401 Access denied error when you run the Test-OAuthConnectivity cmdlet
Original KB number: 3090197
Symptoms
When you run the Test-OAuthConnectivity cmdlet to test OAuth authentication for a user, the operation fails, and you receive a message that resembles the following:
401 Access denied
Cause
This issue can occur if one of the following conditions is true:
- The service principal name (SPN) that's required for OAuth authentication is missing.
- You're testing an account that's not synchronized between the on-premises environment and Microsoft Exchange Online.
Resolution
To fix this issue, take one of the following actions, as appropriate for your situation.
Scenario 1 - The SPN is missing
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to the Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
1. Open the Exchange Management Shell.
2. Run the following command:
   Get-IntraOrganizationConfiguration
   Notice the values that are returned for OnPremisesDiscoveryEndPoint and OnPremisesWebServiceEndPoint.
3. Run the following command:
   (Get-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").ServicePrincipalNames
4. Check whether the domain names that are listed for the endpoints are returned.
5. If the domain names aren't returned, use the Set-MsolServicePrincipal cmdlet to add them. For example, the following commands add the mail.contoso.com domain. Because Set-MsolServicePrincipal replaces the entire SPN list, the existing names are retrieved first and the new domain is appended to them:
   $AppId = (Get-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").AppPrincipalId
   $SPNs = (Get-MsolServicePrincipal -AppPrincipalId $AppId).ServicePrincipalNames
   $SPNs.Add("mail.contoso.com")
   Set-MsolServicePrincipal -AppPrincipalId $AppId -ServicePrincipalNames $SPNs
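The following script is an added example, not part of the KB, that automates steps 2 through 5 of this scenario: it extracts the host names from the intra-organization endpoints, compares them with the Exchange Online service principal's SPN list, and appends any that are missing. It uses the same MSOnline cmdlets as the article (and so is subject to the deprecation note above), assumes an Exchange Management Shell in which Connect-MsolService has already been run, and the $ApplyChanges variable is a hypothetical safety switch of my own.

```powershell
# Added example (not from the KB). Cross-checks on-premises endpoint host names
# against the Exchange Online service principal's SPNs and appends missing ones.
# Assumes an Exchange Management Shell session plus Connect-MsolService.
$ExoAppId     = "00000002-0000-0ff1-ce00-000000000000"   # Exchange Online app ID from the KB
$ApplyChanges = $false   # hypothetical switch: $false only reports, $true writes the SPNs

$ioc = Get-IntraOrganizationConfiguration

# Reduce each endpoint URL to its host name; that is what must appear in the SPN list.
$requiredHosts = @(
    @($ioc.OnPremisesDiscoveryEndpoint, $ioc.OnPremisesWebServiceEndpoint) |
        Where-Object { $_ } |
        ForEach-Object { ([System.Uri]"$_").Host.ToLowerInvariant() } |
        Sort-Object -Unique
)

$sp       = Get-MsolServicePrincipal -ServicePrincipalName $ExoAppId
$existing = @($sp.ServicePrincipalNames)

# SPNs may be recorded as "mail.contoso.com", "https://mail.contoso.com/" or
# "<appid>/mail.contoso.com", so match on the host name anywhere in the entry.
$missing = @(
    $requiredHosts | Where-Object {
        $h = $_
        -not ($existing | Where-Object { $_.ToLowerInvariant() -like "*$h*" })
    }
)

if ($missing.Count -eq 0) {
    Write-Output "All endpoint hosts are registered as SPNs: $($requiredHosts -join ', ')"
    return
}

Write-Output "Endpoint hosts missing from the SPN list: $($missing -join ', ')"

# Set-MsolServicePrincipal replaces the whole SPN list, so keep the existing
# names and append the missing hosts instead of passing only the new values.
$updated = $existing + $missing
if ($ApplyChanges) {
    Set-MsolServicePrincipal -AppPrincipalId $sp.AppPrincipalId -ServicePrincipalNames $updated
    Write-Output "SPN list updated; re-run Test-OAuthConnectivity to confirm."
} else {
    Write-Output "Dry run. Set `$ApplyChanges = `$true to write this list:"
    $updated
}
```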
Scenario 2 - You're using an account that isn't synchronized between the on-premises environment and Exchange Online
When you run the Test-OAuthConnectivity cmdlet, make sure that you use an account that's synchronized between the on-premises environment and Exchange Online. For example, you'll encounter this issue if you use an on-premises administrator account.
In the following example, Fred is a user account that's synchronized between the on-premises environment and Exchange Online.
Test-OAuthConnectivity -Service EWS -TargetUri https://cas.contoso.com/ews/ -Mailbox "Fred"