Configuring Teams calendar access for Exchange on-premises mailboxes

@João Loureiro yeah got it now. We use KEMP so I have made the necessary changes in there and now it is available externally but still hasn't solved by problem :( Back to the drawing board.

@João Loureiro Working now :) 

Maybe someone has a hint,

our calendar was working fine, but because of Hafnium we want to disable direct access to our Exchange, but want to keep the calendar working.

Our Hybrid Setup was fully working, until we disable access to our exchange which is logical.

Is there any list of IPs O365 ist using so we can whitelist them because the article says clearly autodiscover has to be reachable but we won´t it to be reachable for everyone.

regards

@bfrohnh , here it is:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... 
https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls... 

@bfrohnh - @Mirela_Buru has provided the links requested above.

Keep in mind that you need to allow both the 'Exchange Online ' required to allow Hybrid to continue working and the 'Skype for Business Online and Microsoft Teams' to allow access to Exchange EWS from the Teams Scheduling middle-tier service. 

We have an issue with creating a meeting on behalf of via the Teams AddIn for on-premises mailboxes for a specific domain. With domain1.com as delegator there are no problems, only with domain2.com as delegator...

Calendar is displayed in Teams without problems, meetings for own mailbox are possible, FreeBusy works. The (new) test at https://testconnectivity.microsoft.com/tests/TeamsMeetingDelegation/input shows no problems until the last check: „a task was canceled“

Does anyone have a hint?

@bfrohnh were you able to get the calendar to work after you made these changes? We are running into a similar issues where the calendar will load for some and others it wont and they get this message when loading the calendar in the browser. 

Your calendar needs setting up

Ask your admin to connect your Exchange calendar to Teams.

It works for most users, but any new user and some random users get this error. We cannot figure out where the problem is. Have a support case open with MS for the last 2 months and they are no help at all.

Well, I've been trying to configure this feature for two days now. A nightmare. Everything is in this 30 page document with all the tests. The calendar in Teams appeared then suddenly not. Whaoou..... more than 12 hours troubleshooting in all directions with a MS support that does not give any news.

https://workingtogether.fun/2021/06/04/teams-calendar-and-exchange-on-premise-troubleshooting/

Yes we were able to get this working again after adding the regarding IPs and also allow connections from other countries (we blocked this in the Firewall)

in my labs everyone  in the world can access to my webservices. 

I am implementing an Exchange 2016 hybrid install / sync at this moment. Where I have paused is at the Minimal vs Full hybrid configuration selection. Our exchange is onprem. We are using Teams but currently don't have availability to access the calendar from Teams. That is a known issue and one that is solved by upgrading to a hybrid exchange install with our O365 environment. The owners do NOT want user mailboxes in the cloud. Not a problem. I read your article and noted that in order to allow calendars to work in Teams the only optionwas to perform the "Full Hybrid Configuration" and that a "Minimal Hybrid Configuration" does NOT have the features / functionality required for Teams to work properly.

Is that still the case?

We were able to resolve our issue, it was a problem on the Firewall. Once we fixed that, the calendar loaded for everyone again.

@Gregrwoodway - Full Hybrid is required to support Teams calendar access for on-prem mailbox. Full Hybrid creates the OAUTH partnerships required as a pre-req + the OAUTH parternship needed for the teams/skype middle-tier service. 

After writing the email above I got part way through the Hybrid Agent Setup. The Hybrid Agent installed & registered but I was unable to complete the install. I didn't have all the answers.

Now when I run the Hybrid Agent Setup I get an error on "Register Hybrid Agent"

If I review the logs I have the following error where there appears to be and internal error or duplicate. See error portion of my logs:

(I changed the domain to BlahBlah for security)

