{"id":16152,"date":"2023-03-29T03:45:29","date_gmt":"2023-03-29T03:45:29","guid":{"rendered":"https:\/\/www.insentragroup.com\/us\/insights\/uncategorized\/exchange-hybrid-part-2-oauth-and-ioc-learn-about-oauth-iocs-and-s2s-oauth-2-0-flow-chart\/"},"modified":"2024-09-20T03:34:57","modified_gmt":"2024-09-20T03:34:57","slug":"exchange-hybrid-part-2-oauth-and-ioc-learn-about-oauth-iocs-and-s2s-oauth-2-0-flow-chart","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/exchange-hybrid-part-2-oauth-and-ioc-learn-about-oauth-iocs-and-s2s-oauth-2-0-flow-chart\/","title":{"rendered":"Exchange Hybrid Part 2: OAuth and IOC &#8211; Learn about OAuth, IOCs, and S2S OAuth 2.0 flow chart"},"content":{"rendered":"\n<p>In <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/a-hybrid-discussion-part-1-comparing-hybrid-dauth-and-hybrid-oauth\/\" target=\"_blank\" rel=\"noreferrer noopener\">part one<\/a> of this series covering Exchange Hybrid, we went over DAuth and OAuth and briefly described why Microsoft switched their Exchange Hybrid configuration to OAuth for Exchange delegation.\u00a0<\/p>\n\n\n\n<p>In part two of this series, we will take a look at how OAuth is used when establishing an Exchange Hybrid configuration (which federates your Exchange on-premises organization with Exchange Online) and review the IntraOrganization Connector (IOC).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IntraOrganization Connector (IOC)<\/h2>\n\n\n\n<p>With the newer hybrid configuration, Microsoft creates one connector that points to Exchange Online and one connector that points to Exchange on-premises. These are called IntraOrganization Connectors (or you can simply refer to them as intraorg connectors or IOCs). These IOCs tell each side how to communicate with the other side. 
Basically, they are pointers for the hybrid configuration.&nbsp;<\/p>\n\n\n\n<p>If you connect to your Exchange on-premises management shell and type Get-IntraOrganizationConnector, you\u2019ll see a number of parameters, including the following:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TargetAddressDomains \u2013 this will point to the &lt;companyname&gt;.mail.onmicrosoft.com domain&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DiscoveryEndPoint \u2013 this will point to the Autodiscover servers for Exchange Online&nbsp;<\/li>\n\n\n\n<li>Enabled \u2013 Should be set to \u2018True\u2019 if the OAuth configuration was successful. If set to \u2018False\u2019, then that means your OAuth configuration probably failed during the HCW and it is not falling back to the legacy DAuth for the connection requests&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">S2S OAuth 2.0<\/h2>\n\n\n\n<p>The name that Microsoft has given its OAuth integration is S2S OAuth 2.0. S2S stands for server-to-server authentication. Now, if you are really interested in a deep dive into this protocol, then you are in luck: here is an in-depth link that will gratify all of your OAuth 2.0 desires!&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/exchange_server_protocols\/ms-xoauth\/0b717658-4ceb-4401-9da9-7860c9ca2f2f\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/learn.microsoft.com\/en-us\/openspecs\/exchange_server_protocols\/ms-xoauth\/0b717658-4ceb-4401-9da9-7860c9ca2f2f<\/a><\/p>\n\n\n\n<p>All joking aside, I just want us to focus on how these connections and requests are made. 
Microsoft has the following flow chart diagrammed (full steps are detailed in this <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/deep-dive-how-hybrid-authentication-really-works\/ba-p\/606780\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">link<\/a>) which details how a free\/busy request is made from on-premises to Exchange Online:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"929\" height=\"509\" src=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-35.png\" alt=\"\" class=\"wp-image-16153\" srcset=\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-35.png 929w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-35-300x164.png 300w, https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/03\/image-35-768x421.png 768w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><\/figure>\n\n\n\n<p>There are a lot of steps to get the free\/busy response back, but those steps are completed within an instant. Mary wants to see Joe\u2019s calendar, so in the background, the Exchange server receiving the request looks up the target info and finds, via Autodiscover, that Joe\u2019s mailbox is in Exchange Online. OAuth tokens are generated (two, as you\u2019ll note) to verify the requesting side and responding side. Once verified (via the Azure Auth Service), the free\/busy response for Joe\u2019s mailbox is sent back to the Exchange on-premises server and into Mary\u2019s mailbox. 
Mary can now see if Joe is free or busy when scheduling a meeting.&nbsp;<\/p>\n\n\n\n<p>The same steps apply for requests coming from Exchange Online to Exchange on-premises.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Up Next<\/h2>\n\n\n\n<p>Up <a href=\"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/modern-workplace\/exchange-hybrid-conclusion-and-wrap-up-a-hybrid-discussion-part-3\/\" target=\"_blank\" rel=\"noreferrer noopener\">next<\/a> in the final part of this series, discover more features of Exchange Online federation. <a href=\"https:\/\/www.insentragroup.com\/us\/contact\/\" target=\"_blank\" rel=\"noreferrer noopener\">Contact Insentra<\/a> for expert guidance on planning and implementing your Exchange hybrid deployment, including IOC, OAuth 2.0, and more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn about how OAuth is used for Exchange Hybrid configuration and IntraOrganization Connectors (IOCs) in Part 2 of this series. Get a detailed flow chart of S2S OAuth 2.0 and how requests are made between on-premises and Exchange Online. 
<\/p>\n","protected":false},"author":71,"featured_media":16155,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-16152","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/users\/71"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/comments?post=16152"}],"version-history":[{"count":2,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16152\/revisions"}],"predecessor-version":[{"id":16157,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/posts\/16152\/revisions\/16157"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media\/16155"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/media?parent=16152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/categories?post=16152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/us\/wp-json\/wp\/v2\/tags?post=16152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}