Manual OAuth Configuration for Microsoft Teams in a Hybrid Scenario

5 / 5 ( 1 vote )

There are times when your organization (or a customer’s organization) just can’t run the Exchange Hybrid Configuration Wizard.  If you’re embarking on one of our strategies to take advantage of Microsoft Teams while your mailboxes are still on-premises, the Exchange Hybrid configuration is the go-to way to get there, since it sets all this stuff up automatically.  It’s important, because that’s what really enables the cross-premises free/busy.

So, what do you do if you can’t do hybrid?  I had this exact experience with a customer last year during the height of the pandemic, so here’s what I learned:

You copy and paste a lot of scripts.

As we point out in our documentation, in order for Microsoft Teams to work with on-premises mailboxes, you must configure OAuth authentication between the Microsoft 365 platform and the on-premises Exchange environment. This is automatically done when you run the Hybrid Configuration Wizard


In the event that you can’t run the HCW, you can manually configure the OAuth settings. Before you begin, you’ll need a few pieces of information and prerequisites met:

  • A verified domain in your Microsoft 365 tenant (such as
  • The value for your coexistence domain, in the form of <tenant> For example,
  • Access to a machine with the Azure AD PowerShell cmdlets. They can be installed using Install-Module MSonline from an elevated PowerShell console session.
  • Your external Autodiscover service endpoint. It’s most likely similar to The endpoint value itself would be the domain portion, such as
  • List of publicly available endpoints for your Exchange organization (such as Autodiscover and OWA). You can return a list of external endpoints by running the following commands:
Get-MapiVirtualDirectory | FL server, ExternalUrl

Get-WebServicesVirtualDirectory | FL server, ExternalUrl

Get-OABVirtualDirectory | FL server, ExternalUrl

Once you have gathered, the required information, you can follow these steps to complete the configuration.

  1. Launch an Exchange Management Shell instance in your on-premises Exchange organization, preferably on the server where you’re going to run the HCW.
  2. In this step, you will create the authorization objects for Exchange Online. Copy and paste the following commands, replacing <your tenant coexistence domain> with the correct value from the prerequisites section above.
New-AuthServer -Name "WindowsAzureACS" -AuthMetadataUrl "<your tenant coexistence domain>/metadata/json/1"

New-AuthServer -Name "evoSTS" -Type AzureAD -AuthMetadataUrl<your tenant coexistence domain>/federationmetadata/2007-06/federationmetadata.xml
  1. Next, you will need to enable the Exchange Online partner application.
Get-PartnerApplication |  ?{$_.ApplicationIdentifier -eq "00000002-0000-0ff1-ce00-000000000000" -and $_.Realm -eq ""} | Set-PartnerApplication -Enabled $true
  1. After the partner application has been enabled, copy and paste the following script to export the on-premises authorization certificate.  The output should end up as C:\OAuthCOnfig\OAuthCert.cer, assuming your SYSTEMDRIVE is C:\.
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
if((test-path $env:SYSTEMDRIVE\OAuthConfig) -eq $false)
   md $env:SYSTEMDRIVE\OAuthConfig
cd $env:SYSTEMDRIVE\OAuthConfig
$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certBytes = $oAuthCert.Export($certType)
$CertFile = "$env:SYSTEMDRIVE\OAuthConfig\OAuthCert.cer"
[System.IO.File]::WriteAllBytes($CertFile, $certBytes)
  1. Copy the exported certificate (.cer file) to the computer that has the Azure AD module installed (or install the module on the Exchange server where you exported the certificate).
  2. Launch a PowerShell console and change directory to the location where you saved the OauthCert.cer file (again, it should be stored in SYSTEMDRIVE:\OauthConfig if you just installed the Azure AD module on your Exchange server).
  3. Copy and paste the following script into the PowerShell console session. When prompted, provide a global admin credential for your tenant.

$CertFile = (pwd).Path+”\OAuthConfig\OAuthCert.cer"
$objFSO = New-Object -ComObject Scripting.FileSystemObject
$CertFile = $objFSO.GetAbsolutePathName($CertFile)
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName

New-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -Type asymmetric -Usage Verify -Value $credValue
  1. Using the external endpoints gathered in the prerequisite section, add them to the following script, replacing the  <ExternalUrl#> value. You can add as many entries as you have endpoints.
$ServiceName = "00000002-0000-0ff1-ce00-000000000000";
$x = Get-MsolServicePrincipal -AppPrincipalId $ServiceName;
Set-MSOLServicePrincipal -AppPrincipalId $ServiceName -ServicePrincipalNames $x.ServicePrincipalNames
  1. Next, you’ll need to go back to the Exchange Management Shell session you had already opened on-premises and run the following commands to create an IntraOrganizationConnector from your Exchange organization to Office 365:
$ServiceDomain = Get-AcceptedDomain | where {$_.DomainName -like "*"} | select -ExpandProperty Name

New-IntraOrganizationConnector -name ExchangeHybridOnPremisesToOnline -DiscoveryEndpoint -TargetAddressDomains $ServiceDomain

If $ServiceDomain is empty in your environment because you haven’t begun preparing for an Exchange hybrid deployment, you can set $ServiceDomain equal to your tenant mail routing domain, such as, such as in the following example:

$ServiceDomain = ""
  1. The final step is to configure an IntraOrganizationConnector from Office 365 to your on-premises organization. You’ll need the Autodiscover endpoint you identified in the prerequisites section as well your primary SMTP domain namespace (such as com).  Once you have that, edit the following script with your values and then paste it into a PowerShell console session:
$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

New-IntraOrganizationConnector -name ExchangeHybridOnlineToOnPremises -DiscoveryEndpoint <your on-premises Autodiscover endpoint> -TargetAddressDomains <your on-premises SMTP domain>

After these steps have been completed, you can verify that your OAuth connectivity works from Office 365 to your on-premises organization.  To do this, you’ll need:

  • A cloud-based mailbox
  • An on-premises endpoint that is exposed to the internet

You can test by connecting to Exchange Online PowerShell and running the following command:

Test-OAuthConnectivity -Service EWS -TargetUri https://<on-premises endpoint>/metadata/json/1 -Mailbox <cloud mailbox> | Select ResultType,Identity

Remember, the value for <on-premises endpoint> will be whatever the domain name is for your external autodiscover.

Wrapping up

Remember, any users that you the calendar icon to show up in Teams for must have an Exchange Online license enabled.  Once you’ve got working OAuth, your cloud Teams users should be able to do Free/Busy checks against their on-premises mailboxes and even schedule meetings.

Happy Teaming!

Post Script

A small portion of this is excerpted from my upcoming book, Expert Solutions for Microsoft Teams. 🙂

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese. View all posts by Aaron Guilmette

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Exit mobile version