我在客户的 Exchange 2016 上配置了混合模式.现在用户的邮箱使用个人同意流(授权代码 Oauth2 流)在 Microsoft Graph API 上公开.

通过客户端凭据流程获得管理员同意似乎有效:在 Microsoft 端点上检索到令牌，有效负载是正确的(正确的范围)，但在使用它获取邮箱内容时会触发未知错误"通过 Microsoft Graph API.相同的令牌确实可以获取目录信息(意味着令牌在某些时候有效).

混合模式是否与客户端凭据流兼容?是否需要在 Exchange 中配置任何参数来启用此流程?

前段时间我偶然发现了同样的问题.让它滑动，因为我认为这是 Exchange 端的一些错误配置.

如果您检查两个令牌，您会发现客户端凭据令牌上缺少 sid，我认为交换需要令牌内的某种本地用户 ID 才能工作.我不确定是否支持此流程，因为我在他们的文档网站上找不到有关此主题的任何内容.

我刚刚发现了一个完全相关的问题，请查看 https://stackoverflow.com/a/56108226/639153以获得完整的答案.

问题实际上出在其他地方 - Exchange 似乎不支持 client_credentials 流.但是，您可以通过以下 PowerShell 强制执行此操作(确保在应用后重新启动 IIS):

$apps = Get-PartnerApplication# Microsoft Graph 是数组中的第二个项目，如果不确定，请先调用 $apps 列出项目$apps[1] |Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions

完整的解释可以在这里找到:https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/

I configured Hybrid mode on a customer's Exchange 2016. Now users' mailboxes are exposed on the Microsoft Graph API using the individual consent flow (authorization code Oauth2 flow).

Getting an admin consent with a client credentials flow seems to work : a token is retreived on the Microsoft endpoint, the payload is correct (right scopes), but it triggers an "unknown error" when using it to get a mailbox content through the Microsoft Graph API. The same token does work to get directory information (meaning the token is valid at some point).

Is Hybrid mode compatible with the Client Credentials flow ? Is there any parameters to configure in Exchange to enable this flow ?

I stumbled upon the same issue some time ago. Just let it slide, as I thought it was some wrong configuration on the Exchange side.

If you inspect both tokens you'll see that the sid is missing on the Client Credentials token, I think exchange needs some sort of on-premise user id inside the token to work. I'm not sure if this flow is supported since I cannot find anything about this topic on their documentation websites.

I just found a totally related question, check out https://stackoverflow.com/a/56108226/639153 for a complete answer.

The issue is actually somewhere else - Exchange doesn't seem to support client_credentials flow. You can, however force it via following PowerShell (make sure to restart your IIS after applying):

$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions

The full explanation can be found here: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/