Forum Discussion

aleemsyed12
Copper Contributor
Dec 12, 2025

TEST-OAuthConnectivity | The remote server returned an error: (403) Forbidden

Hello Exchange Tech Community,


I have set up a lab environment of Exchange Server 2016 in Hybrid Configuration. I can successfully onboard and offboard mailboxes. OnPrem Exchange Server is

I have a Microsoft 365 Business Basic subscription for Exchange Online. Entra ID Sync is working seamlessly. Email flow between OnPrem and EXO and vice versa works perfectly.

When I am testing OAuth functionality from OnPrem to EXO, I am getting this error highlighted in yellow

Do I need to assign any role to the synchronized user in Entra ID? Currently, they are just MEUs in EXO.

When OAuth is tested from EXO to OnPrem, I am getting this error

Please advise.


2 Replies

  • aleemsyed12
    Copper Contributor

    All right. FB lookup from EXO to OnPrem direction works but not vice versa.

    Here are some snippets of the configuration


    Screenshot captions (images not included):
    •    Test-OAuth from EXO to OnPrem passes with flying colors
    •    EXO side Test-OrgRel fails just like OnPrem side (shown further below)
    •    EXO side IOC
    •    EXO side OrgConfig
    •    EXO side OrgRelationship
    •    OnPrem side FederationTrust passes successfully
    •    OnPrem side OrgRel Test fails
    •    OnPrem side IntraOrg Configuration
    •    OnPrem side IOC
    •    OnPrem side OrgRelationship
    •    OnPrem side AuthConfig has same certificate as Get-ExchangeCertificate cmdlet
    •    OnPrem side Get-ExchangeCertificate. Certificate has private key and is valid
    •    OnPrem side Availability address space


  • A 403 Forbidden during the OAuth test normally indicates that the server-to-server OAuth configuration is incomplete between Exchange On-Prem and Exchange Online.
    Key items to verify:
    1. The Autodiscover and EWS URLs must be published externally
    Hybrid OAuth requires EXO to reach your on-prem EWS and Autodiscover endpoints over HTTPS.
    If the URL is internal-only or the certificate isn’t trusted externally, EXO will return a 403.
    2. The OAuth certificate on the on-prem Exchange server must be valid and assigned
    Check with:
    Get-AuthConfig
    Get-ExchangeCertificate
    Make sure the certificate used by AuthConfig is:
    •    Trusted
    •    Not expired
    •    Has a private key
    •    Assigned to the Auth service
    3. The Intra-Organization Connector must point to the correct Autodiscover URL
    Run:
    Get-IntraOrganizationConnector
    Confirm the TargetAutodiscoverEpr matches your external Autodiscover URL.
    4. No additional Entra ID roles are required
    A synchronized user does not need extra roles for OAuth. MEU is fine. This error is not permission-related at the user level.
    5. The EXO → On-Prem error about “account not provisioned” usually means missing mailbox GUID
    EXO expects the on-prem user object to contain the correct Exchange attributes (msExchMailboxGuid, targetAddress, etc.).
    Incorrect or missing values can cause OAuth/claims validation to fail.
    In most cases, correcting the Autodiscover/EWS URLs and re-running Hybrid Configuration Wizard fixes the issue.
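    The checks listed in this reply can be run in one pass from the on-premises Exchange Management Shell. The script below is an added example, not code from the thread or from Microsoft; it assumes a placeholder test mailbox address, reads the connector endpoint from the Intra-Organization Connector's DiscoveryEndpoint property and the Autodiscover EPR from the organization relationship's TargetAutodiscoverEpr property, and finishes by running Test-OAuthConnectivity toward Exchange Online so the HTTP status (such as the 403) is shown in the Detail field.

```powershell
# Added example (not from the thread): run in the on-premises Exchange Management Shell.
# It cross-checks the items the reply lists (AuthConfig certificate, IOC endpoint,
# organization relationship, external EWS URL) and then runs Test-OAuthConnectivity.
# Placeholder (not a value from the thread): $TestMailbox.
$TestMailbox = 'user@contoso.example'      # any on-prem mailbox, placeholder
$findings = New-Object System.Collections.Generic.List[string]
$now = Get-Date

# 1. AuthConfig certificate: present locally, valid, unexpired, with a private key.
$auth = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
if (-not $cert) {
    $findings.Add("AuthConfig thumbprint $($auth.CurrentCertificateThumbprint) is not in this server's store")
} else {
    if ($cert.Status -ne 'Valid')    { $findings.Add("OAuth certificate status is '$($cert.Status)'") }
    if ($cert.NotAfter -lt $now)     { $findings.Add("OAuth certificate expired on $($cert.NotAfter)") }
    if (-not $cert.HasPrivateKey)    { $findings.Add('OAuth certificate has no private key') }
}

# 2. On-prem Intra-Organization Connector: enabled, HTTPS discovery endpoint, target domains set.
foreach ($ioc in Get-IntraOrganizationConnector) {
    if (-not $ioc.Enabled) { $findings.Add("IOC '$($ioc.Name)' is disabled") }
    if ("$($ioc.DiscoveryEndpoint)" -notmatch '^https://') {
        $findings.Add("IOC '$($ioc.Name)' DiscoveryEndpoint is not HTTPS: $($ioc.DiscoveryEndpoint)")
    }
    if ($ioc.TargetAddressDomains.Count -eq 0) { $findings.Add("IOC '$($ioc.Name)' has no TargetAddressDomains") }
}

# 3. Organization relationship: Autodiscover EPR and application URI must be populated.
foreach ($rel in Get-OrganizationRelationship) {
    if (-not $rel.TargetAutodiscoverEpr) { $findings.Add("OrgRel '$($rel.Name)' has no TargetAutodiscoverEpr") }
    if (-not $rel.TargetApplicationUri)  { $findings.Add("OrgRel '$($rel.Name)' has no TargetApplicationUri") }
}

# 4. EWS external URL must be published over HTTPS (EXO calls it during the EXO -> on-prem test).
foreach ($vd in Get-WebServicesVirtualDirectory -ADPropertiesOnly) {
    if ("$($vd.ExternalUrl)" -notmatch '^https://') {
        $findings.Add("EWS vdir '$($vd.Identity)' ExternalUrl is missing or not HTTPS")
    }
}

if ($findings.Count -eq 0) { Write-Host 'Local configuration checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# 5. On-prem -> EXO OAuth test; a ResultType of 'Error' plus Detail shows the HTTP status (e.g. 403).
Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox $TestMailbox | Format-List Task, ResultType, Detail
```

    The EXO-to-on-prem direction has to be checked from Exchange Online PowerShell, where the same Get-IntraOrganizationConnector cmdlet shows the DiscoveryEndpoint that must resolve to the externally published on-prem Autodiscover URL.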
