How to configure Hybrid mode for Exchange 2016 to have OAuth2 Client Credentials flow working with Microsoft Graph API

Question

I configured Hybrid mode on a customer's Exchange 2016. Now users' mailboxes are exposed on the Microsoft Graph API using the individual consent flow (authorization code Oauth2 flow).

Getting an admin consent with a client credentials flow seems to work : a token is retreived on the Microsoft endpoint, the payload is correct (right scopes), but it triggers an "unknown error" when using it to get a mailbox content through the Microsoft Graph API. The same token does work to get directory information (meaning the token is valid at some point).

Is Hybrid mode compatible with the Client Credentials flow ? Is there any parameters to configure in Exchange to enable this flow ?

Answer 1

I stumbled upon the same issue some time ago. Just let it slide, as I thought it was some wrong configuration on the Exchange side.

If you inspect both tokens you'll see that the sid is missing on the Client Credentials token, I think exchange needs some sort of on-premise user id inside the token to work. I'm not sure if this flow is supported since I cannot find anything about this topic on their documentation websites.

I just found a totally related question, check out https://stackoverflow.com/a/56108226/639153 for a complete answer.

The issue is actually somewhere else - Exchange doesn't seem to support client_credentials flow. You can, however force it via following PowerShell (make sure to restart your IIS after applying):

$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions

The full explanation can be found here: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/