2021.06.24 20:23:50.185 10332 [Client=UX, fn=SendAsync, Thread=18] START PATCH https://graph.microsoft.com/edu/25e5a73f-8387-4c3f-a418-5e81ebb89b8c/applications/941fe306-841e-46e6... {"onPremisesPublishing":{"applicationServerTimeout":"Default","applicationType":"microsoftapp","externalAuthenticationType":"passthru","externalUrl":"https://941fe306-841e-46e6-ae92-c19d824dd36e.resource.mailboxmigration.his.msappproxy.net:443/","internalUrl":"https://mail.BlahBlah.com:443/","isOnPremPublishingEnabled":true,"isTranslateHostHeaderEnabled":false,"isTranslateLinksInBodyEnabled":false,"singleSignOnSettings":null,"verifiedCustomDomainCertificatesMetadata":null,"verifiedCustomDomainKeyCredential":null,"verifiedCustomDomainPasswordCredential":null}}
2021.06.24 20:23:50.679 10333 [Client=UX, fn=SendAsync, Thread=18] FINISH Time=494.1ms Results=BadRequest {"error":{"code":"InternalUrl_Duplicate","message":"Internal url 'https://mail.BlahBlah.com/' is invalid since it is already in use","innerError":{"date":"2021-06-24T20:23:50","request-id":"0c5dbade-4209-4951-a74b-ad55de6f2050","client-request-id":"0c5dbade-4209-4951-a74b-ad55de6f2050"}}}

C:\Windows\system32>Get-autodiscovervirtualdirectory -server ex-2016-vm | fl name, *url*

Name : Autodiscover (Default Web Site)
InternalUrl :
ExternalUrl : https://mail.BlahBlah.com/Autodiscover/Autodiscover.xml

This is how the external autodiscovery is set. Does there need to be an internal and that is why I'm failing?

On all other virtual directories there is an internal set to mail.blahblah.com

Before announcing features, it is necessary to verify that they work properly and especially to document them!

After spending more than 3 days troubleshooting the calendar problems I realized that the presence of an Exchange 2010 server was not desirable.
Microsoft teams would have more simply stipulated it in the prerequisites!
I was then able to make the calendarApp work for one user and no way to make it work for the other users!

https://workingtogether.fun/2021/06/04/teams-calendar-and-exchange-on-premise-troubleshooting/

I'm on my second open incident with the support, more than 5 days of troobleshooting and no progress. In the Teams client logs I have not found any relevant information.
Support doesn't know and escalates my ticket. Great function calendarApp!

Hello customer! The functionality that we promised you works .... from time to time. but we don't really know why! and Microsoft is looking for it... here we are after more than a week!

Regards

Hi @laurent Teruin 

These prerequisites are documented at Troubleshoot Microsoft Teams and Exchange Server interaction issues - Microsoft Teams | Microsoft Do... and How Exchange and Microsoft Teams interact - Microsoft Teams | Microsoft Docs. You may also use recently release 'Teams Presence Based on Calendar diagnostics' test available at Microsoft Remote Connectivity Analyzer that helps isolating root cause issue:

Best regards,
João

HI João 

Thanks for your reply, but I know these articles by heart. All requirements has been double checked during last week. Now we are in a dead end. let see what the Microsoft support will find.  Im curious really.

regards

Laurent 

@Gregrwoodway , a few things here:
1. For Teams calendar app in Hybrid, we recommend Classic Hybrid Config not Modern (Hybrid Agent)

2. The error in Hybrid Agent registration is when you have another Enterprise App or Hybrid App published with the same url. If we are talking about Hybrid Agent app, one way to fix this: if you have the previous HCW logs in user's %appdata%, there is a CC file, retrieve the previous ConnectorApplicationName from there and set it in the current CC file Connector Application Name (backup the file before doing it). More info on HCW logs here: https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-hcw-hybrid-agent-troubleshooting-li... 

3. Usually you don't need to set anything in Internal/External URLs for Autodiscover Virtual Directory. It is all DNS queries, so as long as you have your public DNS records fine and Autod V2 redirecting properly, Teams should be OK with Exchange Autodiscover.

@Deleted - Part of the issue is MS has a number of anonymous calls built into EWS and Autodiscover to find the correct endpoint URL for a specific mailbox. When running mailbox migrations pre-auth will cause failed move events.

I have a number I have large enterprise customers who have been frustrated with this same issue (not supporting pre-auth) and we were able to get approval to publish by limiting inbound connections to Exchange & Teams IP blocks. 

