Forum Discussion
401 Unauthorized when accessing /messages api using client credentials grant flow
I have a mailbox in an on-prem Exchange server (which is in hybrid mode), abc@onprem.com, and I am trying to access this via the Graph API (/messages). This works perfectly if I do this in Graph Explorer, but fails when I do it via Postman.
The required application permission is granted in the Azure app registration portal. The implementation/Postman uses grant_type client_credentials with a certificate, and this works perfectly for cloud users.
Response of the API:
```json
{ "error": { "innerError": { "date": "2019-02-28T14:17:45", "request-id": "6a85f8c3-4e13-4cf0-84b2-ddc934241afd" }, "message": "", "code": "UnknownError" } }
```
IIS Logs
I added some headers like WWW-Authenticate to the logging and found the error below in the IIS log for on-prem.
```
2019-03-04 04:05:13 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages &CorrelationID=;&cafeReqId=2823c302-3c84-4847-b586-accced4b6dd5; 443 - 20.190.145.177 PostmanRuntime/7.6.0 - 401 0 0 332 Bearer+eyJ0 blah blah.....blah blah.....hSd mail.onprem.com - - - Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+token_types="app_asserted_user_v1+service_asserted_app_v1",+authorization_uri="https://login.windows.net/common/oauth2/authorize",+error="invalid_token" 2000001;reason="This+token+profile+'V1S2SAppOnly'+is+not+applicable+for+the+current+protocol.";error_category="invalid_token"
```
- What would be the reason for this authentication failure?
- Is there something wrong with the client credentials grant flow (in Graph Explorer, as we sign in and do the query, the auth flow might not be client credentials)? For Graph Explorer calls I see a cs-username like `S-1-5-21-1392771109-4043059535-3934338706-1147` in the IIS log, which doesn't appear for Postman calls.
- We are using a self-signed certificate on the Exchange server; can this lead to this issue? If so, I wonder how everything is working from Graph Explorer.
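To turn the two trailing fields of that IIS log line into something a responder can act on, here is an added Python example (not from the original post) that undoes the IIS `+` spacing, parses the Bearer challenge and the diagnostics string, and pulls out the token types the endpoint accepts versus the token profile it rejected. It assumes the text after `error="invalid_token"` was logged as a separate header field, since a bare space separates it from the challenge.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the two trailing fields of the IIS log line quoted in
# the question. IIS W3C logs write spaces inside a field as '+', so both
# fields are decoded with unquote_plus before parsing.
SAMPLE_CHALLENGE = (
    'Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",'
    '+token_types="app_asserted_user_v1+service_asserted_app_v1",'
    '+authorization_uri="https://login.windows.net/common/oauth2/authorize",'
    '+error="invalid_token"'
)
SAMPLE_DIAGNOSTICS = (
    '2000001;reason="This+token+profile+\'V1S2SAppOnly\'+is+not+applicable'
    '+for+the+current+protocol.";error_category="invalid_token"'
)

_PARAM = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in either field


def parse_challenge(field: str) -> dict:
    """Parse a logged Bearer challenge (RFC 6750 style) into a dict.
    'token_types' becomes a list so each accepted type can be checked."""
    decoded = unquote_plus(field)
    scheme, _, params = decoded.partition(" ")
    out = {"scheme": scheme}
    out.update(_PARAM.findall(params))
    out["token_types"] = out.get("token_types", "").split()
    return out


def parse_diagnostics(field: str) -> dict:
    """Parse '<code>;reason="...";error_category="..."' into a dict and
    extract the token profile name quoted inside the reason text, if any."""
    decoded = unquote_plus(field)
    code, _, rest = decoded.partition(";")
    out = {"code": code}
    out.update(_PARAM.findall(rest))
    m = re.search(r"token profile '([^']+)'", out.get("reason", ""))
    out["presented_profile"] = m.group(1) if m else None
    return out


def summarize(challenge: str, diagnostics: str) -> dict:
    """Collect the facts a responder wants from both fields in one place."""
    ch, dg = parse_challenge(challenge), parse_diagnostics(diagnostics)
    return {
        "error": ch.get("error"),
        "accepted_token_types": ch["token_types"],
        "presented_profile": dg["presented_profile"],
        "reason": dg.get("reason"),
        "diag_code": dg["code"],
    }
```

Run `summarize(SAMPLE_CHALLENGE, SAMPLE_DIAGNOSTICS)` to see that the rejected profile (`V1S2SAppOnly`) is not one of the two token types the challenge advertises, which is the mismatch the 401 is reporting.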
2 Replies
Karthik_Hebbar I have found the resolution; please see the following blog post if it helps: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/
Karthik_Hebbar We are struggling with exactly the same. What I thought we could do was to use delegation (using the resource owner grant).
I am going to take a look into Exchange's binaries to see if I can figure out what needs to be done. What I found so far is that when you look at Get-PartnerApplications, Graph is registered, but it doesn't have any AppOnlyPermissions set, which could be the issue (but as per the docs it is an internal field only for MS...).