Azure Active Directory (SSO) connection with ADFS 3.0 and Office 365 (Exchange Online)

    Question

  • Technologies Used:

    • Azure Active Directory
      - Using Azure AD Connect
    • Office 365 (specifically Exchange Online Plan 3)
      - Using EWS (Exchange Web Services) API
    • ADFS 3.0 for SSO
    • On-Premise Windows Server 2008 R2

    Background Information:

    Our .NET application uses the EWS API for Exchange Online to publish information (appointments) to end users' calendars. We use outlook.office365.com ... as the connection URL. We use the credentials of a Global Administrator account for authentication.

    Issue:

    After implementing ADFS 3.0 with Azure Active Directory (uses Azure AD Connection for a one-way sync), our application now returns a '503 Error: Service Not Found' when attempting to initiate a connection to the EWS service URL.

    -----

    Any recommendations on how to approach the issue or possible resolutions?

    Thank you.

    Monday, May 01, 2017 6:59 PM

All replies

  • Do you have Modern authentication enabled? Without it, every connection to Exchange Online is proxied by the server and is thus considered external to your network, and you need to adjust your configuration accordingly (WAP servers, firewalls, claims rules, etc.).

    What happens if you simply try to open the EWS URL via browser and enter credentials?

    Monday, May 01, 2017 7:24 PM
  • Oh, also, do you have Azure MFA enabled for this account? If so, you need to use an app password instead.
    Monday, May 01, 2017 7:25 PM
  • Thanks Vasil!

    1. I'll check with our developer on the Modern authentication.

    2. WAP is not being used. Firewall rules are configured properly.

    3. I don't see any claims rules specifically for EWS.

    Monday, May 01, 2017 7:35 PM
  • Vasil, that's a negative.

    Monday, May 01, 2017 7:35 PM
  • Well, if you are not using WAPs, are you exposing the AD FS server directly to the internet? As mentioned above, without Modern auth every request for ExO in such scenarios will be proxied by the server, so it's considered external.

    Did you test the URL directly via the browser?

    Tuesday, May 02, 2017 8:44 AM