Dynamics 365 V9.1 on premise integration with exchange online

We are trying to configure Dynamics 365 on-prem V9.1 with Exchange Online.
We have followed the instructions on the Microsoft page and used the script referenced on GitHub.
The app is registered in Entra ID, the certificate is deployed with the script, and the same certificate is used for SharePoint on premise.
When we test the connectivity, we get a 401 error returned by Exchange.
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="invalid_token",Basi...}
 
Analysing the traffic, a token generated by ACS is sent to Exchange, but Exchange doesn't support this token.
You can see the payload of the token generated.
It means the script we are using configures CRM to use ACS, but ACS is deprecated. Is it the Dynamics 365 Hybrid Connector that allows this type of token to be used?
Behind the scenes, CRM uses the PartnerApplication and AuthorizationServer entities to support this connectivity. The AuthorizationServer type supports ACS and EvoSTS, but the setup creates the AuthorizationServer configured with ACS.
But ACS is deprecated!
 
The Hybrid Connector is a requirement and it is installed.
We are completely blocked by this situation, and we are searching for a supported solution that makes this integration possible.
Has anyone in the forum met this issue and found a solution?
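
One way to triage the 401 described in the question, as an added example that is not part of the original post or of the GitHub script: decode the claims of a captured bearer token and compare them with the parameters of the WWW-Authenticate challenge. The token, the tenant GUID and the claim shapes are constructed placeholders, and treating "*" in trusted_issuers as an any-realm wildcard is an assumption.

```powershell
# Added example; tenant GUID and token claims are CONSTRUCTED placeholders.
function ConvertFrom-Base64Url([string]$Segment) {
    # JWT segments are unpadded base64url; restore standard base64 before decoding.
    $s = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-BearerChallenge([string]$Header) {
    # Collect the key="value" parameters of the Bearer challenge.
    $params = @{}
    foreach ($m in [regex]::Matches($Header, '(\w+)="([^"]*)"')) {
        $params[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $params
}

function Test-TokenAgainstChallenge([string]$Token, [string]$Header) {
    $challenge = Get-BearerChallenge $Header
    $claims = ConvertFrom-Base64Url ($Token.Split('.')[1]) | ConvertFrom-Json
    # Assumption: trusted issuers are "principal@realm" and "*" matches any realm.
    $issuerOk = $false
    foreach ($pattern in ($challenge['trusted_issuers'] -split ',')) {
        if ($claims.iss -like $pattern.Trim()) { $issuerOk = $true }
    }
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Issuer        = $claims.iss
        Audience      = $claims.aud
        IssuerTrusted = $issuerOk
        AudienceMatch = ([string]$claims.aud).StartsWith($challenge['client_id'])
        Expired       = $expiry -lt [DateTimeOffset]::UtcNow
    }
}

# Challenge parameters as quoted in the post (truncated tail omitted).
$header = 'Bearer client_id="00000002-0000-0ff1-ce00-000000000000", ' +
          'trusted_issuers="00000001-0000-0000-c000-000000000000@*", error="invalid_token"'

# Constructed token: unsigned, placeholder tenant, claim shapes are assumptions.
$tenant  = '11111111-1111-1111-1111-111111111111'
$payload = '{"iss":"00000001-0000-0000-c000-000000000000@' + $tenant + '",' +
           '"aud":"00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@' + $tenant + '",' +
           '"exp":1893456000}'
$body    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload))
$body    = $body.TrimEnd('=').Replace('+', '-').Replace('/', '_')

Test-TokenAgainstChallenge -Token "e30.$body.sig" -Header $header | Format-List
```

The helper only reads claims; it does not verify the signature or the server-side trust configuration, so matching issuer and audience values narrow the search rather than prove the token is acceptable.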
 
  • MW-01102035-0 Profile Picture
    4 on at
    May we know how to ask Microsoft to enable ACS on our Exchange Online?
    Much appreciated if you can
  • Verified answer
    AP-19041205-0 Profile Picture
    51 on at
    In our case it's a recent tenant.
    ACS was here generating the tokens, but Exchange was not configured to support ACS.
    Microsoft has reconfigured the tenant for Exchange to support ACS.
    Regards
    Angelo
  • CU21051753-0 Profile Picture
    7 on at
    Did you ever get this working? I'm having the same issue when trying to set up sync with a new Office 365 tenant. It's working fine on older tenants.
  • Suggested answer
    Daivat Vartak (v-9davar) Profile Picture
    7,833 Super User 2025 Season 2 on at
    Hello AP-19041205-0,
     

    You've done excellent analysis in identifying that the token being generated is an ACS token, and you're correct that Exchange Online no longer supports ACS for this type of integration. This confirms the core issue we discussed earlier.

    Your understanding is accurate:

    • The script you used likely configures Dynamics 365 v9.1 to use ACS. This was the older method for server-to-server authentication.

    • Exchange Online now requires OAuth 2.0 tokens (EvoSTS). The WWW-Authenticate: Bearer header clearly indicates this.

    • The Hybrid Connector is a requirement for this type of integration, but it doesn't magically translate ACS tokens to OAuth 2.0. Its role is more about facilitating the connection and managing certain aspects of the hybrid environment.



    The Solution: Explicitly Configure Dynamics 365 v9.1 for OAuth 2.0 (Hybrid Modern Authentication)

    As highlighted in the previous response, you need to explicitly configure Dynamics 365 v9.1 to use Hybrid Modern Authentication (OAuth 2.0) for its connection to Exchange Online. The script you used seems to be setting up the older ACS-based authentication.

    Here's a recap of the necessary steps, emphasizing the changes needed from the ACS setup:

    1. Azure AD Application Registration (for OAuth): You need an Azure AD application registration specifically for the OAuth 2.0 connection. This is likely a different registration than the one you used for the certificate-based authentication for the Hybrid Connector itself.

      • Ensure the API permissions granted to this application include the necessary Microsoft Graph permissions for Mail and Calendar access (Mail.Send, Mail.ReadWrite, Calendars.ReadWrite, User.Read).

      • Grant admin consent for these permissions.


    2. Configure Dynamics 365 v9.1 Email Server Profile for OAuth: You need to use PowerShell commands to update the EmailServerProfile record to explicitly specify OAuth as the authentication type and provide the details of the OAuth Azure AD application you created in step 1.
      # Get the ID of your Exchange Online (Hybrid) Email Server Profile
      $emailServerProfile = Get-CrmRecord -conn $serverConfig -EntityName emailserverprofile -WhereAttribute "name" -WhereOperator Equal -WhereValue "Your Exchange Online (Hybrid) Profile Name"
      if ($emailServerProfile) {
          # Set the Authentication Type to OAuth (Value: 0)
          Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"authenticationtype" = 0}
          # Set the OAuth AppId (Client ID of the OAuth Azure AD Application)
          Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthclientid" = "YOUR_OAUTH_AZURE_AD_APP_CLIENT_ID"}
          # Set the OAuth Token Endpoint
          Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthtokenendpoint" = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token"}
          # Set the OAuth Authorization Endpoint
          Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthauthorizationendpoint" = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/authorize"}
          Write-Host "Email Server Profile updated for OAuth."
      } else {
          Write-Error "Email Server Profile 'Your Exchange Online (Hybrid) Profile Name' not found."
      }
       

      Crucially, ensure you are using the Client ID of the Azure AD application you registered specifically for OAuth in these commands, not the one used for the certificate.


    3. Verify Hybrid Modern Authentication in Exchange Online: Double-check that Hybrid Modern Authentication is enabled in your Exchange Online tenant using the PowerShell command:

      Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled

      It should be True.


    4. Restart CRM Services (Potentially): After making these configuration changes, you might need to restart the Dynamics 365 Asynchronous Processing Service and the CRMAppPool in IIS on your Dynamics 365 server for the changes to take effect.

       



    Why the Script Configured ACS:

    The script you used might be older or intended for a different scenario where ACS was still relevant, or it might be focused on the certificate-based authentication aspect of the Hybrid Connector itself, not the authentication against Exchange Web Services (EWS).

     

    The Role of the Hybrid Connector:

    The Dynamics 365 Hybrid Connector establishes a secure communication channel between your on-premises environment and Azure. It's a prerequisite for features like Server-Side Synchronization in a hybrid scenario. However, it doesn't dictate the authentication protocol used for specific services like Exchange Online. That's configured separately within Dynamics 365 (the EmailServerProfile).

     

    Blocked Situation and Supported Solution:

    You are absolutely right to be blocked, as ACS will not work with modern Exchange Online. The supported solution is to explicitly configure Dynamics 365 v9.1 to use OAuth 2.0 for its connection to Exchange Online, as outlined above.

    Actionable Steps:

    1. Create a new Azure AD Application Registration specifically for OAuth 2.0.

    2. Grant the necessary Microsoft Graph API permissions to this new application.

    3. Use the PowerShell commands provided to update your Dynamics 365 v9.1 Email Server Profile with the Client ID of this new OAuth application and set the AuthenticationType to 0 (OAuth).

    4. Verify Hybrid Modern Authentication is enabled in Exchange Online.

    5. Restart CRM services (if necessary).

    6. Test the connectivity again.



    By following these steps, you should be able to move away from the deprecated ACS authentication and establish a successful connection using modern OAuth 2.0. Good luck!

     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
