Configure rich document collaboration using Exchange Server 2016, Office Online Server (OOS) and SharePoint Server 2016

Published Nov 03 2016 09:31 AM


Update 11/27/2018: A few more updates to the article.

This post explains the configuration steps needed to get rich document collaboration working between Exchange Server 2016, SharePoint Server 2016, and Office Online Server, in your On-Premises environment.

Please use this link if you’re looking for configuration steps for Exchange Server 2016 On-Premises and SharePoint Online


When used together, Exchange Server 2016, SharePoint Server 2016, and Office Online Server provide a rich set of document collaboration features. For example, rather than directly attaching a document to an e-mail message, you may now send a link to the document stored in OneDrive for Business (ODB). Outlook and Outlook on the Web (the new name for OWA) will still display the file as if it was directly attached to the message like a classic attachment would be, and will allow people to work with the file like they would with a classic attachment. Additionally, many people will be able to read and edit the same file at the same time while it is stored in OneDrive for Business (ODB). You can see a short demo of what this collaboration can look like right here.


The solution requires you have the following set up On-Premises:


The basic setup for these rich document collaboration features involves configuring OneDrive for Business (ODB) in the SharePoint 2016 farm and establishing a server-to-server trust (also referred to as S2S or OAuth) between SharePoint Server 2016 and Exchange Server 2016. Once completed, users will have the ability to attach ODB-based documents to email messages. Installing and configuring Office Online Server will introduce the additional capability of device-independent side-by-side viewing as well as edit & reply functionality in Outlook on the Web.

Note that editing documents is a premium feature of OOS and requires appropriate licenses!

Office Online Server

Install OOS and create a new OOS farm. Make sure the farm URL is accessible from the Internet if you want users to be able to view and possibly edit documents via Outlook on the Web from outside of the corporate network.

Example: For an OOS farm that is going to use the same internal and external FQDN, with editing enabled:

New-OfficeWebAppsFarm -InternalURL "<OOS farm URL>" -ExternalURL "<OOS farm URL>" -CertificateName "Unified Certificate" -EditingEnabled

For an OOS farm that is going to use different internal and external FQDNs, with editing enabled:

New-OfficeWebAppsFarm -InternalURL "<internal OOS farm URL>" -ExternalURL "<external OOS farm URL>" -CertificateName "Unified Certificate" -EditingEnabled

SharePoint Server 2016

In order to leverage the OneDrive for Business-based attachments on-premises, users must have a OneDrive for Business site hosted by SharePoint Server 2016 on-premises.

Follow steps from here, if the MySite Host (which gives you OneDrive for Business) is not already configured.

Additionally, to enable integration of Office Online Server for document previewing and online editing, WOPI bindings must be created in the SharePoint farm.

  • WOPI Bindings – WOPI bindings (or Web Application Open Platform Interface bindings) define related applications and available actions for a file extension. The New-SPWOPIBinding cmdlet is used to create these bindings between OOS and SharePoint. As with the other configurations, HTTPS is encouraged for production use, but non-production environments can be configured to communicate without SSL/TLS security by including the -AllowHTTP switch on the cmdlet: New-SPWOPIBinding -ServerName "<OOS server name>"
  • S2S/OAuth Trust and Service Permissions – SharePoint Server provides a set of commands to configure server-to-server authentication, create App Principals and configure the correct permissions that are needed to make this level of collaboration real.

The commands can be put together in a script to make life easy. A sample script for performing this configuration is provided as an attachment to this blog post. Usage:

  • Download the script
  • Save this script as a .ps1 file on your SharePoint Server 2016, for example ‘Config-SPSOAuth.ps1’.
  • Open the SharePoint Management Shell and execute the script.
  • The script will prompt for:
    • An ExchangeServer URL - the hostname provided to access Exchange Server 2016.
    • A SharePoint MySite Host - URL of the SharePoint website hosting the MySite collection.


.\Config-SPSOAuth.ps1 -ExchangeServer "<Exchange Server URL>" -MySiteHostUrl "<SharePoint MySite Host URL>"
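The following check is an added example, not part of the original post or of the Config-SPSOAuth.ps1 script. It audits the SharePoint side for the non-production HTTP settings mentioned above (WOPI zone, OAuth over HTTP, token issuer metadata); the function name Get-SPCollabTransportFindings is hypothetical.

```powershell
# Added example: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPCollabTransportFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # The WOPI zone decides which OOS URLs SharePoint hands out
    # (internal-https, internal-http, external-https or external-http).
    $zone = Get-SPWOPIZone
    if ($zone -notlike '*-https') {
        $findings.Add("WOPI zone is '$zone': OOS traffic is not using HTTPS.")
    }

    # Test farms built with -AllowHTTP commonly also allow OAuth over HTTP,
    # which lets S2S access tokens travel in clear text.
    if ((Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp) {
        $findings.Add('AllowOAuthOverHttp is True on the security token service.')
    }

    # No bindings at all means New-SPWOPIBinding never completed.
    $bindings = @(Get-SPWOPIBinding)
    if ($bindings.Count -eq 0) {
        $findings.Add('No WOPI bindings found; run New-SPWOPIBinding first.')
    }

    # Trusted token issuers (the S2S trust) should publish metadata over HTTPS.
    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        if (-not $issuer.MetadataEndPoint) { continue }
        $endpoint = [uri]"$($issuer.MetadataEndPoint)"
        if (-not ($endpoint.IsAbsoluteUri -and $endpoint.Scheme -eq 'https')) {
            $findings.Add("Token issuer '$($issuer.Name)' metadata is not HTTPS: $endpoint")
        }
    }

    # One summary row per OOS server and zone, for a quick visual check.
    $bindings | Group-Object ServerName, WopiZone |
        Select-Object Count, Name | Format-Table -AutoSize | Out-Host

    return $findings
}

Get-SPCollabTransportFindings
```

An empty result means none of the HTTP fallbacks are active on this farm.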

Exchange Server 2016

The user’s mailbox must be hosted on an Exchange Server 2016 server on-premises to enable the document collaboration functionality. There are a few settings to configure on Exchange Server to enable the full experience.

  • OOS Endpoint - Configuring the OOS Endpoint in Exchange enables preview options for file attachments, as well as the edit and reply functionality. The OOS endpoint can be set in two locations - the Organization level, and at the Mailbox Server level. The Organization level is used to enable a global configuration for all servers with a single setting. This is useful for a single server, or single location deployment. It also serves as a fallback/failsafe when the endpoint configured at the mailbox server level is unavailable. The Mailbox Server level allows administrators to distribute client requests to multiple OOS servers. This can be done to balance load, or when building geographically dispersed deployments.

Set-OrganizationConfig -WacDiscoveryEndpoint "<OOS discovery endpoint URL>"
Set-MailboxServer "<mailbox server name>" -WacDiscoveryEndpoint "<OOS discovery endpoint URL>"

If you have Exchange 2013 servers in your organization, do not configure an OOS endpoint at the organization level. Doing so will direct Exchange 2013 servers to use OOS, which is not supported.
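The audit below is an added example, not code from the original post. It reads back the OOS endpoint at both levels and flags the unsupported combination described above (an organization-level endpoint while Exchange 2013 servers are present), along with endpoints that are missing or not HTTPS; the function names are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell.
function Test-IsHttpsUrl([string]$Url) {
    $uri = [uri]$Url
    return ($uri.IsAbsoluteUri -and $uri.Scheme -eq 'https')
}

function Get-OosEndpointFindings {
    $findings = New-Object System.Collections.Generic.List[string]
    $orgEndpoint = "$((Get-OrganizationConfig).WacDiscoveryEndpoint)"

    # Exchange 2013 reports version 15.0; Exchange 2016 reports 15.1.
    $is2013 = { "$($_.AdminDisplayVersion)" -like 'Version 15.0*' }
    $ex2013 = @(Get-ExchangeServer | Where-Object $is2013)

    if ($orgEndpoint -and $ex2013.Count -gt 0) {
        $names = ($ex2013 | ForEach-Object { $_.Name }) -join ', '
        $findings.Add("Organization-level endpoint is set while Exchange 2013 servers exist: $names")
    }
    if ($orgEndpoint -and -not (Test-IsHttpsUrl $orgEndpoint)) {
        $findings.Add("Organization-level endpoint is not HTTPS: $orgEndpoint")
    }

    # Per-server endpoints; Exchange 2013 mailbox servers are skipped.
    foreach ($server in (Get-MailboxServer | Where-Object { -not (& $is2013) })) {
        $endpoint = "$($server.WacDiscoveryEndpoint)"
        if (-not $endpoint -and -not $orgEndpoint) {
            $findings.Add("$($server.Name): no endpoint at server or organization level.")
        } elseif ($endpoint -and -not (Test-IsHttpsUrl $endpoint)) {
            $findings.Add("$($server.Name): endpoint is not HTTPS: $endpoint")
        }
    }
    return $findings
}

Get-OosEndpointFindings
```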

  • My Site Host URL - Exchange must know the My Site Host URL to enable ODB-based attachments. This can be set in two locations: the OWA Virtual Directory, and through an OWA Mailbox Policy. The preferred approach to setting the My Site Host URL is through an OWA Mailbox Policy. It is recommended for all environment configurations, but it is a requirement when running an Exchange environment with a mixture of Exchange 2016 and Exchange 2013 servers. Mailbox policies allow features to be enabled selectively for users or groups. Each organization will have at least a Default policy which can be assigned to all users. Additional policies can be created using the New-OWAMailboxPolicy cmdlet. The OWA Virtual Directory can only be used to set the My Site Host URL when Exchange 2016 is the only version of Exchange that frontends client access traffic.

Example 1: Creating new policy for My Site host access:

New-OwaMailboxPolicy -Name ODBPolicy
Set-OwaMailboxPolicy -Identity ODBPolicy -InternalSPMySiteHostURL "<internal My Site Host URL>" -ExternalSPMySiteHostURL "<external My Site Host URL>"

Finally, assign the policy to mailboxes:

Set-CASMailbox "<mailbox identity>" -OwaMailboxPolicy ODBPolicy

Example 2: In this example, only users connecting to the server ‘Exch’ need to be enabled for document collaboration:

Get-OwaVirtualDirectory -Server Exch -ADPropertiesOnly | Set-OwaVirtualDirectory -InternalSPMySiteHostURL "<internal My Site Host URL>" -ExternalSPMySiteHostURL "<external My Site Host URL>"

This configuration is useful in scenarios where only specific servers are going to frontend the Outlook on the Web traffic.

  • S2S/OAuth Trust and Service Permissions - Enable secure communication between the SharePoint 2016 and Exchange 2016 servers. Production environments should have traffic to both Exchange and SharePoint encrypted by HTTPS. Additionally, neither server should receive a certificate error when communicating with the other or else the integration will fail. The half of the trust configured on Exchange is configured via a script included with the Exchange 2016 installation binaries. The script can be found in the scripts directory, which is by default found at “C:\Program Files\Microsoft\Exchange Server\V15\scripts” (your installation path may vary based on your installation choices). This location is referenced by the $ExScripts variable within the Exchange Management Console.

& $ExScripts\Configure-EnterprisePartnerApplication.ps1 -ApplicationType Sharepoint -AuthMetadataUrl "<SharePoint auth metadata URL>"
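Because the integration fails if either server gets a certificate error from the other, a pre-flight TLS check is useful before running the trust scripts. This is an added example, not part of the original post; Test-TlsEndpoint is a hypothetical name and the example.test URLs are placeholders for your own Exchange, SharePoint and OOS host names.

```powershell
# Added example: run on the Exchange server against SharePoint and OOS, then on
# the SharePoint server against Exchange and OOS (trust stores are per machine).
function Test-TlsEndpoint {
    param([Parameter(Mandatory)][uri]$Url)

    if (-not ($Url.IsAbsoluteUri -and $Url.Scheme -eq 'https')) {
        return [pscustomobject]@{ Url = "$Url"; Trusted = $false; Detail = 'not an HTTPS URL' }
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Url.Host, $Url.Port)
        # No custom validation callback: the default policy rejects untrusted
        # chains, expired certificates and host name mismatches.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Url.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Url     = "$Url"
            Trusted = $true
            Detail  = "subject=$($cert.Subject); expires=$($cert.NotAfter.ToString('u'))"
        }
    } catch {
        # Typical failure text: "The remote certificate is invalid according
        # to the validation procedure."
        [pscustomobject]@{ Url = "$Url"; Trusted = $false; Detail = $_.Exception.GetBaseException().Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder host names; replace with the URLs used in the cmdlets above.
'https://mail.example.test', 'https://mysite.example.test', 'https://oos.example.test' |
    ForEach-Object { Test-TlsEndpoint -Url $_ } | Format-Table -AutoSize -Wrap
```

Any row with Trusted set to False needs to be resolved on that machine before configuring the S2S trust.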

Outlook support

Outlook for Windows desktop fully supports ODB attachments in a fully On-Premises environment.
The following are the version and license requirements for the feature to work in the Outlook for Windows desktop client:
  1. Office 365 version 1704 (Build 8067.2115) and above
  2. Office 2019 with perpetual license
And a few additional considerations:
  1. The SharePoint My Site host must be added as local intranet/trusted in the browser settings of the client computer
  2. The Outlook for Windows desktop client must be part of the Active Directory domain that hosts the Exchange and SharePoint servers


For On-Premises deployments, only internal recipients (mailboxes) that are present in the same organization as the sender can be granted permissions on the OneDrive for Business document. The sender is informed via a separate email if the automatic permission process fails. This means you cannot send ODB attachments to users outside of your on-premises organization.

OneDrive for Business must be provisioned and initialized (the user has logged in at least once) for both the sender and the recipient. Without both the sender and recipient being provisioned and initialized, the side-by-side document preview will not work for the recipient.

I wanted to thank Neil Hodgkinson, Jon Frick, Brian Day and Jason Haak for their help in putting this together!

Bhalchandra Atre

Not applicable
You didn't mention whether this setup requires a hybrid configuration of SP on-prem with OD4B. If so, then how?

Why do I need to use OD4B if I have both SP and Exchange 2016 on-prem? What is the point of using OD4B in Office 365?

I am unable to find information on how to set up an OOS farm. How can I dedicate a few servers for Word editing, a few for PowerPoint and some servers for Excel? How do I do that?

Not applicable
The article refers by ODB to the on-prem (=My Sites) functionality and not to OD4B from O365! This is stated at the beginning with a link to the other hybrid option.

OOS farm setup is described in the OOS deployment manual here:

Look for the section "Deploy a multi-server, load-balanced Office Online Server farm that uses HTTPS".

AFAIK there is no support to dedicate OOS farms for specific applications.

Not applicable

As pointed out in first few lines, the post explains how to configure the feature in a pure On-Premises scenario.

We already have another blog post for hybrid scenario (

Please check out OOS documentation for details @ OOS related queries (

Not applicable
I posted a video a while ago: OOS with Exchange 2016 without SP and OD4B.

Not applicable
Without support in desktop Outlook this is not usable on-prem, is there a commitment and estimated time frame to fix that?

Does this work with any SharePoint hosted document or only with those from My Sites?

Not applicable
Outlook desktop support is expected in future. Outlook on the web (aka OWA) allows you to select the documents from My Sites.

Occasional Visitor

We have all on-premises Exchange 2019 mailboxes, Sharepoint 2016 with ODB on MySite running, Skype for Business 2019, and OOS 2016 for document rendering.

- OOS integration for Exchange 2019, SharePoint 2016 and Skype for Business is running normally.

- S2S integration between Exchange 2019 and Skype for Business is also running normally.

- All communication is via HTTPs with commercial SSL certificates.


However, we are quite stumped in completing this article's objective of having attachment link from within OWA to the on-premise's ODB.

Maybe somebody could shed some light on possible steps we missed?


1. SharePoint 2016->Exchange 2019 S2S configuration was completed using the Config-SPSOAuth.ps1 script (apparently the script requires SharePoint's App Management shared service to be installed beforehand)

2. Exchange 2019 -> SharePoint 2016 S2S was also done via Configure-EnterprisePartnerApplication.ps1 -ApplicationType Sharepoint script.

3. Created & applied a OWAMailboxPolicy to a test mailbox on Exchange 2019 & restarted the OWA App Pool.


After all the above, clicking the Attach link in OWA always opens the legacy Open window and we are still not able to display the OneDrive integration attachment choice as described.

Last update: Apr 17 2020 11:15 AM