I wrote an application that can talk with Exchange Online accounts, I'm currently trying to test to see the steps required to work with internal accounts running in Hybrid.
I have:
- Windows Server 2012 R2
- Exchange 2016 CU8 (with launch
/PrepareAD ) - Internet-
/api/v2.0 paths to /api/v2.0 and /autodiscover/autodiscover.json - Run the HCW program
- AD Connect works
- Active Directory syncs with Azure Active Directory
- Permissions look good in the application that I registered (read calendar events / read and write calendar events)
Unfortunately, I get 404 when I try to access calendar events:
curl -v -H 'Content-Type: application/json' -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw" "https://graph.microsoft.com/v1.0/users/ oq@healthcentrified.co.uk /calendar/events" * Trying 137.116.241.64... * Connected to graph.microsoft.com (137.116.241.64) port 443 (#0) * found 148 certificates in /etc/ssl/certs/ca-certificates.crt * found 592 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: graph.microsoft.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,ST=WA,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporation,CN=graph.microsoft.com * start date: Wed, 03 Jan 2018 17:32:18 GMT * expire date: Fri, 03 Jan 2020 17:32:18 GMT * issuer: C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft IT,CN=Microsoft IT TLS CA 4 * compression: NULL * ALPN, server did not agree to a protocol > GET /v1.0/users/ oq@healthcentrified.co.uk /calendar/events HTTP/1.1 > Host: graph.microsoft.com > User-Agent: curl/7.47.0 > Accept: */* > Content-Type: application/json > Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw > < HTTP/1.1 404 Not Found < Cache-Control: private < Transfer-Encoding: chunked < Content-Type: text/plain < request-id: f499015e-325b-45e8-9716-0a8a7160b82d < client-request-id: f499015e-325b-45e8-9716-0a8a7160b82d < x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceA","Ring":"3","ScaleUnit":"003","Host":"AGSFE_IN_0","ADSiteName":"DUB"}} < Duration: 1764.3754 < Date: Sun, 18 Feb 2018 19:18:28 GMT < * Connection #0 to host graph.microsoft.com left intact application / json' -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw" "https://graph.microsoft.com/v1.0/users/ curl -v -H 'Content-Type: application/json' -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw" "https://graph.microsoft.com/v1.0/users/ oq@healthcentrified.co.uk /calendar/events" * Trying 137.116.241.64... * Connected to graph.microsoft.com (137.116.241.64) port 443 (#0) * found 148 certificates in /etc/ssl/certs/ca-certificates.crt * found 592 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: graph.microsoft.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,ST=WA,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporation,CN=graph.microsoft.com * start date: Wed, 03 Jan 2018 17:32:18 GMT * expire date: Fri, 03 Jan 2020 17:32:18 GMT * issuer: C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft IT,CN=Microsoft IT TLS CA 4 * compression: NULL * ALPN, server did not agree to a protocol > GET /v1.0/users/ oq@healthcentrified.co.uk /calendar/events HTTP/1.1 > Host: graph.microsoft.com > User-Agent: curl/7.47.0 > Accept: */* > Content-Type: application/json > Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw > < HTTP/1.1 404 Not Found < Cache-Control: private < Transfer-Encoding: chunked < Content-Type: text/plain < request-id: f499015e-325b-45e8-9716-0a8a7160b82d < client-request-id: f499015e-325b-45e8-9716-0a8a7160b82d < x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceA","Ring":"3","ScaleUnit":"003","Host":"AGSFE_IN_0","ADSiteName":"DUB"}} < Duration: 1764.3754 < Date: Sun, 18 Feb 2018 19:18:28 GMT < * Connection #0 to host graph.microsoft.com left intact xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw curl -v -H 'Content-Type: application/json' -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw" "https://graph.microsoft.com/v1.0/users/ oq@healthcentrified.co.uk /calendar/events" * Trying 137.116.241.64... * Connected to graph.microsoft.com (137.116.241.64) port 443 (#0) * found 148 certificates in /etc/ssl/certs/ca-certificates.crt * found 592 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_CBC_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: graph.microsoft.com (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: C=US,ST=WA,L=Redmond,O=Microsoft Corporation,OU=Microsoft Corporation,CN=graph.microsoft.com * start date: Wed, 03 Jan 2018 17:32:18 GMT * expire date: Fri, 03 Jan 2020 17:32:18 GMT * issuer: C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Microsoft IT,CN=Microsoft IT TLS CA 4 * compression: NULL * ALPN, server did not agree to a protocol > GET /v1.0/users/ oq@healthcentrified.co.uk /calendar/events HTTP/1.1 > Host: graph.microsoft.com > User-Agent: curl/7.47.0 > Accept: */* > Content-Type: application/json > Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6RE1mbEZNYTYwaktGRHRhUXp0ZGVkM2V6Z0ZfUzlLMjdDRmQxSHlfZGdRcnR6WlJBczRDV095R3E1Vl9OZW9MSFNKTGpzblNCSDNCQU9oQnBzU18wVmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIiwia2lkIjoiU1NRZGhJMWNLdmhRRURTSnhFMmdHWXM0MFEwIn0..AWt_ANsH8sk15WeH1AgD6SD0Ki8VILMvzkbSMju_YFGKc5cVkrGp7Skzt64uDM8rI6Py5Y-1c3srXwON2oSihkRskfz5vG4nIlbFnuYd3Ij2Vz1ktpNnCeMAnAK2T8ifk2visRSvchRbuBNZZyamwRjActdDF9BS8NygUgmmygK4mPjOIab17PJPz5PisvRbCA2jBLWLvbu9RYrLH-xGuoLd2PLTbsn2WSVi3er4XztZCcK7XfVWe-0wjrV6qBufd5z0hH_KpQLdzPtLOzSUGUAcXGa0mBPceTWULQvQ-LPcAJO57F0ir5k22fWzlkOfUxQb9eGWREUm1cAPWk3CPw > < HTTP/1.1 404 Not Found < Cache-Control: private < Transfer-Encoding: chunked < Content-Type: text/plain < request-id: f499015e-325b-45e8-9716-0a8a7160b82d < client-request-id: f499015e-325b-45e8-9716-0a8a7160b82d < x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Europe","Slice":"SliceA","Ring":"3","ScaleUnit":"003","Host":"AGSFE_IN_0","ADSiteName":"DUB"}} < Duration: 1764.3754 < Date: Sun, 18 Feb 2018 19:18:28 GMT < * Connection #0 to host graph.microsoft.com left intact
If I make a similar request in the mailbox that was ported to Exchange Online, this works (I get HTTP 200 and the list of events in JSON)
Office 365 support does not know what to do here (this is probably beyond their scope).
Documentation says it is in preview but should work
Microsoft Graph has always provided access to client mailboxes in the cloud in Exchange Online as part of Office 365. The cumulative Exchange 2016 3 (CU3) update, released in September 2016 for on-premises Exchange servers, adds support for REST API integration with Office 365. If your application uses the v1.0 API of mail, calendar or contacts, now you will also find seamless authentication and application experience in hybrid deployments, regardless of whether the mailbox is local or cloud, provided that the deployment meets specific requirements.
Behind the scenes, when Microsoft Graph determines that a REST API call is trying to access an internal mailbox in a hybrid deployment, it proxies a REST request to a local REST which then processes the request. This discovery makes access to the REST API.
I declare that I have very limited experience with Windows, and this is my first foray into using Windows servers for anything, but the lack of documentation for this scenario, as this is probably what many large corporate organizations will want to do.
Is there something clearly wrong?
Update
Rasmus asked if I have any requests to my web server, and while I see a lot of traffic on /rpc , I get nothing by pressing autodiscover.json , and the only requests to /API are
2018-02-25 18:58:24 ::1 GET /api/v1.0/users/ HealthMailboxda9cb9ff7af047cf9878a9b7be391e14@healthcentrified.c o.uk/Messages $top=1 &request_id=4f17c7a2-f753-46f7-853d-36f7a5281932 444 - ::1 Odata_AM_Probe/Local - 401 0 0 0
And others to this mailbox from this user-agent