How to achieve Hybrid Authentication using Microsoft Graph API

Disha Hegde 1 Reputation point
2022-09-06T12:02:35.867+00:00

I have an app which supports Basic Authentication using Exchange Web Services and also supports Modern Authentication for Exchange Online using Microsoft Graph APIs.

Now I have a requirement to support Hybrid Authentication in the same application.

So, is Hybrid Authentication supported via Microsoft Graph? And will the access token and REST endpoints flow be the same for Hybrid and Modern auth using Microsoft Graph?

If yes, how will I get the REST endpoints which need to be accessed to get the access token and other user data like events in Hybrid authentication?

Also, I went through the following documentation and found that REST API support is deprecated:

https://learn.microsoft.com/en-us/graph/hybrid-rest-support

In this case, how do I achieve hybrid authentication in the same application?

Microsoft Graph

1 answer

  1. Glen Scales 4,436 Reputation points
    2022-09-07T00:06:46.44+00:00

    If you have OnPrem mailboxes in a hybrid Exchange Org then you need to use EWS to access those OnPrem mailboxes, as you have already found with the Graph support https://learn.microsoft.com/en-us/graph/hybrid-rest-support; the Outlook REST endpoints have also been deprecated https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/use-outlook-rest-api

    Hybrid Modern Authentication will work in EWS as long as it's been configured https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide

    In EWS, to use Hybrid Modern Authentication you just request a token from Azure with the audience of your OnPrem EWS endpoint. If you're using the client credentials flow in the Graph you can also use that in EWS using a scope like https://localews.endpoint.com/.default, or if it's a delegate flow, https://localews.endpoint.com/EWS.AccessAsUser.All. You do need to make sure the permissions are added and consented to in your application registration like https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

    If you just want to check if Hybrid Modern Authentication is enabled on the local EWS endpoint you can do a blank bearer request on the EWS endpoint, e.g.

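            using System;
            using System.Net.Http;
            using System.Net.Http.Headers;

            // Sends a request with an empty bearer token and prints each
            // WWW-Authenticate challenge the EWS endpoint returns.
            public void CheckForHybridModernAuthenticationv2(string ewsUrl)
            {
                using (HttpClient client = new HttpClient())
                {
                    // Empty parameter: the header goes out as "Authorization: Bearer".
                    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "");
                    // Synchronous wait on the async call; dispose the response when done.
                    using (var authTestResult = client.GetAsync(ewsUrl).GetAwaiter().GetResult())
                    {
                        foreach (var wwwAuthHeader in authTestResult.Headers.WwwAuthenticate)
                        {
                            Console.WriteLine(wwwAuthHeader.Scheme);    // e.g. Bearer
                            Console.WriteLine(wwwAuthHeader.Parameter); // text after the scheme
                        }
                    }
                }
            }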
    

    What you should get back in the wwwAuthHeader is something like

    [Image: 238366-image.png]

    Both the authorization_uri and trusted issuer are telling you that it's ready to go with Hybrid Modern Auth.
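
The check described in the answer, as an added example that is not part of the original answer or of any Microsoft sample: it parses the `Parameter` string of a Bearer challenge and reports whether both values the answer points at are present. The names `HmaChallenge`, `Parse` and `LooksReady` are hypothetical, the parameter name `trusted_issuers` is an assumption based on the answer's "trusted issuer", and the sample header values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class HmaChallenge
{
    // Matches key="quoted value" or key=token; commas inside quotes stay in the value.
    private static readonly Regex Pair =
        new Regex("([A-Za-z0-9_-]+)\\s*=\\s*(?:\"([^\"]*)\"|([^,\\s]+))");

    // Splits the text after "Bearer " into its auth-params (case-insensitive keys).
    public static Dictionary<string, string> Parse(string parameter)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Pair.Matches(parameter ?? string.Empty))
            result[m.Groups[1].Value] = m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value;
        return result;
    }

    // True only when the challenge names an HTTPS authorization endpoint and
    // at least one trusted issuer (parameter name assumed, see lead-in).
    public static bool LooksReady(IDictionary<string, string> p)
    {
        return p.TryGetValue("authorization_uri", out var uri)
            && Uri.TryCreate(uri, UriKind.Absolute, out var parsed)
            && parsed.Scheme == Uri.UriSchemeHttps
            && p.TryGetValue("trusted_issuers", out var issuers)
            && issuers.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Length > 0;
    }

    public static void Main()
    {
        // Constructed samples, not captured from a real server.
        string hma = "client_id=\"00000000-0000-0000-0000-000000000000\", "
                   + "trusted_issuers=\"issuer-a@example-tenant,issuer-b@example-tenant\", "
                   + "authorization_uri=\"https://login.example.test/common/oauth2/authorize\"";
        string legacy = "realm=\"mail.example.test\"";

        foreach (var sample in new[] { hma, legacy })
        {
            var p = Parse(sample);
            Console.WriteLine("ready={0} params={1}", LooksReady(p), string.Join(",", p.Keys));
        }
    }
}
```

The challenge is returned before any authentication takes place, so the result is a configuration hint for diagnostics, not proof that the endpoint will accept a token.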