With F5 ASM modules you also need to make sure you enable learning mode while starting to prep mailbox migrations as a number of move processes can be incorrectly blocked and labeled as SQL injections or 400/500 error responses.

Hello
Some may say I'm a bit stubborn, some may say I'm oblivious, but from now on I have to run #Teams Calendar Tab in a real production environment and not in a lab environment.  As I know it's going to be a long troubleshooting adventure (getting it to work in a lab environment cost me 5 weeks) I decided to do this as a mini-serie.
The first season episode 1 is here  : https://unifiedit.wordpress.com/2021/09/14/team-calendar-tab-episode-1/

regards

Laurent TERUIN

Why is it that MS made Teams so tedious to integrate with on-prem solutions, for calendar sharing?

As i read it, to make this integration work, i would need a O365 license per user. I'm a little confused here. What i make out of it is that i might as well ditch on-prem if i am going to pay for multiple 365 licenses, while i also pay for my on-prem license. Really looks like a money-grab to me.

I hope i have misunderstood how this whole thing is intended.

@boutzamat - My understanding of the license requirements is all users must be licensed for Teams and their identity needs to be synced via Azure AD Connect to O365 to support on prem integration. 

Microsoft does require an Exchange Online license where compliance/retention requirements come into play for Teams 1:1 Chat data as this is stored in an online mailbox created per user (commonly called a shadow mailbox). If you end up migrated on prem to O365 the contents of this shadow mailbox are merged into the inbound mailbox.  

All of my customers that are deploying Teams Calendar integration are on an E3/E5 license so there is no cost to enable these services or move mailboxes to O365, it's purely a business decision on where they want to host mail. I have only deployed calendar integration for on-prem Exchange as a coexistence/interop while migrating mailboxes to O365. 

Hello,

this is a great post and it helped me a lot with getting our Exchange on premise users' calendars into Teams. But I wonder what about room and other resources accounts. If I sync a resource AD accounts of a room to Azure AD, it gets synchronized correctly. But since it does not require a license for Exchange online (and the license for it is removed in O365 admin), the Exchange online still creates a mailbox for it. Eventhough the AD account has its MsExchMailboxGuid filled. And now two mailboxes exists in Exchange online and Exchange on premise. We would like the Teams to use the on premise calendar of the room but it keeps using the online one.

If I run

Invoke-RestMethod -Uri "https://outlook.office365.com/autodiscover/autodiscover.json?Email=email address removed for privacy reasons&Protocol=EWS&RedirectCount=5" -UserAgent Teams

it returns

https://outlook.office365.com/EWS/Exchange.asmx

Which is wrong because it should be our on premise URL.

Does anyone know how to solve this?

Regards

Petrolej

Hello @petrolej. 
I think there is something missing in your ADSync-Setup.  als OnPmreises UserMailbox, RoomMailbox, Ressourcemailbox should be a "MailUser" in Exchange Online and never have a mailbox. It can happen, if you do the provisioning wrong like: 
1. Create Useraddount
2. let ADSync replicate it

3. assing an Exchange Online Plan (get a Cloud mailbox)

4. Enable-Mailbox on the OnPrem Server. 
This results in duplicated accounts. but if you
1. Create a disabled User in the AD AND do an "Enable-Mailbox -room",  (or start with "new-Mailbox -room")

2. Let ADSync replicate

Then you should have a disabled AzureADUser with is an exchange online "Mailuser" with RecipietnType "Room"

So check, if your ADSync is really synchronizing all Exchange Properties.  Maybe you have to use the ADSync Setup Wizard and so an "update schema", if Exchange was installed after ADSync.  Or someone has enabled Filtering on Products in ADSync 

Frank, thank you so much for your reply.

You confirmed my suspicious that the cause is probably in the on premise Exchange. I was trying to enable the  room account with the command "Enable-Mailbox babeta -room" but that threw an error:

Enable-Mailbox : This task does not support recipients of this type. The specified recipient babeta is of type UserMailbox. Please make sure that this recipient matc
hes the required recipient type for this task.

