401 Access denied error when you run the Test-OAuthConnectivity cmdlet

  • Article
  • Applies to:
    Exchange Online, Exchange Server 2013 Enterprise, Exchange Server 2013 Standard Edition

Original KB number:   3090197

Symptoms

When you run the Test-OAuthConnectivity cmdlet to test OAuth authentication for a user, the operation fails, and you receive a message that resembles the following:

401 Access denied

Cause

This issue can occur if one of the following conditions is true:

  • The service principal name (SPN) that's required for OAuth authentication is missing.
  • You're testing an account that's not synchronized between the on-premises environment and Microsoft Exchange Online.

Resolution

To fix this issue, take one of the following actions, as appropriate for your situation.

Scenario 1 - The SPN is missing

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

  1. Open the Exchange Management Shell.

  2. Run the following command:

    Get-IntraOrganizationConfiguration

    Notice the values that are returned for OnPremisesDiscoveryEndPoint and OnPremisesWebServiceEndPoint.

  3. Run the following command:

    (Get-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").ServicePrincipalNames

    Check whether the domain names that are listed for the endpoints are returned.

  4. If the domains names aren't returned, use the Set-MsolServicePrincipal cmdlet to add them.

    For example, the following command adds the mail.contoso.com domain.

    $AppId = (Get-MsolServicePrincipal -ServicePrincipalName "00000002-0000-0ff1-ce00-000000000000").AppPrincipalId
Set-MsolServicePrincipal -AppPrincipalId $AppId -ServicePrincipalNames @("mail.contoso.com")

Scenario 2 - You're using an account that isn't synchronized between the on-premises environment and Exchange Online

When you run the Test-OAuthConnectivity cmdlet, make sure that you use an account that's synchronized between the on-premises environment and Exchange Online. For example, you'll encounter this issue if you use an on-premises administrator account.

In the following example, Fred is a user account that's synchronized between the on-premises environment and Exchange Online.

Test-OAuthConnectivity -Service EWS -TargetUri https://cas.contoso.com/ews/ -Mailbox "Fred"

More information

Still need help? Go to Microsoft Community or the Microsoft Q&A.