Microsoft Teams and on-premises mailboxes: Part 1 – How do Teams and Exchange Server interact?

Published 03-23-2021 08:00 AM

The calendar application is an essential component of Microsoft Teams. This application's task is to display your calendar from the personal mailbox. You access the calendar app directly from the app bar within your Teams client. The following screenshot shows the Microsoft Teams web client as an example.

Calendar.png

 

To display a user's calendar, the Microsoft Teams client requests the calendar information from the Teams Backend Services in Microsoft 365. The Backend Services get the required information from the Exchange mailbox. This access is not a problem for mailboxes hosted in Exchange Online, as Microsoft 365 provides the required access paths and permissions for your tenant.


Your on-premises Exchange Organization must meet specific requirements to provide access for Microsoft Teams. These technical prerequisites bring additional complexity into daily operation and come with their own troubleshooting challenges. As an IT administrator, you need to know the individual components involved and their interaction to handle problems efficiently.


In this first article, I focus on the technical components and the requirements to make local Exchange mailboxes accessible for Microsoft Teams. The following two blog posts show you your options and tools for troubleshooting connectivity issues to on-premises mailboxes.

 

Microsoft Teams (Backend) Services
In contrast to other software clients that access an Exchange mailbox, calendar access in Microsoft Teams is not done by the Teams client itself, but rather by the so-called Teams Middle-Tier, which is part of a set of Teams Backend Services, independently of the client. Client access to other Microsoft 365 services, such as SharePoint Online or OneNote, is done directly.
The following diagram shows how Teams clients access the Teams Backend Services.

backend services.png

 

We only focus on the two components highlighted with a red rectangle, the Teams Services and Exchange. The connection between Teams Backend Services and Exchange is drawn as a simple line in the diagram, but it is precisely this connection that needs your attention to make Microsoft Teams work with on-premises mailboxes.

 

Calendar Access Overview
When a user accesses the calendar app in a Microsoft Teams client, the client queries the calendar information from the Teams Backend Services. The request uses the user's login name (e.g., John.Doe@varunagroup.de), which is supposed to be the primary email address.
Let us assume the user uses John.Doe@varunagroup.de as a login when starting the Teams client.


In the first step, after receiving the calendar request from the Teams client, the Teams Backend Services perform an AutoDiscover V2 query on Exchange Online (1). The Teams Backend Services always query outlook.office365.com first because the services assume that Exchange Online has the necessary information for calendar access to John Doe's mailbox.

Exchange.png

 

Because the mailbox in this example is in an on-premises Exchange organization, Exchange Online replies with an HTTP 302 redirect response. As a result, the Teams Backend Services need to determine the local Exchange organization's endpoints using AutoDiscover V2 independently. The services use the domain part of John Doe's email address for the request, which is varunagroup.de.


In step (2), the Teams Backend Services try to determine the default AutoDiscover endpoint using the DNS name provided in the HTTP 302 response. After successful DNS resolution, the services establish an anonymous AutoDiscover V2 connection using HTTPS. Exchange Server responds to this request with the local Exchange organization's URL information configured as ExternalUrl attributes for the virtual Exchange Server directories.


Authenticated access to the Exchange mailbox only takes place in step (3). The AutoDiscover V2 requests are anonymous for performance reasons. The Teams Backend Services use OAuth authentication when accessing the Exchange Web Services endpoint and reading calendar information. The Backend Services then prepare the calendar information and respond to the Teams client request.


After receiving the Teams Backend Services response, the Teams client displays the calendar app icon for John Doe.
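
The lookup chain in steps (1) and (2), traced as an added example (not code from the article or from Microsoft). It checks that the anonymous AutoDiscover V2 answer resolves to an HTTPS EWS endpoint inside the organization's own namespace, since that URL is where the OAuth-authenticated request of step (3) is sent. The `?Email=...&Protocol=EWS` query form, the host names `autodiscover.varunagroup.de` and `mail.varunagroup.de`, and the sample responses are assumptions constructed for illustration.

```python
import http.client
import json
from urllib.parse import quote, urlsplit

ENTRY_HOST = "outlook.office365.com"  # queried first, per the article
def autodiscover_url(host, email, protocol="EWS"):
    """AutoDiscover V2 lookup URL (query form assumed for this example)."""
    return (f"https://{host}/autodiscover/autodiscover.json"
            f"?Email={quote(email, safe='@')}&Protocol={protocol}")

def live_fetch(url):
    """Anonymous GET that does not follow redirects: (status, headers, body)."""
    p = urlsplit(url)
    conn = http.client.HTTPSConnection(p.hostname, p.port, timeout=10)
    conn.request("GET", f"{p.path}?{p.query}")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, headers, body

def host_in(host, suffixes):
    """True if host equals, or is a subdomain of, one of the expected domains."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def trace(email, allowed_suffixes, fetch=live_fetch, max_hops=3):
    """Follow steps (1) and (2); return hops, the EWS URL and any findings."""
    url, hops, findings = autodiscover_url(ENTRY_HOST, email), [], []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append((status, urlsplit(url).hostname))
        if status == 302:  # mailbox is not in Exchange Online
            url = headers.get("location", "")
            if urlsplit(url).scheme != "https":
                findings.append("redirect target is not HTTPS")
                break
            continue
        if status != 200:
            findings.append(f"unexpected HTTP {status}")
            break
        ews = json.loads(body).get("Url", "")
        target = urlsplit(ews)
        if target.scheme != "https":
            findings.append("EWS URL is not HTTPS")
        if not host_in(target.hostname, allowed_suffixes):
            findings.append(f"EWS host {target.hostname} is outside the expected namespace")
        return {"hops": hops, "ews_url": ews, "findings": findings}
    else:
        findings.append("too many redirects")
    return {"hops": hops, "ews_url": None, "findings": findings}

# Constructed responses (not captured traffic); on-premises host names are assumed.
EMAIL = "John.Doe@varunagroup.de"
ONPREM = autodiscover_url("autodiscover.varunagroup.de", EMAIL)
SAMPLE = {autodiscover_url(ENTRY_HOST, EMAIL): (302, {"location": ONPREM}, ""),
          ONPREM: (200, {}, '{"Protocol":"EWS","Url":"https://mail.varunagroup.de/EWS/Exchange.asmx"}')}
def sample_fetch(url):  # offline stand-in for live_fetch that replays SAMPLE
    return SAMPLE[url]
```

Calling `trace(EMAIL, ["varunagroup.de"], fetch=sample_fetch)` replays the constructed exchange offline; leaving out `fetch` sends the same anonymous requests to the real endpoints.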


The requirements for this process to function correctly are:

  • Correctly configured Azure AD Connect with Exchange Hybrid option enabled
  • Synchronization of all on-premises mailbox users to Azure AD
  • Exchange Organization published to the internet
  • Exchange Server 2019 or 2016 running the latest cumulative updates
  • Exchange namespace correctly configured in the external DNS zone
  • Configured AutoDiscover endpoints for all primary email domains in the external DNS zones, accepting non-authenticated requests
  • Configuration of Exchange Classic Full Hybrid Mode using Hybrid Configuration Wizard

With a hybrid Exchange configuration that meets these requirements, the use of on-premises mailboxes with Microsoft Teams works.


Exchange Server is a very tolerant server application that you can operate in very different configurations. Individual deviations from the preferred architecture of Exchange Server and a hybrid configuration with Microsoft 365 lead to possible errors when using Microsoft Teams with on-premises user mailboxes.


I highly recommend reading the Microsoft Docs article Troubleshoot Microsoft Teams and Exchange Server interaction issues when you encounter problems with your on-premises mailboxes and Microsoft Teams.


In the next two blog posts, I will take a closer look at calendar access and calendar delegate situations and the possible sources of errors and options for error analysis.

 

Links


Thomas Stensitzki is a leading technology consultant focusing on Microsoft messaging and collaboration technologies and the owner of Granikos GmbH & Co. KG. He is an MVP for Office Apps & Services and an MCT Regional Lead. As a user group organizer, he hosts the Microsoft Teams User Group Berlin and the Exchange User Group DACH.


Twitter: https://twitter.com/stensitzki
Blog: https://JustCantGetEnough.Granikos.eu
Teams User Group: https://TeamsUserGroup.berlin
Exchange User Group: https://exusg.de

 

To write your own blog on a topic of interest as a guest blogger in the Microsoft Teams Community, please submit your idea here: https://aka.ms/TeamsCommunityBlogger

1 Comment
Occasional Contributor

Thanks for the insights.

Is there a difference in "connection flow" when trying to set up a meeting on behalf of as a delegate?

Last update: Mar 23 2021 07:55 AM