
In a hybrid setup, if the client credentials grant type is used to get a token and that token is used to get an on-prem user's messages (https://graph.microsoft.com/v1.0/users('onpremuser@onpremdomain.com')/messages/) using the Graph API, it fails with UnknownError.

When debugged using the IIS logs, the error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token".

However, if the authorization code grant or the resource owner password credential (ROPC) grant is used to obtain the token, we were able to get the messages of the on-prem user using the Graph API. I have attached screenshots of the tokens for both. How can the client credentials grant be made to work for on-prem user message access using the Graph API (in a hybrid setup)?

Client credentials OAuth flow

ROPC OAuth flow

Update

I went and edited the web.config of Rest on the Exchange server to have V1S2SAppOnly in the profiles. After that the previous error is gone and a new error is seen.

Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+trusted_issuers="00000001-0000-0000-c000-000000000000@ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",+token_types="app_asserted_user_v1+service_asserted_app_v1",+error="invalid_token" 2000008;reason="The+token+should+have+valid+permissions+or+linked+account+associated+with+partner+application+'00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"

  • Possible duplicate of [Exchange 2016 on-premise mailbox access using Graph API (Hybrid Setup)](https://stackoverflow.com/questions/54932152/exchange-2016-on-premise-mailbox-access-using-graph-api-hybrid-setup) – Jan Hajek May 13 '19 at 08:40

2 Answers


I think the problem is with the aud claim, i.e. the audience for token.

For the first token that you have shared:

  • the aud value is 00000002-0000-0000-c000-000000000000. This is the resource Id for the Azure AD Graph API and not the Microsoft Graph API. For the Microsoft Graph API you should be using https://graph.microsoft.com or the Id 00000003-0000-0000-c000-000000000000
  • this is probably the token where you used the client credentials grant, as there isn't any user claim

For the second token that you have shared:

  • the aud value is https://graph.microsoft.com, which is correct
  • this token is acquired in the context of the user name anoop, so I guess this is the one which is working for you.
Rohit Saigal
  • Even with graph as aud it fails with the same error. { "aud": "https://graph.microsoft.com/", "iss": "https://sts.windows.net/xxxxxx/", "iat": 1552573576, "nbf": 1552573576, "exp": 1552577476, "aio": "42JgYEjYOn3DtYdvWBUE7ks/nDt3LQA=", ... } – Karthik Hebbar Mar 14 '19 at 14:32
  • Also I started doubting whether IIS supports claims without a user as a valid token at all, because the error msg displayed is "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." On the other hand, for the token with user claims I can see "USER_SET AuthType="Bearer", UserName="S-1-5-21-1392771109-4043059535-3934338706-1147", SupportsIsInRole="true"" in the IIS trace logging, but it fails at the same point for the client credentials token (which has no user claims). – Karthik Hebbar Mar 14 '19 at 14:41
  • @KarthikHebbar ok there may be more issues at play.. at least the `aud` needs to be correct first.. further.. Error message is such that token version could be an issue, but I see both your tokens are v1 so not fully making sense yet.. Can you please tell how you registered your application? regular `Azure AD portal`, `App Registrations preview experience` or `apps.dev.microsoft.com` .. also how are you acquiring the token.. using a library or direct REST API calls.. share some code details if possible – Rohit Saigal Mar 14 '19 at 14:46
  • I did the app registration in the Azure portal using App registration. I am doing direct REST API calls in Postman currently (switched from code directly). Token URL - https://login.microsoftonline.com//oauth2/token, params - resource (https://graph.microsoft.com/), client_id, client secret and grant_type as client_credentials. And calling the API https://graph.microsoft.com/v1.0/users('onprem user')/messages/ with the obtained token. An important observation is that everything works perfectly for cloud users. The problem is with on-prem users only. – Karthik Hebbar Mar 14 '19 at 14:51
  • REST API calls are done from Postman with the parameters mentioned in the previous comment. – Karthik Hebbar Mar 14 '19 at 14:58
  • @KarthikHebbar ok got it. – Rohit Saigal Mar 14 '19 at 15:08
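The claim check discussed in this answer, as an added diagnostic example (not code from the question or the answer): it base64url-decodes the payload of a v1 token and reports whether `aud` names the Azure AD Graph resource or Microsoft Graph, and whether the token is app-only (no user claims) or delegated. The two sample tokens are constructed inline and unsigned; the resource Ids are the ones quoted in the answer. No signature verification is done, so this is for inspecting claims only, never for accepting a token.

```python
import base64
import json

# Resource identifiers quoted in the answer above.
MS_GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}
AAD_GRAPH_AUDIENCE = "00000002-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    # Diagnostic decode only: the signature is NOT verified here.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str) -> dict:
    claims = decode_payload(token)
    aud = claims.get("aud", "")
    # Delegated tokens carry a user identity (upn/unique_name) and 'scp';
    # app-only (client credentials) tokens carry 'roles' and no user claims.
    has_user = any(k in claims for k in ("upn", "unique_name", "name"))
    return {
        "aud": aud,
        "aud_is_ms_graph": aud in MS_GRAPH_AUDIENCES,
        "aud_is_aad_graph": aud == AAD_GRAPH_AUDIENCE,
        "app_only": "scp" not in claims and not has_user,
        "ver": claims.get("ver"),
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample token: header + payload with an empty signature segment.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(payload)}."


# Constructed examples mirroring the two tokens described in the answer.
CLIENT_CRED_TOKEN = _make_unsigned_token(
    {"aud": AAD_GRAPH_AUDIENCE, "ver": "1.0", "roles": ["Mail.Read"]})
ROPC_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "ver": "1.0",
     "upn": "anoop@contoso.example", "scp": "Mail.Read"})
```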

What you want is:

Application with Client credentials => Graph API => Local Exchange.

This scenario isn't supported out of the box, but you can tell your local Exchange server to accept those tokens. See this answer: https://stackoverflow.com/a/56131954/639153

In a nutshell, you need to change the authentication config of your front-end Exchange servers to accept client credentials tokens from the Graph API. By default only delegated credentials are supported, and these settings are not documented on the Exchange side.

Warning: we tested these settings and they are working, but this is not supported by Microsoft.

This is the blog where I found the answer to your question: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/

Stephan