You've pinpointed the core of the problem: Dynamics 365 v9.1 on-premises is attempting to use an ACS token for authentication against Exchange Online, which now expects OAuth 2.0 tokens. The WWW-Authenticate: Bearer header in the EWS response clearly indicates that it's expecting a modern authentication (OAuth 2.0) bearer token, not the older ACS (Access Control Service) token.
Why is this happening and how to resolve it?
The documentation you followed might be outdated or not specific enough for the current authentication requirements of Exchange Online. Modern Authentication (OAuth 2.0) is the standard and recommended authentication method for connecting to Exchange Online, and ACS has been deprecated.
Here's a breakdown of why you're seeing this and the steps you need to take:
The Issue: Outdated Authentication Flow
Dynamics 365 v9.1 on-premises, by default, might be configured to use an older authentication flow that relies on ACS when integrating with Exchange Online. However, Exchange Online has moved towards modern authentication for enhanced security. This mismatch in expected token types is causing the 401 "invalid_token" error.
Solution: Configure Dynamics 365 v9.1 for Hybrid Modern Authentication with Exchange Online
You need to explicitly configure your Dynamics 365 v9.1 on-premises environment to use Hybrid Modern Authentication (OAuth 2.0) for its connection to Exchange Online. This involves several steps:
1. Ensure Prerequisites for Hybrid Modern Authentication are Met:
- Exchange Hybrid Configuration: You likely already have some form of Exchange Hybrid setup if you're trying to connect to Exchange Online. Ensure it's correctly configured and functioning.
- Azure AD Connect: Azure AD Connect must be configured and synchronizing your on-premises Active Directory with Azure AD.
- Exchange Online Configuration: Ensure Hybrid Modern Authentication is enabled in your Exchange Online tenant. You can check this using Exchange Online PowerShell:
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
It should return True. If not, you'll need to enable it.
- Network Connectivity: Ensure your Dynamics 365 on-premises server can communicate with the necessary Microsoft Online Services endpoints.
2. Register Dynamics 365 as an Application in Azure AD:
While you might have created an app registration for the certificate, you might need a separate registration specifically for the OAuth 2.0 connection.
- Go to the Azure Active Directory admin center.
- Navigate to App registrations.
- Click "New registration."
- Give your application a name (e.g., "Dynamics 365 On-Premise - Exchange Online").
- Select "Accounts in this organizational directory only (Single tenant)."
- For Redirect URI, you can temporarily enter a placeholder like
https://localhost. You might need to adjust this later depending on the specific authentication flow.
- Click "Register."
3. Configure API Permissions for the Dynamics 365 Azure AD Application:
You need to grant this application permissions to access Exchange Online.
- In your newly created Azure AD application, navigate to "API permissions."
- Click "Add a permission."
- Select "Microsoft Graph."
- Choose "Application permissions."
- Search for and select the following permissions (at a minimum):
Mail.Send
Mail.ReadWrite
Calendars.ReadWrite
User.Read (for user lookup)
- Click "Add permissions."
- Grant admin consent for your organization for these newly added permissions.
4. Configure Dynamics 365 v9.1 for OAuth:
This is the crucial step that tells Dynamics 365 to use modern authentication. You'll typically need to modify the configdb of your Dynamics 365 organization. This should be done with caution and ideally in a test environment first.
You'll need to use PowerShell commands to update the EmailServerProfile record to specify OAuth as the authentication type and provide the necessary Azure AD application details.
Here's a general outline of the commands (you'll need to adapt the specific values):
# Get the ID of your Exchange Online (Hybrid) Email Server Profile
$emailServerProfile = Get-CrmRecord -conn $serverConfig -EntityName emailserverprofile -WhereAttribute "name" -WhereOperator Equal -WhereValue "Your Exchange Online (Hybrid) Profile Name"
if ($emailServerProfile) {
# Set the Authentication Type to OAuth
Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"authenticationtype" = 0} # 0 for OAuth
# Set the OAuth AppId (Client ID of the Azure AD Application)
Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthclientid" = "YOUR_AZURE_AD_APP_CLIENT_ID"}
# Set the OAuth Secret (Client Secret of the Azure AD Application - if applicable, though often not needed for server-to-server)
# Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthsecret" = "YOUR_AZURE_AD_APP_CLIENT_SECRET"}
# Set the OAuth Token Endpoint
Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthtokenendpoint" = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/token"}
# Set the OAuth Authorization Endpoint
Set-CrmRecord -conn $serverConfig -EntityName emailserverprofile -Id $emailServerProfile.emailserverprofileid -AttributeList @{"oauthauthorizationendpoint" = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/authorize"}
Write-Host "Email Server Profile updated for OAuth."
} else {
Write-Error "Email Server Profile 'Your Exchange Online (Hybrid) Profile Name' not found."
}
Replace the placeholder values with your actual information:
Your Exchange Online (Hybrid) Profile Name: The exact name of your Email Server Profile in Dynamics 365.
YOUR_AZURE_AD_APP_CLIENT_ID: The Application (client) ID of the Azure AD application you registered in step 2.
YOUR_TENANT_ID: Your Microsoft 365 tenant ID (the Directory ID in Azure AD).
Important Considerations for v9.1:
- Update Rollups: Ensure your Dynamics 365 v9.1 on-premises environment has the latest applicable update rollups installed. Support for Hybrid Modern Authentication might have been introduced in a specific update. Check the Dynamics 365 v9.1 release notes for information on OAuth support for Exchange Online integration.
- Hybrid Connector: The Dynamics 365 Hybrid Connector might play a role in facilitating this connection. Ensure it's correctly configured and running. Review its logs for any errors.
- Certificate for S2S: The certificate you configured for S2S might still be necessary for other aspects of the hybrid connection, but the authentication against EWS will now rely on OAuth.
- Testing: After making these changes, thoroughly test the connection and email sending/receiving from within Dynamics 365.
Troubleshooting After Configuration:
- Review Event Logs: Check the Event Viewer on your Dynamics 365 server for any errors related to email connectivity or authentication.
- Trace CRM Logs: Enable tracing in Dynamics 365 to get more detailed logs of the connection attempts and any errors.
- Azure AD Sign-in Logs: Monitor the sign-in logs for the Azure AD application you created to see if the authentication attempts are successful and if there are any errors reported there.
In summary, the 401 "invalid_token" error indicates that Exchange Online is expecting a modern authentication token, while Dynamics 365 v9.1 is likely trying to use an older ACS token by default. You need to configure Dynamics 365 v9.1 to use Hybrid Modern Authentication (OAuth 2.0) by registering an application in Azure AD, granting it the necessary permissions, and updating the Email Server Profile in Dynamics 365 with the Azure AD application details and setting the authentication type to OAuth.
Start by researching the specific steps and prerequisites for enabling Hybrid Modern Authentication for Exchange Online with Dynamics 365 v9.1 on-premises. The generic steps above should guide you, but consult the relevant Microsoft documentation for v9.1 for the most accurate and detailed instructions.
