Configure OAuth authentication between Exchange on-premises and Exchange Online organizations

To configure OAuth authentication between your on-premises Exchange and Exchange Online organizations, follow the steps below:

  1. Create an authorization server object for your Exchange Online organization. In Exchange PowerShell, run: New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl https://accounts.accesscontrol.windows.net/<your verified domain>/metadata/json/1 e.g.: on my lab, verified domain: lab16204.o365ready.com
  2. Enable the partner application for your Exchange Online organization. In Exchange PowerShell, run: Get-PartnerApplication | ?{$_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""} | Set-PartnerApplication -Enabled $true
  3. Export the on-premises authorization certificate
    • In this step, you have to run a PowerShell script to export the on-premises authorization certificate, which is then imported to your Exchange Online organization in the next step.
    • Save the following text to a PowerShell script file named, for example, ExportAuthCert.ps1
      # Thumbprint of the certificate Exchange currently uses for OAuth
      $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
      if((test-path $env:SYSTEMDRIVE\OAuthConfig) -eq $false)
      {
         md $env:SYSTEMDRIVE\OAuthConfig
      }
      cd $env:SYSTEMDRIVE\OAuthConfig
      # Find that certificate in the local machine store and export only the public part (.cer, no private key)
      $oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
      $certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
      $certBytes = $oAuthCert.Export($certType)
      $CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
      [System.IO.File]::WriteAllBytes($CertFile, $certBytes)
    • In Exchange PowerShell in your on-premises Exchange organization, run the PowerShell script that you created in the previous step. For example: .\ExportAuthCert.ps1
  4. Upload the on-premises authorization certificate to Azure Active Directory ACS
    • Click the Azure Active Directory Module for Windows PowerShell shortcut to open a Windows PowerShell workspace that has the Azure AD cmdlets installed. All commands in this step will be run using the Windows PowerShell for Azure Active Directory console.
    • Save the following text to a PowerShell script file named, for example, UploadAuthCert.ps1
      Connect-MsolService;
      Import-Module msonlineextended;
      # Resolve the .cer file exported by ExportAuthCert.ps1 to an absolute path
      $CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
      $objFSO = New-Object -ComObject Scripting.FileSystemObject;
      $CertFile = $objFSO.GetAbsolutePathName($CertFile);
      $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
      $cer.Import($CertFile);
      # Base64-encode the raw certificate and attach it to the Exchange Online service principal as a verification key
      $binCert = $cer.GetRawCertData();
      $credValue = [System.Convert]::ToBase64String($binCert);
      $ServiceName = "00000002-0000-0ff1-ce00-000000000000";
      $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
      New-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue
    • Run the PowerShell script that you created in the previous step. For example: .\UploadAuthCert.ps1
  5. Register all hostname authorities for your external on-premises Exchange HTTP endpoints with Azure Active Directory
    • If you are not sure of the external Exchange endpoints in your on-premises Exchange organization, you can get a list of the external configured Web services endpoints by running the following command in Exchange PowerShell in your on-premises Exchange organization:
      Get-WebServicesVirtualDirectory | FL ExternalUrl
    • Save the following text to a PowerShell script file named, for example, RegisterEndpoints.ps1. The generic example uses a wildcard to register all endpoints for domain.com ($externalAuthority="*.domain.com"); replace domain.com with a hostname authority for your on-premises Exchange organization. If you use a third-party certificate issued for a single hostname, use that hostname instead ($externalAuthority="mail.domain.com"). Our PowerShell script will be as follows:
      $externalAuthority="mail.lab16204.o365ready.com"
      $ServiceName = "00000002-0000-0ff1-ce00-000000000000";
      $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName;
      # SPN format is <application id>/<hostname authority>
      $spn = [string]::Format("{0}/{1}", $ServiceName, $externalAuthority);
      $p.ServicePrincipalNames.Add($spn);
      Set-MsolServicePrincipal -ObjectID $p.ObjectId -ServicePrincipalNames $p.ServicePrincipalNames;
    • In Windows PowerShell for Azure Active Directory, run the Windows PowerShell script that you created in the previous step. For example: .\RegisterEndpoints.ps1
  6. You can use the Get-IntraOrganizationConfiguration cmdlet in both your on-premises and Office 365 tenants to determine the endpoint values needed by the New-IntraOrganizationConnector cmdlet. If no connector exists yet, create an IntraOrganizationConnector from your on-premises organization to Office 365. In Exchange PowerShell, run:
    New-IntraOrganizationConnector -name ExchangeHybridOnPremisesToOnline -DiscoveryEndpoint https://outlook.office365.com/autodiscover/autodiscover.svc -TargetAddressDomains <your service target address> e.g.: on my lab, target address: FTLab443432.mail.onmicrosoft.com
  7. Create an IntraOrganizationConnector from your Office 365 tenant to your on-premises Exchange organization. Using Windows PowerShell, run the following cmdlet:
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    Import-PSSession $Session
    New-IntraOrganizationConnector -name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint <your on-premises Autodiscover endpoint> -TargetAddressDomains <your on-premises SMTP domain> e.g.: on-premises Autodiscover: mail.lab16204.o365ready.com, on-premises SMTP domain: lab16204.o365ready.com
  8. Configure an AvailabilityAddressSpace for any pre-Exchange 2013 SP1 servers. In Exchange PowerShell, run the following cmdlet in your on-premises organization:
    Add-AvailabilityAddressSpace -AccessMethod InternalProxy -ProxyUrl <your on-premises External Web Services URL> -ForestName <your Office 365 service target address> -UseServiceAccount $True e.g.: on-premises External Web Services URL: https://lab103ex.contoso.com/EWS/Exchange.asmx, Office 365 service target address: FTLab443432.mail.onmicrosoft.com
  9. To verify that your on-premises Exchange organization can successfully connect to Exchange Online, run the following command in Exchange PowerShell in your on-premises organization:
    Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl e.g.: On-Premises Mailbox: alans@lab16204.o365ready.com
  10. To verify that your Exchange Online organization can successfully connect to your on-premises Exchange organization, use the Remote PowerShell to connect to your Exchange Online organization and run the following command:
    Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment>/metadata/json/1 -Mailbox <Exchange Online Mailbox> -Verbose | fl e.g.: External hostname authority of your Exchange On-Premises deployment: https://mail.lab16204.o365ready.com, Exchange Online Mailbox: amya@lab16204.o365ready.com
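
The scripts in steps 4 and 5 upload the certificate and add the SPN without checking the result, and RegisterEndpoints.ps1 calls .Add() unconditionally, so running it twice appends the same name twice. The following script is an added example, not part of the original post: it runs in the Windows PowerShell for Azure Active Directory console after steps 3 to 5, confirms that the exported OAuthCert.cer really is attached to the Exchange Online service principal by comparing thumbprints, and registers a whole list of hostname authorities only where they are missing. The $Authorities list and the example.com hostnames are assumptions; replace them with the ExternalUrl hosts from Get-WebServicesVirtualDirectory and your external Autodiscover name. The application id and the .cer path are the ones used in the post.

```powershell
# Added example, not from the original post: run in the Windows PowerShell for Azure
# Active Directory console after steps 3 to 5. Checks the uploaded OAuth certificate
# and registers hostname authorities idempotently.
Import-Module MSOnline
Connect-MsolService

# Exchange Online partner application id and certificate path, both from the post.
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$CertFile    = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"

# Assumed hostname authorities (placeholders): replace with the hosts from the ExternalUrl
# values of Get-WebServicesVirtualDirectory and your external Autodiscover name.
$Authorities = @("mail.example.com", "autodiscover.example.com")

$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName

# 1. Certificate check: compare the thumbprint of the exported .cer with every asymmetric
#    'Verify' credential currently stored on the service principal.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$uploaded = Get-MsolServicePrincipalCredential -ServicePrincipalName $ServiceName -ReturnKeyValues $true |
    Where-Object { $_.Type -eq "Asymmetric" -and $_.Usage -eq "Verify" }
$registered = foreach ($cred in $uploaded) {
    $bytes = [Convert]::FromBase64String($cred.Value)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($cert.Thumbprint -eq $local.Thumbprint) { $cred }
}
if ($registered) {
    Write-Host "OK: certificate $($local.Thumbprint) is registered, valid until $($registered.EndDate)"
} else {
    Write-Warning "Certificate $($local.Thumbprint) is not on the service principal; re-run UploadAuthCert.ps1"
}

# 2. Idempotent SPN registration: add only the <application id>/<authority> names that are missing.
$changed = $false
foreach ($authority in $Authorities) {
    $spn = "$ServiceName/$authority"
    if ($p.ServicePrincipalNames -contains $spn) {
        Write-Host "Already registered: $spn"
    } else {
        $p.ServicePrincipalNames.Add($spn)
        Write-Host "Adding: $spn"
        $changed = $true
    }
}
if ($changed) {
    Set-MsolServicePrincipal -ObjectId $p.ObjectId -ServicePrincipalNames $p.ServicePrincipalNames
}

# 3. List the hostname authorities now bound to the Exchange Online principal for review.
(Get-MsolServicePrincipal -ServicePrincipalName $ServiceName).ServicePrincipalNames |
    Where-Object { $_ -like "$ServiceName/*" }
```

If the certificate check warns, repeat steps 3 and 4 before running the Test-OAuthConnectivity checks in steps 9 and 10; a token signed with an on-premises certificate that Azure AD ACS does not hold as a Verify key will fail there. The final listing is also the place to spot stale authorities left behind after a hostname change.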
This entry was posted in Office 365.

One Response to Configure OAuth authentication between Exchange on-premises and Exchange Online organizations

  1. Pingback: Configure Tab on hybrid configuration wizard of Office 365 is failed | Mai Ali's Technical Blog
