Azure client credentials grant oath not working in hybrid setup for Graph Mail API access

1
votes

In hybrid setup if client credentials grant type is used to get token and if that token is used to get on-prem user messages (https://graph.microsoft.com/v1.0/users('[email protected]')/messages/) using graph api it fails by providing UnknownError.

When debugged on IIS logs error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token".

However if authorization code grant or resource owner password credential (ROPC) grant if used to obtain token , we were able to get messages of on prem user using graph API. Have attached screenshot of token for both. How to make client credentials grant work for on-prem user messages access using graph API (in hybrid setup) ?

Client credentials oath flow

ROPC oath flow

Update

Update i went and edited web.config of rest in Exchange server to have V1S2SAppOnly in profiles. After that previous error is gone and new error is seen.

Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+trusted_issuers="00000001-0000-0000-c000-000000000000@ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",+token_types="app_asserted_user_v1+service_asserted_app_v1",+error="invalid_token" 2000008;reason="The+token+should+have+valid+permissions+or+linked+account+associated+with+partner+application+'00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"

2
azure-active-directorymicrosoft-graph-api
Possible duplicate of Exchange 2016 on-premise mailbox access using Graph API (Hybrid Setup)Jan Hajek

2 Answers

1
votes

I think the problem is with the aud claim, i.e. the audience for token.

For the first token that you have shared

  • aud value is 00000002-0000-0000-c000-000000000000. This is the resource Id for Azure AD Graph API and not Microsoft Graph API. For Microsoft Graph API, you should be using https://graph.microsoft.com or Id 00000003-0000-0000-c000-000000000000
  • this token is probably the one where you used client credentials grant, as there isn't any user claim

For the second token that you have shared

  • aud value is https://graph.microsoft.com which is correct
  • this token is acquired in context of a user name anoop so I guess this is the one which is working for you.
0
votes

What you want is:

Application with Client credentials => Graph API => Local Exchange.

This scenario isn't supported out-of-the-box, but you can however tell your local exchange server to accept those tokens. See this answer https://stackoverflow.com/a/56131954/639153

In a nutshell, you need to change the authentication config of your front-end exchange servers to accept client credentials from the graph api. By default only delegated credentials are supported, and these settings are not documented on the exchange side.

Warning, we tested these settings, and it's working but not supported by Microsoft

This is the blog where I've found the answer to your question. https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/