
Testing Outlook Mobile Hybrid Modern Authentication (HMA) failed

Huig Guijt 0 Reputation points
2026-02-17T20:38:12.7433333+00:00

Running Microsoft Remote Connectivity Analyzer ends with this error message:

Analyzing the Bearer token response from the on-premises Exchange ActiveSync (EAS) service.

Analyzing the Bearer token response from the on-premises Exchange ActiveSync (EAS) service failed.

Additional Details

The Bearer response header did not contain the expected authorization URL value login..../common/ oauth2 / authorize

I have successfully run the HCW recently and Test-OAuthConnectivity works just fine.

Exchange | Hybrid management

2 answers

  1. Jade-T 10,785 Reputation points Microsoft External Staff Moderator
    2026-02-17T23:50:00.2266667+00:00

    Hi @Huig Guijt

    Thank you for posting your question in the Q&A Forum. 

    While the Remote Connectivity Analyzer can be strict with header validation, the specific error about the missing authorization URL generally indicates that the ActiveSync virtual directory is not correctly advertising OAuth.

    This can occur even when the Hybrid Configuration Wizard and Test-OAuthConnectivity both succeed. Those tests confirm the OAuth trust, but Hybrid Modern Authentication for Outlook Mobile also requires the ActiveSync (EAS) virtual directory to broadcast OAuth support.

    Please verify the following on your Exchange server (run in an elevated Exchange Management Shell):

    Get-ActiveSyncVirtualDirectory | FL Identity, ExternalURL, InternalAuthenticationMethods, ExternalAuthenticationMethods
    

    If OAuth is not listed in either InternalAuthenticationMethods or ExternalAuthenticationMethods, HMA will not initiate correctly for Outlook Mobile even if the hybrid trust is fully established.

    You can enable OAuth for both methods with:

    Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalAuthenticationMethods Basic,OAuth `
        -ExternalAuthenticationMethods Basic,OAuth
    iisreset
    

    Note: Replace ServerName with your actual server’s name. This RCA error is commonly seen when OAuth is enabled at the organization level but not on the EAS virtual directory.

    For deeper validation, you may also use Microsoft’s Test‑HMAEAS script, which provides more precise insight into how the Bearer challenge is returned: https://microsoft.github.io/CSS-Exchange/Hybrid/Test-HMAEAS/

    Feel free to update the thread with the result of the OAuthAuthentication check.




  2. Q&A Assist
    2026-02-17T20:38:25.59+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error you are encountering with the Bearer token response from the on-premises Exchange ActiveSync (EAS) service indicates that the expected authorization URL value is missing. This could be due to several reasons related to the configuration of your on-premises environment.

    Here are some troubleshooting steps you can take:

    1. Check AutoDiscover and ActiveSync Configuration: Ensure that your AutoDiscover and ActiveSync endpoints are correctly configured. If the AutoDiscover endpoint can't be reached, there may be firewall or load balancer issues.
    2. Verify the ActiveSync Endpoint: Make sure that the ActiveSync endpoint is returning the correct authorization URL. You can check this by executing the appropriate scripts to validate the Hybrid Modern Authentication setup.
    3. EvoSTS Configuration: Verify that the EvoSTS authentication server is configured correctly as the default endpoint. You can check this using the Exchange Management Shell command: Get-AuthServer EvoSts | Format-List IsDefaultAuthorizationEndpoint.
    4. SSL/TLS Offloading: If SSL/TLS offloading is in place, it may cause issues with the Bearer token due to mismatched protocol values. Ensure that SSL/TLS offloading is not interfering with the OAuth flows.
    5. Refresh Auth Metadata: If the EvoSTS certificate metadata is out of date, you can refresh it manually using the command: Set-AuthServer EvoSts -RefreshAuthMetadata.

    Since you mentioned that Test-OAuthConnectivity works fine, it suggests that the basic OAuth configuration is correct, but there may be specific issues with the ActiveSync setup or the Bearer token response.

    Following these steps should help you identify and resolve the issue with the Bearer token response.

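The Bearer-challenge check that the error message and both answers refer to, as an added example that is not part of the original thread or of Microsoft's Test-HMAEAS script: it parses the WWW-Authenticate value(s) of the EAS 401 response and reports whether a Bearer challenge with an `authorization_uri` ending in `/common/oauth2/authorize` is present. The helper name `Test-EasBearerChallenge`, the host `login.example.test` and the GUIDs are constructed placeholders.

```powershell
# Added example: Test-EasBearerChallenge is a hypothetical helper, not part of
# Exchange or CSS-Exchange. It only parses header text that is handed to it.
function Test-EasBearerChallenge {
    param(
        [string[]]$WwwAuthenticate,                         # WWW-Authenticate value(s) from the EAS 401
        [string]$ExpectedPath = '/common/oauth2/authorize'  # path quoted in the RCA error
    )
    # Some clients fold several challenges into one comma-separated value, so join
    # everything and look for a Bearer scheme at the start or right after a comma.
    $all = ($WwwAuthenticate | Where-Object { $_ }) -join ', '
    $bearer = [regex]::Match($all, '(?:^|,)\s*Bearer\b(.*)$', 'IgnoreCase')
    if (-not $bearer.Success) {
        # Only Basic, Negotiate, etc.: the virtual directory is not advertising OAuth.
        return [pscustomobject]@{ Result = 'NoBearerChallenge'; AuthorizationUri = $null }
    }
    # Collect the key="value" parameters that follow the Bearer scheme.
    $params = @{}
    foreach ($m in [regex]::Matches($bearer.Groups[1].Value, '(\w+)\s*=\s*"([^"]*)"')) {
        $params[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $uri = $params['authorization_uri']
    if (-not $uri) {
        return [pscustomobject]@{ Result = 'MissingAuthorizationUri'; AuthorizationUri = $null }
    }
    # Require an absolute https URL whose path is the expected authorize endpoint.
    $parsed = $null
    $ok = [uri]::TryCreate($uri, [System.UriKind]::Absolute, [ref]$parsed) -and
          $parsed.Scheme -eq 'https' -and
          $parsed.AbsolutePath.TrimEnd('/') -eq $ExpectedPath
    $result = if ($ok) { 'Ok' } else { 'UnexpectedAuthorizationUri' }
    [pscustomobject]@{ Result = $result; AuthorizationUri = $uri }
}

# Constructed sample headers: placeholder host and GUIDs, not captured from a server.
$samples = [ordered]@{
    'OAuth advertised' = 'Bearer client_id="00000000-0000-0000-0000-000000000000", ' +
                         'authorization_uri="https://login.example.test/common/oauth2/authorize"'
    'Basic only'       = 'Basic realm="mail.example.test"'
    'Folded, no URI'   = 'Basic realm="mail.example.test", Bearer client_id="00000000-0000-0000-0000-000000000000"'
    'Wrong path'       = 'Bearer authorization_uri="https://login.example.test/authorize"'
}
foreach ($case in $samples.GetEnumerator()) {
    $r = Test-EasBearerChallenge -WwwAuthenticate $case.Value
    [pscustomobject]@{ Case = $case.Key; Result = $r.Result; AuthorizationUri = $r.AuthorizationUri }
}
```

A `NoBearerChallenge` result is the case the first answer describes, where the ActiveSync virtual directory does not list OAuth among its authentication methods.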
