any logs which I can refer to?
Also, what would be the reason for this authentication failure? Could it be because the token is provided by Azure AD, which is then authenticated against on-prem?
Should I also run Set-MSOLServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 for the app ID registered in Azure?
I am also curious about which app "00000002-0000-0ff1-ce00-000000000000" belongs to.
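The two IIS log entries quoted in the post are the most concrete evidence available, so a useful first debugging step is to parse them mechanically and compare the rejected request with the accepted one field by field. The script below is an added example, not code from the post or from Microsoft; it assumes the default IIS W3C field order (check the `#Fields:` header of the real log, which is an assumption here) and uses constructed sample lines modelled on the two entries above. It pulls out the per-request `cafeReqId`, flags every 401, records whether IIS saw an authenticated user for it, and lists the fields in which the failing request differs from the successful one.

```python
"""Parse IIS W3C log lines from a hybrid Exchange server and report REST requests
rejected with HTTP 401, with the cafeReqId needed to follow each request further.
Added example, not code from the original post. The field order below is the
IIS default W3C layout and is an assumption: confirm it against the '#Fields:'
line of the actual log before relying on it."""
import re

# Assumed IIS default W3C field order (15 fields).
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample log modelled on the two entries quoted in the post:
# first the Graph Explorer call (200), then the custom app's call (401).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-02-28 15:02:31 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=bc8e8aef-de46-4c72-bcf4-b4f567bc45dd; 443 S-1-5-21-1392771109-4043059535-3934338706-1147 20.190.145.177 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.80+Safari/537.36 - 200 0 0 287
2019-02-28 15:00:05 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=c504b658-b9df-43b5-9dbb-8e83050c3d2f; 443 - 20.190.128.103 - - 401 0 0 102
"""

CAFE_REQ_ID = re.compile(r"cafeReqId=([0-9a-fA-F-]+)")


def parse_line(line):
    """Split one W3C log line into a dict keyed by FIELDS, or None if the
    field count does not match the assumed layout."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes '-' for fields it has no value for (no authenticated user,
    # no User-Agent, no Referer); normalise those to None.
    for key in ("cs-username", "cs(User-Agent)", "cs(Referer)"):
        if rec[key] == "-":
            rec[key] = None
    rec["sc-status"] = int(rec["sc-status"])
    rec["sc-substatus"] = int(rec["sc-substatus"])
    m = CAFE_REQ_ID.search(rec["cs-uri-query"])
    rec["cafeReqId"] = m.group(1) if m else None
    return rec


def parse_log(log_text):
    """Parse every data line of a W3C log, skipping directives and blanks."""
    recs = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is not None:
            recs.append(rec)
    return recs


def auth_failures(log_text):
    """Return the records rejected with HTTP 401. A 401 with cs-username of
    None means IIS never associated an identity with the request, which is
    the symptom to chase rather than an authorization problem on the mailbox."""
    return [r for r in parse_log(log_text) if r["sc-status"] == 401]


def differing_fields(ok, failed, ignore=("date", "time", "time-taken", "cs-uri-query", "cafeReqId")):
    """Fields whose values differ between a successful and a failing request,
    ignoring those that naturally differ on every request."""
    return {k: (ok[k], failed[k]) for k in FIELDS if k not in ignore and ok[k] != failed[k]}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in auth_failures(SAMPLE_LOG):
        print(f"401 for cafeReqId={r['cafeReqId']} from {r['c-ip']} "
              f"substatus={r['sc-substatus']} user={r['authenticated_user'] if 'authenticated_user' in r else r['cs-username']}")
    print("differences:", differing_fields(recs[0], recs[1]))
```

Running it against the sample prints the single 401 and shows that the failing request differs only in the authenticated user, the client address and the User-Agent: the URI, method and port are identical, so the request itself is well formed and the gap is in how the server authenticated the bearer. The `sc-substatus` value is kept because IIS uses it to qualify a 401 further, and the `cafeReqId` is the identifier to carry into whatever server-side logs are consulted next.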