Exchange 2016/Hybrid Environment and MS Graph


I am trying to query events off of the Microsoft Graph API in a test Exchange 2016 hybrid environment. It appears that the user needs to have an O365 subscription for it to return events for the user; otherwise, when I query events, I get:

/users/{user}/calendarView/delta

REST API is not yet supported for this mailbox.

or..

/users/{user}/events

Resource could not be discovered.

I have a couple of clarifications. I would like clarification that the expected behavior is that I can query Microsoft Graph to hit an on-prem Exchange in a hybrid environment where the mailbox is only on-prem, and it should query the events from the system.

If the above is true, I will assume that we have our environment misconfigured, and I would greatly appreciate any potential suggestions to resolve the issue.

Also, I'm running with the 'Get access without a user' flow as defined here: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

EDIT

I did discover that when executing

Get-MsolServicePrincipal | where {$_.AppPrincipalId -eq '00000002-0000-0ff1-ce00-000000000000'} | fl DisplayName,ServicePrincipalNames

I get:

DisplayName           : Office 365 Exchange Online
ServicePrincipalNames : {https://manage.protection.apps.mil,
    https://ps.compliance.protection.outlook.com,
    https://autodiscover-s.office365.us/,
    https://outlook.office365.us/...}

It seems like it's missing the endpoints for the on-prem server, which I thought was supposed to be taken care of when you run the hybrid setup. I've run that thing like 15 times now.

Simon Li

It depends on the kind of apps you are developing.

If you want to develop native and mobile apps or some web apps, you can use the OAuth 2.0 'authorization code' grant flow to get a token.

If it is a daemon application or a background service that runs on a server, the app calls Microsoft Graph with its own identity and not on behalf of a user; it uses the OAuth 2.0 'client credentials' grant flow to authenticate with Azure AD and get a token.

Reference: 'Get access without a user'

https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

Tips:

  1. To configure application permissions for your app in the Microsoft App Registration Portal: under Microsoft Graph, choose Add next to Application Permissions and then select the permissions your app requires in the Select Permissions dialog.
  2. Get administrator consent:
     a. You can rely on an administrator to grant the permissions your app needs at the Azure portal; however, often a better option is to provide a sign-up experience for administrators by using the Azure AD v2.0 /adminconsent endpoint.
     b. Request like this:

// Line breaks are for legibility only.

GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
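The client-credentials token request and the /adminconsent URL from the answer above, plus a check for the two Graph error messages quoted in the question, as an added Python example that is not part of the original answer. The tenant, client id and secret are placeholders, and treating those two messages as "mailbox not hosted in Exchange Online" is an assumption drawn from the question, not documented Graph behaviour.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Build the v2.0 /adminconsent URL from the answer, with the query string URL-encoded."""
    query = urllib.parse.urlencode(
        {"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"{AUTHORITY}/{tenant}/adminconsent?{query}"


def client_credentials_body(client_id, client_secret):
    """Form body for the 'Get access without a user' (client credentials) token request."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })


def get_app_token(tenant, client_id, client_secret):
    """POST to the v2.0 token endpoint and return the app-only bearer token (needs network)."""
    req = urllib.request.Request(
        f"{AUTHORITY}/{tenant}/oauth2/v2.0/token",
        data=client_credentials_body(client_id, client_secret).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


# Messages quoted in the question; mapping them to "mailbox still on-prem" is our assumption.
ONPREM_HINTS = ("REST API is not yet supported for this mailbox",
                "Resource could not be discovered")


def classify_graph_error(body):
    """None on success, 'mailbox-not-in-exo' for the on-prem symptoms, 'other' for any other error."""
    err = body.get("error")
    if not err:
        return None
    msg = err.get("message", "") if isinstance(err, dict) else str(err)
    return "mailbox-not-in-exo" if any(h in msg for h in ONPREM_HINTS) else "other"


def fetch_user_events(token, user):
    """GET /users/{user}/events and return the JSON body, error bodies included (needs network)."""
    req = urllib.request.Request(f"{GRAPH}/users/{urllib.parse.quote(user)}/events",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        return json.load(e)
```

Run `classify_graph_error(fetch_user_events(token, "user@contoso.example"))` after `get_app_token` to tell an on-prem mailbox symptom apart from a permission or token problem.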