Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

(6) Share

Report

Posted on by AP-19041205-0

We are to integrate Dynamics 365 V9.1 on premise with exchange online.

The procedure described by Microsoft page is followed step by step

- The Dynamics 365 hybrid connector is installed

- The app required to register the certificate is created on the tenant

- A valid certificate required for the S2S setup is installed in the CRM and deployed with the script provided on Github, the scrip is executed with success and the certificate deployment is checked

- The email server profile (Exchange online hybrid) is created.

The issue start with the connectivity test. CRM request an ACS token presented to EWS and the return is an error 401 because EWS doesn't expect this token issued by ACS.

EWS receive a request but the token presented is not accepted:

WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="invalid_token"

The procedure for the setup is follow step by step. We are blocked.

Does someone meet the same issue in the forum, all the good idea are welcome.

We went in detail on the analysed tracing the traffic for the connection. The conclusion is ACS is not supported, or perhaps supported if some condition are met.

Categories:

Dynamics 365 general

I have the same question (0)

All responses (11)

Answers (1)

CU21051753-0 7 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

This is the reply I got from support. I've sent them my tenant ID, so hopefully when they whitelist it, it will work.

The reason for contacting you is that I understand that you are experiencing an issue with the Microsoft Dynamics 365 Hybrid Connector, which is no longer deployed correctly to Office 365 tenants. I hope my understanding of the reported issue is correct.

For better focus on this support request, I will suggest scoping it, and when I have provided you with a solution or workaround for the reported issue described within the issue definition section provided, we can consider this ticket as resolved.

Here to confirm that I have received your case. We would like to inform you that the issue you are experiencing is a known one, and several other customers have reported similar behavior. Our Product Group is actively investigating the root cause to implement a long-term solution.

To assist you further and expedite the resolution, we kindly request the Tenant ID of the affected one. This will allow our Product Group to whitelist your tenant and help unblock the issue on your side.

Please rest assured that we are treating this matter with high priority and will keep you updated as we progress.

1 people found this reply helpful.

Was this reply helpful? Yes No
AP-19041205-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Hello Craig, I am saying ACS was active and when Dynamics 365 on prem contacted ACS we received the token.

But the token was rejected by exchange online, because ACS was not configured with exchange online.

Microsoft configured the tenant to allow ACS to work with exchange online.

As you say there is the official communication provided on internet and there is the reality about the end of life of ACS.

It depends on where each of us we are in the movement to the cloud, Microsoft knows that and configured the tenant.

As I said we are in a case by case discussion with Microsoft.

Regards

Angelo

1 people found this reply helpful.

Was this reply helpful? Yes No
CW-11121959-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Hi Angelo,

Are you saying that after ACS was enabled in Exchange online the email integration started to work and that Microsoft had to enable it?

According to MS Azure ACS will be fully retired as of April 2nd, 2026. (Azure ACS retirement in Microsoft 365 | Microsoft Learn)

Thanks,

Craig

Was this reply helpful? Yes No
Verified answer

AP-19041205-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Hi Craig, for us the issue is fixed.

In fact ACS in the tenant was responding to the request generated by the CRM.

Just exchange was not accepting it.

In fact discussing with Microsoft the Dynamics 365 Hybrid connector was reconfigured to allow exchange to accept ACS token.

This traffic is monitored.

The script provided was used to deploy the S2S certificate on the tenant.

Microsoft for the new tenant don't activate ACS but for existing tenant configured to work in the past with the integration provided to

support connection coming from Dynamics 365 On prem ACS is here but deactivated for the integration with exchange online.

It will depend of the relationship you have with Microsoft and the importance of the pain created by this situation for your business.

Regards

Angelo

1 people found this reply helpful.

Was this reply helpful? Yes No
CW-11121959-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Any good news on this Angelo?

I am in the same boat. ACS is disabled on Exchange Online so the MS documentation and scripts are useless.

I can't find any reliable documentation on using OAuth 2.0 with client/secret.

Thanks again,

Craig

Was this reply helpful? Yes No
CU21051753-0 7 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

I'm having the same issue on a new Office 365 tenant, but it works fine on an old one.

The only difference I can see is that the old one has a Microsoft system app in Entra called 'CRMHybridConnector', but the new one doesn't (the hybrid connector has been 'purchased').

I've opened a support ticket too.

Was this reply helpful? Yes No
AP-19041205-0 51 on at

Like (1)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Hello Craig,

No response for the moment. We are waiting a feedback from Microsoft.

The documentation online is referencing ACS in the setup. But ACS is not supported for EWS.

The release note related to the cumulative update say nothing on this subject.

The documentation reference also a specific URL to use for US and it's also related to ACS.

The cloud integration is using EWS with Dynamics 365 on premise.

A recent communication from Microsoft says for non-Microsoft app , EWS requests will be blocked from October 2026.

Retirement of Exchange Web Services in Exchange Online | Microsoft Community Hub

I asked to clarify what Microsoft call non-Microsoft app. Is Dynamics 365 on prem considered as supported or not?

Angelo

Was this reply helpful? Yes No
CW-11121959-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Hello Angelo,

Have you been able to connect your on-premise dynamics to exchange online? I am being asked to do the same but after reading the documentation I am still unclear on how to proceed.

Thanks,
Craig

Was this reply helpful? Yes No
AP-19041205-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

As you mention , the script was generated , assisted by AI.

I can't trust this script for several reason , the member referenced in the script don't exist in the emailserverprofile.

you can verify this in the Microsoft page describing the entity fields

emailserverprofile EntityType (Microsoft.Dynamics.CRM) | Microsoft Learn

The version we are using is V9.1 with the rollup update 9.1.17.29

Looking all the release note coming after this version, there is no information in relation with the modern authorization supported by CRM to work with exchange online.

I checked all the version coming after 9.1.17.29, there is nothing in the release note about the modern authorization with exchange support for CRM.

Only the version 9.1.36.12 as a specific point for Sharepoint online integration :

Create an Azure application for Dynamics 365 Customer Engagement (on-premises) with SharePoint permissions | Microsoft Learn

And as I said previously , we have no official page provided on Microsoft page presenting how Dynamics 365 V9.1 on prem can be integrated with exchange online.

Regards

Angelo

Was this reply helpful? Yes No
AP-19041205-0 51 on at

Like (0)

Report

Dynamics 365 V9.1 on premise integration with exchange online error 401 bad token

Thanks a lot Daivat Vartak for your detailed response

The script I am referencing is provided by Microsoft on this page:

Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises) | Microsoft Learn

If you look this page you will see a reference to a script on Github adapted, to deploy the S2S certificate on the tenant.

My question what becomes the S2S authentication. If you look the script the certificate is associate to the global identifier corresponding to dataverse.

Does this part remain in the process to allow Dynamics 365 on prem to be recognized by exchange or this process completly fall with the Modern authentication approach you propose.

More crazy, it's now several time ACS is replaced, but how the official page are continuing to reference this process.

What become the S2S certificate in this new approach, the same S2S beeing also used by exchange on prem we use today and we would do the same in the next step, using exchange online.

The question that remain is the S2S certificate in the approach you propose and worst why in the official page, we have nothing presenting this new process.

You will observe the scripts on Github was updated recently, and nobody think if they remain applicable.

Your point of view about how remain the S2S authentication in this new process will be very nice to know.

Regards

Angelo

Was this reply helpful? Yes No