Also I tried to enable it with command "Set-Mailbox babeta -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String 'pass' -AsPlainText -Force)" which resulted in an error:

Set-Mailbox : You don't have permission to directly change a mailbox account password without providing old password. Reset Password role is required for directly changing password.

But I do have the Reset Password role assigned to the use under which I run the command.

So, yes, I think this condition of the account is not OK:

Get-Mailbox babeta | fl IsMailboxEnabled,RoomMailboxAccountEnabled,AccountDisabled,ExchangeUserAccountControl,accountdisabled

IsMailboxEnabled : True
RoomMailboxAccountEnabled : False
AccountDisabled : True
ExchangeUserAccountControl : AccountDisabled
AccountDisabled : True

It shoudl be like this (a new account which I created directly with "-EnableRoomMailboxAccount $true"):

Get-Mailbox jawa | fl IsMailboxEnabled,RoomMailboxAccountEnabled,AccountDisabled,ExchangeUserAccountControl,accountdisabledIsMailboxEnabled : True
RoomMailboxAccountEnabled : True
AccountDisabled : False
ExchangeUserAccountControl : None
AccountDisabled : False

But I am not able to change the existing account.

Petr

@petrolej you are doing wrong steps.

Currently your mailbox is a user mailbox. You cant run "enable-mailbox" on exisiting mailbox. If you want to change this mailbox into room type, you need to use different cmdlet, described here: https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/convert-mailboxes?view=exchserv...

parameter "roommaibloxaccountenabled" is only to enable such account in AD (as resource mailbox accounts are created disabled by default).

Hello,

but the account is of the type Room. Look this:

Get-Mailbox triumph | fl ResourceType,RecipientType,RecipientTypeDetails,IsResource

ResourceType : Room
RecipientType : UserMailbox
RecipientTypeDetails : RoomMailbox

IsResource : True

Best regards

Petr

@petrolej I think we cannot fix that current situation without finding the root cause. the normal process with Exchange Hybrid and Rooms is:
Create the Room on the OnPremises AD using one of the two options:

- Create OnPremRoom with "New-Mailbox -room" or enable an existing AD User with "enable-mailbox room"

OR

- Create OnlineRoom with "New-RemoteMailbox -room" or enable an existing AD User with "enable-Remotemailbox room"

And then let ADSync do its job. You should only grant an exchange online license if the room is an enabled Account.
If the Room wil be  a "teams Room System", then your should NOT use a E1/e3/e5 License, Use a Teams Room System Basic/Premium for the room

Maybe you migt start with a new room for testing and see, how it work.
Or you can "reset" the existing Room by exculde it from ADSync (by an existing filter),  purge the AzureAD Dumpster and resync it.

If that does not help, then you should look for a professional Service (mircrosoft or 3rd party) to assist you.

Hello,

I have finally made it working. I tried with a new room account and then to change it with "enable-mailbox room" but the same error happened. Then I found out somewhere that a command "Get-Mailbox room_alias | Set-Mailbox" could help and in deed, it helped. So something was not syncing somewhere (very vague specification, I know) and this command forced it. You can tell that this command did something when the output of the command is nothing. If you run it again it says "WARNING: The command completed successfully but no settings of 'account_name' have been modified." So obviously the previous run of the command did something. Sorry, I do not know what exactly.

After this I resynced the AzureAD and truly the online account was not enabled in Exchange online so when I logged with it into Teams it showed the on premise calendar of the room.

I do not know what is the exact cause but maybe it helps somebody.

Thank you for your help, it put me into the right direction.

Petr

Is there a way for Teams to use a different address for Autodiscover other than autodiscover.contoso.com, such as hybridmail.contoso.com? Alternatively, can Autodiscover be bypassed, and the EWS address provided directly to Teams?

In this specific case, the actual addresses autodiscover.contoso.com and mail.contoso.com should not be published, not even for EXO/Teams IP ranges. Only the hybrid server with hybridmail.contoso.com should be published.

