How to configure Hybrid mode on Exchange 2016 so that the OAuth2 client credentials flow works with the Microsoft Graph API

Problem description:

I configured Hybrid mode on a customer's Exchange 2016. Now users' mailboxes are exposed on the Microsoft Graph API using the individual consent flow (authorization code OAuth2 flow).

Getting an admin consent with a client credentials flow seems to work: a token is retrieved on the Microsoft endpoint, the payload is correct (right scopes), but it triggers an "unknown error" when using it to get a mailbox content through the Microsoft Graph API. The same token does work to get directory information (meaning the token is valid at some point).

Is Hybrid mode compatible with the Client Credentials flow? Are there any parameters to configure in Exchange to enable this flow?

I stumbled upon the same issue some time ago. Just let it slide, as I thought it was some wrong configuration on the Exchange side.

If you inspect both tokens you'll see that the sid is missing on the Client Credentials token. I think Exchange needs some sort of on-premise user id inside the token to work. I'm not sure if this flow is supported since I cannot find anything about this topic on their documentation websites.

I just found a totally related question, check out https://*.com/a/56108226/639153 for a complete answer.
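The answer above rests on comparing the claims of the delegated (authorization code) token with those of the client credentials token and noticing that sid is absent from the latter. The PowerShell below is an added example, not code from the original thread: it decodes the payload segment of any JWT (base64url, no signature verification, so it is only for inspecting claims, never for trusting them) and reports which claim names appear in one token but not the other. The two sample tokens are constructed inline with unsigned payloads so the script runs offline; in practice you would paste the two real access tokens in their place.

```powershell
# Decode the payload (second segment) of a JWT into a PSObject.
# Signature is NOT checked: this is a claim viewer, not a validator.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # base64url -> base64: swap the URL-safe alphabet and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Report claim names present in only one of the two tokens.
function Compare-JwtClaims {
    param(
        [Parameter(Mandatory)][string]$DelegatedToken,
        [Parameter(Mandatory)][string]$AppOnlyToken
    )
    $aNames = (ConvertFrom-JwtPayload $DelegatedToken).PSObject.Properties.Name
    $bNames = (ConvertFrom-JwtPayload $AppOnlyToken).PSObject.Properties.Name
    [pscustomobject]@{
        OnlyInDelegated = @($aNames | Where-Object { $_ -notin $bNames })
        OnlyInAppOnly   = @($bNames | Where-Object { $_ -notin $aNames })
        Common          = @($aNames | Where-Object { $_ -in $bNames })
    }
}

# Constructed test helper: builds an UNSIGNED JWT (alg=none) from a hashtable
# of claims so the comparison can be exercised without a real tenant.
function New-UnsignedTestJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $encode = {
        param($obj)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $encode @{ alg = 'none'; typ = 'JWT' }
    $payload = & $encode $Claims
    return "$header.$payload."   # empty signature segment
}

# Constructed sample claim sets (values are placeholders, not real identifiers).
$delegated = New-UnsignedTestJwt @{
    aud = 'https://graph.microsoft.com'; tid = '<tenant-id>'
    upn = 'user@example.com'; sid = 'S-1-5-21-<placeholder>'
    scp = 'Mail.Read User.Read'
}
$appOnly = New-UnsignedTestJwt @{
    aud = 'https://graph.microsoft.com'; tid = '<tenant-id>'
    roles = @('Mail.Read')
}

# Expected: 'sid', 'upn' and 'scp' show up only in the delegated token,
# 'roles' only in the app-only token.
Compare-JwtClaims -DelegatedToken $delegated -AppOnlyToken $appOnly | Format-List
```

Running the same comparison against the two real tokens from the question makes the difference the answer describes visible in one line: the claims that identify an on-premises user (sid, upn) are simply not issued in an app-only token, because there is no user in that flow.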

The issue is actually somewhere else - Exchange doesn't seem to support the client_credentials flow. You can, however, force it via the following PowerShell (make sure to restart your IIS after applying):

# Run in the Exchange Management Shell on the on-premises server
$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
# Copy the delegated (act-as) permission set onto the app-only permission set
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions
# Restart IIS so the new partner application settings are loaded
iisreset

The full explanation can be found here: