Client credentials token is not working for on-prem Exchange server

  • In a hybrid setup, if the client credentials grant type is used to get a token and that token is used to get an on-prem user's messages (https://graph.microsoft.com/v1.0/users('onpremuser@onpremdomain.com')/messages/) using the Graph API, it fails with UnknownError.

    When I debugged the IIS logs, the error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token". To get rid of the 'V1S2SAppOnly' error I went and added V1S2SAppOnly under appSettings of the web.config file present at C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rest\web.config

    <add key="OAuthHttpModule.Profiles" value="S2SAppActAs|S2SAppOnly|V1AppActAs|V1AppOnly|Callback|V1S2SActAs|V1S2SAppOnly|CallbackV2" />  

    After this the error was gone, and now I am seeing a new error like the one below in the IIS log:

    HeaderName="x-ms-diagnostics", HeaderValue="2000008;reason="The token should have valid permissions or linked account associated with partner application '00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"", Replace="false". However, the decoded token (jwt.io) does have roles:

    {
      "aud": "https://graph.microsoft.com/",
      "iss": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
      "iat": 1552900163,
      "nbf": 1552900163,
      "exp": 1552904063,
      "aio": "42JgYHhwRC7Jf9HECQFuBmlfT+t0AgA=",
      "app_displayname": "newtestapp",
      "appid": "fb461318-f95f-474f-9451-ad6b9952a5fe",
      "appidacr": "2",
      "idp": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
      "oid": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
      "roles": [
        "Mail.ReadWrite",
        "Mail.Read",
        "Mail.Send"
      ],
      "sub": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
      "tid": "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
      "uti": "XLiJVT7T8Eir7FsLkkvWAA",
      "ver": "1.0",
      "xms_tcdt": 1550570031
    }


    Observations:

    1. Everything works perfectly for cloud users.
    2. If the ROPC or authorization code flow is used, I am able to retrieve that user's mail.

    How do I make Graph API calls (/messages) work for on-prem users with the client credentials OAuth flow?


    Monday, March 18, 2019 1:06 PM
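The claim inspection the poster did by hand on jwt.io, as an added example that is not part of the original post or of any Microsoft tooling. It decodes the payload of a compact JWT, classifies it as app-only (client credentials: a `roles` claim and no user) or delegated (authorization code / ROPC: an `scp` claim), and checks audience, required roles and the `nbf`/`exp` window. The sample token is constructed from the claims quoted above with a placeholder header and signature; the script reads claims only and does not verify the signature, so it is a diagnostic for "what does this token actually say", not a replacement for validation by the resource server.

```python
import base64
import json
import time

# Constructed sample, not a real token: the payload copies the claims the
# poster pasted from jwt.io; the header and signature are placeholders, so
# this token would fail signature verification anywhere it was really used.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com/",
    "iss": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
    "iat": 1552900163,
    "nbf": 1552900163,
    "exp": 1552904063,
    "appid": "fb461318-f95f-474f-9451-ad6b9952a5fe",
    "appidacr": "2",
    "roles": ["Mail.ReadWrite", "Mail.Read", "Mail.Send"],
    "tid": "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
    "ver": "1.0",
}

# appidacr says how the client authenticated to the token endpoint.
APPIDACR = {"0": "public client", "1": "client secret", "2": "client certificate"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a header.payload.signature string with a placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


SAMPLE_TOKEN = make_unsigned_token(SAMPLE_PAYLOAD)


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def grant_kind(claims: dict) -> str:
    """Delegated tokens (authorization code, ROPC) carry 'scp' for a signed-in
    user; app-only tokens (client credentials) carry 'roles' and no user."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "unknown"


def check_app_only(claims: dict, expected_aud: str, required_roles, now=None) -> list:
    """Return a list of problems; an empty list means the token looks usable
    for an app-only call that needs required_roles against expected_aud."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    kind = grant_kind(claims)
    if kind != "app-only":
        problems.append(f"token is {kind}, not app-only")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid (nbf in the future)")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems


def describe(claims: dict) -> str:
    """One-line summary of the claims that matter when triaging a token."""
    return (f"ver={claims.get('ver')} kind={grant_kind(claims)} "
            f"appid={claims.get('appid')} tid={claims.get('tid')} "
            f"auth={APPIDACR.get(str(claims.get('appidacr')), 'unknown')}")


if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(describe(claims))
    print(check_app_only(claims, "https://graph.microsoft.com/", {"Mail.Read"}, now=1552900200))
```

Run against the claims above with a `now` inside the token's validity window, `check_app_only` returns an empty list: the token itself is an app-only v1.0 token with the Mail roles, authenticated with a client certificate, which is what the poster observed. Whether the on-prem Exchange front end accepts such a token for a given mailbox is a server-side decision that no amount of client-side claim inspection can settle; the script only tells you what you are presenting.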