@johndfe36540 you can try to use CNAME for autodiscover in the format of autodiscover.contoso.com CNAME to hybrid.contoso.com. Published service will be VIA 'hybrid' , and autodiscover service will point to that on DNS, if not via cname you can also try with SRV record to point to hybrid namespace as well

@BNalepa
In this case, unfortunately, not an option. There is already a public autodiscover.contoso.com DNS record, which must remain as it is. Even if I would enable this record for EXO/Teams IP ranges, it would point me to mail.contoso.com and not as desired to hybridmail.contoso.com.
I was looking for a way similar to Organization Relationship where I can manually adjust "TargetAutodiscoverEpr" and "TargetSharingEpr", but unfortunately for teams there doesn't seem to be a settings option for this.

We are having issues with our Oauth setup.

We don't use classic full hybrid yet but we want to enable calendar entergration from on-prem to Teams.

Multiple people and experienced people fromMS have not found the solution and premium support doesn't know the answer as well. This have been goin on for 3 months now and no one seems to know the issue and where to troubleshoot. Is it a f5 issue? exchange server issue? We have tried so many things but no luck.

autodiscover.xxx.com points to hybrid.xxxx.com externally. 

If we test from on-prem to outside it works. If we test from out to inside we cannot get a successful connection. 

In the curl tests we did it somehow returns our internal ip instead of the external ip/dns name like it should. 

We had 2 different occasions where it worked briefly and it returned the correct output but most of the times its broken. No one seems to know why and we are stuck in our migration.

Does someone know where the redirection comes from?  We have an external and internal F5/proxy.

Because when the redirection works the connection returns a success result.

This is the wrong output:

[xxx@xxxx:Active:In Sync] ~ # curl -vk https://10.52.144.30/owa/
* Trying 10.xx.xxx.xx...
* Connected to 10.xx.xxx.xx (10.xx.xxx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=xx; ST=xxxxx; L='xxxxx; O=xxxxxx (xxx); CN=hybrid.xxx.nl
* start date: Oct 18 10:02:13 2023 GMT
* expire date: Oct 18 09:57:00 2024 GMT
* issuer: C=xx; O=xxx Trustlink B.V.; CN=xxx Europe SSL CA G2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xed6280)
> GET /owa/ HTTP/1.1
> Host: 10.xx.xxx.xx
> User-Agent: curl/7.47.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< content-type:text/html; charset=utf-8
< location:https://10.xx.xxx.xx/owa/auth/logon.aspx?url=https%3a%2f%2f10.xx.xxx.xx%2fowa%2f&reason=0
< server:Microsoft-IIS/10.0
< request-id:dbd48089-6001-4bfe-9781-d006f18c2048
< x-owa-version:15.2.1258.27
< x-powered-by:ASP.NET
< x-feserver:SR13009
< date:Tue, 02 Jan 2024 14:45:43 GMT
< content-length:210
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://10.xx.xxx.xx/owa/auth/logon.aspx?url=https%3a%2f%2f10.xx.xxx.xx%2fowa%2f&amp;reason=0">here</a>.</h2>
</body></html>
* Connection #0 to host 10.xx.xxx.xx left intact

This is the correct output that worked briefly for one minute or so:

[xxxx@xxxx:Active:In Sync] / # curl --header 'Host: hybrid.xxx.nl' https://hybrid.xxx.nl/owa

<html><head><title>Object moved</title></head><body>

<h2>Object moved to <a href="https://hybrid.xxx.nl/owa/auth/logon.aspx?url=https%3a%2f%2fhybrid.xxx.nl%2fowa&amp;reason=0">here</a>.</h2>

</body></html>

This is the error message from the analyzer:

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xxx.nl/Autodiscover/Autodiscover.xml for user email address removed for privacy reasons.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
Exception details:
Message: The underlying connection was closed: An unexpected error occurred on a receive.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.M365.RCA.Services.RcaHttpRequest.GetResponse()

Exception details:
Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Type: System.IO.IOException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)

Exception details:
Message: An existing connection was forcibly closed by the remote host
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps

Attempting to locate SRV record _autodiscover._tcp.xxx.nl in DNS.
The Autodiscover SRV record wasn't found in DNS.
 Tell me more about this issue and how to resolve it
Additional Details
No DNS SRV records were found for _autodiscover._tcp.xxx.nl.