Azure Active Directory (SSO) connection with ADFS 3.0 and Office 365 (Exchange Online)

    Question

  • Technologies Used:

    • Azure Active Directory
        - Using Azure AD Connect
    • Office 365 (specifically Exchange Online Plan 3)
        - Using EWS (Exchange Web Services) API
    • ADFS 3.0 for SSO
    • On-Premise Windows Server 2008 R2

    Background Information:

    Our .NET application uses the EWS API for Exchange Online to publish information (appointments) to end users' calendars. We use outlook.office365.com ... as the connection URL. We use the credentials of a Global Administrator account for authentication.

    Issue:

    After implementing ADFS 3.0 with Azure Active Directory (uses Azure AD Connection for a one-way sync), our application now returns a '503 Error: Service Not Found' when attempting to initiate a connection to the EWS service URL.

    -----

    Any recommendations on how to approach the issue or possible resolutions?

    Thank you.

    Monday, May 1, 2017 6:59 PM

All replies

  • Do you have Modern authentication enabled? Without it, every connection to Exchange Online is proxied by the server, thus is considered External to your network and you need to adjust your configuration accordingly (WAP servers, firewalls, claims rules, etc).

    What happens if you simply try to open the EWS URL via browser and enter credentials?

    Monday, May 1, 2017 7:24 PM
  • Oh also, do you have Azure MFA enabled for this account? If so, you need to use an app password instead.
    Monday, May 1, 2017 7:25 PM
  • Thanks Vasil!

    1. I'll check with our developer on the Modern authentication.

    2. WAP is not being used. Firewall rules are configured properly.

    3. I don't see any claims rules specifically for EWS.

    Monday, May 1, 2017 7:35 PM
  • Vasil, that's a negative.

    Monday, May 1, 2017 7:35 PM
  • Well, if you are not using WAPs, are you exposing the AD FS server directly to the internet? As mentioned above, without Modern auth every request for ExO in such scenarios will be proxied by the server, so it's considered external.

    Did you test the URL directly via the browser?

    Tuesday, May 2, 2017 8:44 AM