OAUTH_TOKEN_INVALID

Event ID 1003: OAuth Token Validation Failed

Complete troubleshooting guide for Exchange Server Event ID 1003 OAuth token validation failures affecting hybrid connectivity, cross-premises features, and server-to-server authentication.

Medha Cloud
Medha Cloud Exchange Server Team
Exchange Database Recovery Team
8 min read


Error Overview

Event ID 1003: OAuth Token Validation Failed

"OAuth token validation failed. Error: Token validation failed. Partner application: 00000002-0000-0ff1-ce00-000000000000. Token issuer: https://sts.windows.net/tenant-guid/. Error details: The token has expired."

What This Error Means

Event ID 1003 indicates that Exchange Server could not validate an OAuth token presented for authentication. This affects hybrid deployments with Microsoft 365, cross-premises features like free/busy sharing, and integrations with SharePoint and Skype for Business. OAuth failures break these trust relationships.

Features Using OAuth

  • Hybrid Free/Busy lookups
  • Cross-premises MailTips
  • Message tracking
  • eDiscovery across premises
  • SharePoint integration

OAuth Components

  • Auth certificate
  • Partner applications
  • Authorization servers
  • IntraOrganizationConnector
  • Azure AD registration

⚠️ Version Notice

This guide applies to Exchange Server 2016, 2019, and Subscription Edition, particularly in hybrid deployments with Microsoft 365. OAuth configuration varies slightly between versions but core concepts remain the same.

Symptoms & Detection

User-Reported Symptoms

  • Free/Busy shows "No information" for cloud users
  • MailTips not working across premises
  • Unable to access cloud archives
  • Teams calendar integration failing
  • Message tracking across hybrid incomplete

Administrator Detection

  • Event ID 1003 in Application log
  • Test-OAuthConnectivity failures
  • Hybrid Configuration Wizard errors
  • Auth certificate expiration warnings
  • Azure AD application registration issues

Event Log Entry Example

Log Name:      Application
Source:        MSExchange OAuth
Event ID:      1003
Level:         Error
Description:   OAuth token validation failed.

Error Details:
    Error Code: TokenValidationFailed
    Partner Application: 00000002-0000-0ff1-ce00-000000000000
    Token Issuer: https://sts.windows.net/<tenant-guid>/
    Error Message: The token has expired.

Token Details:
    Audience: https://outlook.office365.com
    Subject: user@contoso.com
    Token Lifetime: Expired 2 hours ago

Recommended Actions:
    1. Check OAuth certificate validity
    2. Verify partner application configuration
    3. Check time synchronization
    4. Run Test-OAuthConnectivity cmdlet
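The following is an added example, not part of the original guide: it parses the labelled fields out of Event ID 1003 descriptions in the format shown above and groups the failures by partner application and error message, so that a flood of events reduces to a handful of distinct causes. The three sample descriptions at the bottom are constructed for offline use; omit the -Messages parameter to read the live Application log from the "MSExchange OAuth" source instead. The LikelyCause mapping follows the Common Causes section of this guide.

```powershell
function ConvertFrom-OAuthEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Pull the labelled fields out of an Event ID 1003 description.
    $app    = if ($Message -match 'Partner Application:\s*([0-9A-Fa-f-]{36})') { $Matches[1] } else { $null }
    $issuer = if ($Message -match 'Token Issuer:\s*(\S+)')                    { $Matches[1] } else { $null }
    $err    = if ($Message -match 'Error Message:\s*([^\r\n]+)')              { $Matches[1].Trim() } else { $null }
    # "expired" points at the certificate or clock causes; anything else needs the Diagnostic Steps.
    $cause = if ($err -match 'expired') { 'Expired auth certificate or clock skew (causes 1-2)' }
             else                       { 'See Diagnostic Steps' }
    [pscustomobject]@{ PartnerApplication = $app; TokenIssuer = $issuer; ErrorMessage = $err; LikelyCause = $cause }
}

function Get-OAuthFailureSummary {
    param(
        [string[]]$Messages,                          # event descriptions; omitted = read the live log
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    if (-not $Messages) {
        $Messages = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'MSExchange OAuth'; Id = 1003; StartTime = $Since
        } -ErrorAction SilentlyContinue | ForEach-Object { $_.Message }
    }
    $Messages | ForEach-Object { ConvertFrom-OAuthEventMessage -Message $_ } |
        Group-Object PartnerApplication, ErrorMessage |
        ForEach-Object {
            [pscustomobject]@{
                PartnerApplication = $_.Group[0].PartnerApplication
                TokenIssuer        = $_.Group[0].TokenIssuer
                ErrorMessage       = $_.Group[0].ErrorMessage
                LikelyCause        = $_.Group[0].LikelyCause
                Count              = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample descriptions (not real log data) in the layout shown above.
$sampleMessages = @(
    (@('OAuth token validation failed.', 'Error Details:', '    Error Code: TokenValidationFailed',
       '    Partner Application: 00000002-0000-0ff1-ce00-000000000000',
       '    Token Issuer: https://sts.windows.net/<tenant-guid>/',
       '    Error Message: The token has expired.') -join "`r`n"),
    (@('OAuth token validation failed.', 'Error Details:', '    Error Code: TokenValidationFailed',
       '    Partner Application: 00000002-0000-0ff1-ce00-000000000000',
       '    Token Issuer: https://sts.windows.net/<tenant-guid>/',
       '    Error Message: The token has expired.') -join "`r`n"),
    (@('OAuth token validation failed.', 'Error Details:', '    Error Code: TokenValidationFailed',
       '    Partner Application: 00000002-0000-0ff1-ce00-000000000000',
       '    Token Issuer: https://sts.windows.net/<tenant-guid>/',
       '    Error Message: Token validation failed.') -join "`r`n")
)

Get-OAuthFailureSummary -Messages $sampleMessages | Format-Table -AutoSize
```

When the summary shows every failure as "expired" across a single partner application, check the auth certificate and clock skew first; a mix of error messages or several partner applications usually points at configuration rather than time.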

Common Causes

1. Expired OAuth Certificate

The Exchange OAuth certificate used for signing tokens has expired. This certificate is created during hybrid configuration and has a default lifetime of 5 years but must be renewed before expiration.

Check: run Get-AuthConfig | Select-Object CurrentCertificateThumbprint, then Get-ExchangeCertificate with that thumbprint and inspect the NotAfter date.

2. Time Synchronization Issues

OAuth tokens include timestamps and are only valid for a specific time window. If server time is significantly off from Azure AD's time, tokens appear expired even when newly issued.

Tolerance: OAuth typically allows a 5-minute clock skew. Ensure servers sync to a reliable NTP source.

3. Partner Application Misconfiguration
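As an added example (not from the original guide), the script below estimates this server's clock offset against Azure AD by reading the Date header that the login endpoint returns and comparing it with the local UTC time at the midpoint of the request, then judges it against the 5-minute tolerance stated above. The Date header has one-second resolution, so treat the figure as an estimate; w32tm remains the authoritative check, and the script runs it when the offset is out of tolerance. The openid-configuration URL and the 300-second default are assumptions of this example.

```powershell
function Get-AzureAdClockSkew {
    param(
        [string]$Uri = 'https://login.microsoftonline.com/common/.well-known/openid-configuration',
        [int]$ToleranceSeconds = 300   # the 5-minute skew cited in this guide
    )
    $before   = [datetime]::UtcNow
    $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 10
    $after    = [datetime]::UtcNow

    # Date header is RFC 1123 in GMT; the [string] cast also covers PowerShell 7, where headers are string[].
    $dateHeader = [string]$response.Headers['Date']
    $remoteUtc  = [System.DateTimeOffset]::ParseExact($dateHeader, 'r', [cultureinfo]::InvariantCulture).UtcDateTime

    # Compare against the midpoint of the request so network latency is not counted as skew.
    $localMid = $before.AddTicks([long](($after - $before).Ticks / 2))
    $offset   = [math]::Round(($remoteUtc - $localMid).TotalSeconds, 1)

    [pscustomobject]@{
        RemoteUtc       = $remoteUtc
        LocalUtc        = $localMid
        OffsetSeconds   = $offset
        RoundTripMs     = [int](($after - $before).TotalMilliseconds)
        WithinTolerance = ([math]::Abs($offset) -lt $ToleranceSeconds)
    }
}

$skew = Get-AzureAdClockSkew
$skew | Format-List

if (-not $skew.WithinTolerance) {
    Write-Host "Clock differs from Azure AD by $($skew.OffsetSeconds) seconds (tolerance 300); resync time" -ForegroundColor Red
    w32tm /query /status   # shows the configured time source and the last successful sync
} else {
    Write-Host "Clock within tolerance ($($skew.OffsetSeconds) seconds)" -ForegroundColor Green
}
```

A server whose offset is well inside the tolerance but still logs "The token has expired" is more likely suffering from the certificate causes in this section than from time.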

Azure AD partner applications or Exchange authorization servers are not properly configured. This often happens after tenant changes, certificate rotations, or incomplete hybrid wizard runs.

Verify: run Get-PartnerApplication and Get-AuthServer and check that the configuration matches the Azure AD settings.

4. Certificate Not Published to Azure AD

A new or renewed OAuth certificate exists on-premises, but its public key has not been uploaded to Azure AD, which cannot validate tokens signed with a certificate it does not know.

Fix: re-run the Hybrid Configuration Wizard, or upload the certificate's public key manually with Azure AD PowerShell.

5. Firewall Blocking OAuth Endpoints

A network firewall or proxy is blocking communication with the Azure AD OAuth endpoints. Exchange servers must reach login.microsoftonline.com and sts.windows.net on port 443.

Required URLs: login.microsoftonline.com, login.windows.net, sts.windows.net, outlook.office365.com

Diagnostic Steps

Step 1: Check OAuth Configuration

# Check current OAuth/Auth configuration
Write-Host "=== Exchange OAuth Configuration ===" -ForegroundColor Cyan

# Get Auth Config
$authConfig = Get-AuthConfig
$authConfig | Select-Object CurrentCertificateThumbprint, PreviousCertificateThumbprint,
    ServiceName, Realm | Format-List

# Check the OAuth certificate
$certThumbprint = $authConfig.CurrentCertificateThumbprint
$cert = Get-ExchangeCertificate -Thumbprint $certThumbprint

Write-Host "`n=== OAuth Certificate Details ===" -ForegroundColor Yellow
$cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter, Services | Format-List

# Check if certificate is expired
$daysRemaining = ($cert.NotAfter - (Get-Date)).Days
if ($daysRemaining -lt 0) {
    Write-Host "CRITICAL: OAuth certificate EXPIRED $([math]::Abs($daysRemaining)) days ago!" -ForegroundColor Red
} elseif ($daysRemaining -lt 30) {
    Write-Host "WARNING: OAuth certificate expires in $daysRemaining days" -ForegroundColor Yellow
} else {
    Write-Host "OAuth certificate is valid for $daysRemaining more days" -ForegroundColor Green
}

# Check authorization servers
Write-Host "`n=== Authorization Servers ===" -ForegroundColor Yellow
Get-AuthServer | Select-Object Name, Enabled, AuthMetadataUrl | Format-Table -AutoSize

# Check partner applications
Write-Host "`n=== Partner Applications ===" -ForegroundColor Yellow
Get-PartnerApplication | Select-Object Name, Enabled, ApplicationIdentifier | Format-Table -AutoSize

Step 2: Test OAuth Connectivity

# Test OAuth connectivity to Microsoft 365
$userIdentity = "admin@contoso.com"  # On-premises mailbox to test

# Test to Exchange Online
Write-Host "=== Testing OAuth to Exchange Online ===" -ForegroundColor Cyan
$result = Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox $userIdentity -Verbose

$result | Select-Object ResultType, ResultDescription | Format-List

# Test AutoDiscover OAuth
Write-Host "`n=== Testing AutoDiscover OAuth ===" -ForegroundColor Yellow
$autoResult = Test-OAuthConnectivity -Service AutoD -TargetUri https://outlook.office365.com/autodiscover/autodiscover.svc -Mailbox $userIdentity

$autoResult | Select-Object ResultType, ResultDescription | Format-List

# If test fails, show detailed error
if ($result.ResultType -ne "Success") {
    Write-Host "`n=== Error Details ===" -ForegroundColor Red
    $result | Format-List *
}

# Test from specific server
$exchangeServer = $env:COMPUTERNAME
Write-Host "`nTesting from server: $exchangeServer" -ForegroundColor Cyan
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox $userIdentity -OrganizationDomain "contoso.com"

Step 3: Verify Network Connectivity

# Test connectivity to OAuth/Azure AD endpoints
$endpoints = @(
    @{Name="Azure AD Login"; URL="https://login.microsoftonline.com"},
    @{Name="Azure AD STS"; URL="https://sts.windows.net"},
    @{Name="Exchange Online"; URL="https://outlook.office365.com"},
    @{Name="Graph API"; URL="https://graph.microsoft.com"}
)

Write-Host "=== Testing OAuth Endpoint Connectivity ===" -ForegroundColor Cyan

foreach ($endpoint in $endpoints) {
    try {
        $response = Invoke-WebRequest -Uri $endpoint.URL -Method Head -TimeoutSec 10 -UseBasicParsing
        Write-Host "$($endpoint.Name): OK ($($response.StatusCode))" -ForegroundColor Green
    } catch {
        Write-Host "$($endpoint.Name): FAILED - $_" -ForegroundColor Red
    }
}

# Test OAuth metadata URL
Write-Host "`n=== Testing OAuth Metadata ===" -ForegroundColor Yellow
$metadataUrl = "https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml"
try {
    $metadata = Invoke-WebRequest -Uri $metadataUrl -TimeoutSec 10 -UseBasicParsing
    Write-Host "OAuth Metadata accessible: $($metadata.StatusCode)" -ForegroundColor Green
} catch {
    Write-Host "OAuth Metadata FAILED: $_" -ForegroundColor Red
}

# Check proxy configuration
Write-Host "`n=== Proxy Configuration ===" -ForegroundColor Yellow
$proxy = [System.Net.WebProxy]::GetDefaultProxy()
Write-Host "Proxy Address: $($proxy.Address)"
Write-Host "Bypass Proxy on Local: $($proxy.BypassProxyOnLocal)"

# If proxy is used, verify it allows OAuth endpoints
netsh winhttp show proxy

Step 4: Check IntraOrganizationConnector

# Check IntraOrganizationConnector for hybrid
Write-Host "=== IntraOrganization Connector ===" -ForegroundColor Cyan

$ioc = Get-IntraOrganizationConnector

$ioc | Select-Object Name, Enabled, DiscoveryEndpoint, TargetAddressDomains,
    TargetAutodiscoverEpr | Format-List

# Verify the connector is enabled and configured correctly
if ($ioc.Enabled -eq $false) {
    Write-Host "WARNING: IntraOrganizationConnector is disabled!" -ForegroundColor Red
}

# Check IntraOrganizationConfiguration
Write-Host "`n=== IntraOrganization Configuration ===" -ForegroundColor Yellow
Get-IntraOrganizationConfiguration | Format-List

# Test availability service (depends on OAuth)
Write-Host "`n=== Testing Availability Service ===" -ForegroundColor Cyan
$testUser = "clouduser@contoso.onmicrosoft.com"

# Exchange has no cmdlet that performs a cross-premises free/busy lookup itself.
# Test-OAuthConnectivity exercises the OAuth flow the availability service relies on;
# a free/busy lookup of $testUser from an on-premises mailbox in Outlook/OWA confirms the end-to-end result.
try {
    Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox "admin@contoso.com" -ErrorAction Stop |
        Select-Object ResultType, ResultDescription | Format-List
    Write-Host "Now check free/busy for $testUser from an on-premises mailbox in Outlook or OWA"
} catch {
    Write-Host "Availability test failed: $_" -ForegroundColor Red
}

# Check organization relationship for OAuth
Get-OrganizationRelationship | Where-Object {$_.DomainNames -match "onmicrosoft.com"} |
    Select-Object Name, Enabled, DomainNames, TargetOwaURL, FreeBusyAccessEnabled |
    Format-List
💡 Pro Tip

Use the Microsoft Remote Connectivity Analyzer (testconnectivity.microsoft.com) to test OAuth connectivity from outside your network. The "Exchange Server" tests include OAuth validation and can identify issues invisible from inside.

Quick Fix

Immediate OAuth Issue Resolution

Quick fixes for common OAuth problems:

# Step 1: Refresh OAuth metadata from Azure AD
Write-Host "Refreshing OAuth metadata..." -ForegroundColor Cyan
Set-AuthServer -Identity "AzureAD" -RefreshAuthMetadata

# Step 2: Verify time sync (OAuth is time-sensitive)
w32tm /resync /force
Write-Host "Time synchronized" -ForegroundColor Green

# Step 3: Re-enable auth configuration if disabled
$authConfig = Get-AuthConfig
if (-not $authConfig) {
    Write-Host "Auth configuration missing - run Hybrid Wizard" -ForegroundColor Red
}

# Step 4: Test after refresh
Start-Sleep -Seconds 10
$result = Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox "admin@contoso.com"

if ($result.ResultType -eq "Success") {
    Write-Host "OAuth test PASSED!" -ForegroundColor Green
} else {
    Write-Host "OAuth test FAILED - further investigation needed" -ForegroundColor Red
    Write-Host $result.ResultDescription
}

# Step 5: If certificate expired, create new one
$currentCert = Get-ExchangeCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint
if ($currentCert.NotAfter -lt (Get-Date)) {
    Write-Host "OAuth certificate is expired. Creating new certificate..." -ForegroundColor Yellow
    # See detailed solutions for certificate renewal process
}

Note: If quick fixes don't resolve the issue, you'll need to renew the OAuth certificate and republish it to Azure AD using the Hybrid Configuration Wizard.

Detailed Solutions

Solution 1: Renew OAuth Certificate

Replace expired OAuth certificate and publish to Azure AD:

# Step 1: Create new OAuth certificate
Write-Host "Creating new OAuth certificate..." -ForegroundColor Cyan

$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "CN=Microsoft Exchange Server Auth Certificate" -DomainName $env:COMPUTERNAME -Services SMTP -FriendlyName "Microsoft Exchange Server Auth Certificate"

Write-Host "New certificate created: $($newCert.Thumbprint)"

# Step 2: Configure Exchange to use new certificate
Write-Host "`nConfiguring Auth to use new certificate..." -ForegroundColor Yellow

# Keep previous cert for rollback
$previousThumb = (Get-AuthConfig).CurrentCertificateThumbprint
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# Step 3: Publish certificate to servers
Write-Host "`nPublishing certificate to all servers..." -ForegroundColor Yellow
Set-AuthConfig -PublishCertificate

# Step 4: Clear previous certificate (after verification)
# Set-AuthConfig -ClearPreviousCertificate

# Step 5: Export certificate public key for Azure AD
$certBytes = $newCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64Cert = [System.Convert]::ToBase64String($certBytes)
Write-Host "`n=== Certificate for Azure AD ===" -ForegroundColor Cyan
Write-Host "Run Hybrid Configuration Wizard to upload automatically"
Write-Host "Or use this base64 value in Azure AD app registration:"
Write-Host $base64Cert

# Step 6: Verify new certificate
Get-AuthConfig | Select-Object CurrentCertificateThumbprint, PreviousCertificateThumbprint |
    Format-List

Solution 2: Re-run Hybrid Configuration Wizard

The Hybrid Configuration Wizard fixes most OAuth issues automatically:

# The Hybrid Configuration Wizard is the recommended way to fix OAuth

# Step 1: Download latest HCW if needed
# https://aka.ms/HybridWizard

# Step 2: Verify prerequisites
Write-Host "=== Pre-HCW Checks ===" -ForegroundColor Cyan

# Check connectivity
Test-NetConnection -ComputerName outlook.office365.com -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443

# Verify admin credentials are ready
# - On-premises Exchange admin
# - Microsoft 365 Global Admin or Exchange Admin

# Step 3: Document current configuration (for rollback)
Write-Host "`nDocumenting current OAuth config..." -ForegroundColor Yellow
Get-AuthConfig | Export-Clixml "C:\Backup\AuthConfig_$(Get-Date -Format yyyyMMdd).xml"
Get-AuthServer | Export-Clixml "C:\Backup\AuthServers_$(Get-Date -Format yyyyMMdd).xml"
Get-PartnerApplication | Export-Clixml "C:\Backup\PartnerApps_$(Get-Date -Format yyyyMMdd).xml"
Get-IntraOrganizationConnector | Export-Clixml "C:\Backup\IOC_$(Get-Date -Format yyyyMMdd).xml"

Write-Host "`n=== Ready to run HCW ===" -ForegroundColor Green
Write-Host "1. Launch Hybrid Configuration Wizard"
Write-Host "2. Select 'Full Hybrid Configuration'"
Write-Host "3. Choose OAuth/Modern Authentication"
Write-Host "4. Complete the wizard - it will update certificates and configurations"
Write-Host "5. Test OAuth connectivity after completion"

# Step 4: Post-HCW verification
# Run after HCW completes:
# Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox "admin@contoso.com"

Solution 3: Configure OAuth Manually

Manual OAuth configuration when HCW is not available:

# Manual OAuth configuration for advanced scenarios

# Step 1: Configure Exchange authorization server for Azure AD
$tenantId = "your-tenant-guid"  # From Azure AD
$authUrl = "https://login.microsoftonline.com/$tenantId/oauth2/authorize"
$metadataUrl = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml"

# Create or update auth server
if (-not (Get-AuthServer -Identity "AzureAD" -ErrorAction SilentlyContinue)) {
    New-AuthServer -Name "AzureAD" -Type AzureAD -AuthMetadataUrl $metadataUrl
} else {
    Set-AuthServer -Identity "AzureAD" -AuthMetadataUrl $metadataUrl -Enabled $true
}

# Step 2: Configure partner applications
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"  # Exchange Online

if (-not (Get-PartnerApplication -Identity "Exchange Online" -ErrorAction SilentlyContinue)) {
    New-PartnerApplication -Name "Exchange Online" -ApplicationIdentifier $exchangeOnlineAppId -AcceptSecurityIdentifierInformation $true -Enabled $true -LinkedAccount "contoso.onmicrosoft.com"
}

# Step 3: Configure IntraOrganizationConnector
$iocName = "HybridIOC - contoso.onmicrosoft.com"
$targetDomains = @("contoso.onmicrosoft.com", "contoso.mail.onmicrosoft.com")

if (-not (Get-IntraOrganizationConnector -Identity $iocName -ErrorAction SilentlyContinue)) {
    New-IntraOrganizationConnector -Name $iocName -DiscoveryEndpoint "https://outlook.office365.com/autodiscover/autodiscover.svc" -TargetAddressDomains $targetDomains -Enabled $true
}

# Step 4: Configure organization relationship for OAuth
Set-OrganizationRelationship -Identity "O365 to On-premises" -ArchiveAccessEnabled $true -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -MailTipsAccessEnabled $true

# Step 5: Test configuration
Write-Host "`n=== Testing OAuth Configuration ===" -ForegroundColor Cyan
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox "admin@contoso.com"

Solution 4: Upload Certificate to Azure AD

Manually upload OAuth certificate to Azure AD using PowerShell:

# Upload Exchange OAuth certificate to Azure AD using Microsoft Graph

# Step 1: Install required module
# Install-Module Microsoft.Graph -Scope CurrentUser

# Step 2: Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Step 3: Get the Exchange OAuth certificate
$authCert = Get-ExchangeCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint

# Export public key
$certBytes = $authCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64Cert = [System.Convert]::ToBase64String($certBytes)

# Step 4: Find the Exchange Online service principal
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"
$sp = Get-MgServicePrincipal -Filter "appId eq '$exchangeAppId'"

# Step 5: Add certificate credential
# -KeyCredentials replaces the whole collection on the service principal, so the
# credentials already registered (other servers' auth certificates) must be sent
# along with the new one or they are removed.
$keyCredential = @{
    Type = "AsymmetricX509Cert"
    Usage = "Verify"
    Key = $certBytes
    DisplayName = "Exchange Server Auth Certificate"
}
$existingCredentials = @($sp.KeyCredentials)

Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials ($existingCredentials + $keyCredential)

Write-Host "Certificate uploaded to Azure AD" -ForegroundColor Green

# Step 6: Alternative - Using Azure AD PowerShell (legacy)
# Connect-AzureAD
# $servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
# New-AzureADServicePrincipalKeyCredential -ObjectId $servicePrincipal.ObjectId -Value $base64Cert -Type AsymmetricX509Cert -Usage Verify

# Step 7: Verify in Azure AD Portal
Write-Host "`nVerify in Azure AD:" -ForegroundColor Cyan
Write-Host "1. Go to Azure AD > Enterprise Applications"
Write-Host "2. Find 'Office 365 Exchange Online'"
Write-Host "3. Check Certificates & secrets"
Write-Host "4. Verify new certificate is listed"
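The portal check above can be scripted. The block below is an added example, not from the original guide: it lists the key credentials registered on the Exchange Online service principal and reports whether the on-premises current and previous auth certificate thumbprints appear there, which is exactly the gap described under cause 4 (certificate not published to Azure AD). It assumes the Microsoft.Graph module is installed and Connect-MgGraph has been run with Application.Read.All; it relies on the documented Graph behaviour that customKeyIdentifier defaults to the certificate thumbprint when the uploader did not set it, so a credential uploaded with a custom identifier shows up only by display name and validity dates. The function names are this example's own.

```powershell
function Get-AzureAdPublishedAuthCertificate {
    param([string]$AppId = '00000002-0000-0ff1-ce00-000000000000')   # Exchange Online, as used in this guide

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    foreach ($kc in $sp.KeyCredentials) {
        # Graph defaults customKeyIdentifier to the SHA-1 thumbprint; decode the byte[] to hex.
        $thumbprint = if ($kc.CustomKeyIdentifier) {
            ([System.BitConverter]::ToString($kc.CustomKeyIdentifier)).Replace('-', '')
        } else { $null }
        [pscustomobject]@{
            DisplayName = $kc.DisplayName
            Thumbprint  = $thumbprint
            Usage       = $kc.Usage
            NotBefore   = $kc.StartDateTime
            NotAfter    = $kc.EndDateTime
        }
    }
}

function Compare-AuthCertificatePublication {
    param(
        [Parameter(Mandatory)][string[]]$LocalThumbprints,   # from Get-AuthConfig
        [Parameter(Mandatory)][object[]]$Published           # from Get-AzureAdPublishedAuthCertificate
    )
    foreach ($local in ($LocalThumbprints | Where-Object { $_ })) {
        $match = $Published | Where-Object { $_.Thumbprint -and ($_.Thumbprint -ieq $local) } | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint   = $local
            Published    = [bool]$match
            ExpiresInAad = if ($match) { $match.NotAfter } else { $null }
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'
$authConfig = Get-AuthConfig
$published  = Get-AzureAdPublishedAuthCertificate
$published | Format-Table -AutoSize

$status = Compare-AuthCertificatePublication `
    -LocalThumbprints @($authConfig.CurrentCertificateThumbprint, $authConfig.PreviousCertificateThumbprint) `
    -Published $published
$status | Format-Table -AutoSize

if ($status | Where-Object { $_.Thumbprint -eq $authConfig.CurrentCertificateThumbprint -and -not $_.Published }) {
    Write-Host "Current auth certificate is NOT registered in Azure AD - run HCW or Solution 4 above" -ForegroundColor Red
}
```

Run this before clearing the previous certificate: as long as both thumbprints are listed, tokens signed by either certificate can still be validated during the rollover window the Danger Zone note describes.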
🚨 Danger Zone

Do not delete the old OAuth certificate until you've verified the new one works. OAuth tokens signed with the old certificate may still be in use. Keep the previous certificate for at least 24 hours after renewal.

Verification Steps

Verify OAuth Fix

# Comprehensive OAuth verification

Write-Host "=== OAuth Verification ===" -ForegroundColor Cyan

# Step 1: Test OAuth connectivity
$testResult = Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox "admin@contoso.com"

Write-Host "OAuth Test Result: $($testResult.ResultType)" -ForegroundColor $(if ($testResult.ResultType -eq "Success") {"Green"} else {"Red"})

if ($testResult.ResultType -ne "Success") {
    Write-Host "Error: $($testResult.ResultDescription)" -ForegroundColor Red
}

# Step 2: Verify certificate
$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint
$daysRemaining = ($cert.NotAfter - (Get-Date)).Days

Write-Host "`nOAuth Certificate:" -ForegroundColor Yellow
Write-Host "  Thumbprint: $($cert.Thumbprint)"
Write-Host "  Expires: $($cert.NotAfter) ($daysRemaining days remaining)"

# Step 3: Test Free/Busy (practical test)
Write-Host "`n=== Testing Free/Busy ===" -ForegroundColor Cyan
$cloudUser = "clouduser@contoso.onmicrosoft.com"
$startDate = (Get-Date).AddDays(1)
$endDate = (Get-Date).AddDays(2)

try {
    # This tests the full OAuth flow for availability
    # $($cloudUser) is required: "$cloudUser:Calendar" would be parsed as a scope-qualified variable
    $availability = Get-MailboxCalendarFolder -Identity "$($cloudUser):Calendar" -ErrorAction Stop
    Write-Host "Free/Busy lookup: SUCCESS" -ForegroundColor Green
} catch {
    Write-Host "Free/Busy lookup: FAILED - $_" -ForegroundColor Red
}

# Step 4: Check for recent OAuth errors
$recentErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    Id = 1003
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if ($recentErrors) {
    Write-Host "`nRecent OAuth errors: $($recentErrors.Count)" -ForegroundColor Yellow
} else {
    Write-Host "`nNo OAuth errors in last hour" -ForegroundColor Green
}

Write-Host "`n=== Verification Complete ===" -ForegroundColor Cyan

✓ Success Indicators

  • Test-OAuthConnectivity passes
  • Certificate valid > 30 days
  • Free/Busy working
  • No Event ID 1003 errors

⚠ Warning Signs

  • Certificate expires soon
  • Intermittent failures
  • Some features working
  • Metadata refresh issues

✗ Failure Indicators

  • OAuth tests fail
  • Certificate expired
  • All hybrid features broken
  • Continuous 1003 events

Prevention Strategies

OAuth Best Practices

  • Monitor certificate expiry

    Alert 90 days before expiration

  • Test OAuth monthly

    Scheduled Test-OAuthConnectivity

  • Document configuration

    Export configs for disaster recovery

  • Maintain Azure AD access

    Ensure admin can update certs

OAuth Certificate Monitoring

# Weekly OAuth certificate check
$authConfig = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint

$daysRemaining = ($cert.NotAfter - (Get-Date)).Days
$alertDays = 90

if ($daysRemaining -lt $alertDays) {
    $body = @"
OAuth Certificate Expiration Warning

Certificate: $($cert.Thumbprint)
Expires: $($cert.NotAfter)
Days Remaining: $daysRemaining

Action Required: Renew certificate using Hybrid Configuration Wizard
"@

    Send-MailMessage -To "exchange-admins@contoso.com" -From "monitoring@contoso.com" -Subject "OAuth Certificate Expires in $daysRemaining days" -Body $body -SmtpServer "smtp.contoso.com"
}

When to Escalate

Escalate to Hybrid/M365 Specialist When:

  • OAuth fails after certificate renewal and HCW
  • Complex multi-forest hybrid configuration
  • Azure AD application registration issues
  • Cross-tenant or B2B OAuth requirements
  • OAuth working one direction but not the other

Need Expert Exchange Hybrid Help?

Our Exchange and Microsoft 365 hybrid specialists can diagnose complex OAuth issues, renew certificates, and ensure seamless hybrid functionality between your on-premises and cloud environments.

15 Minutes average response time for hybrid emergencies

Frequently Asked Questions

OAuth (Open Authorization) is a token-based authentication protocol that Exchange uses for server-to-server authentication with Microsoft 365, SharePoint, and Skype for Business. In hybrid deployments, OAuth enables features like cross-premises free/busy, MailTips, and message tracking. OAuth replaces or supplements traditional Windows authentication for these scenarios.

Can't Resolve OAUTH_TOKEN_INVALID?

Exchange errors can cause data loss or extended downtime. Our specialists are available 24/7 to help.

Microsoft Exchange Specialists

Our Exchange Server specialists have 15+ years of combined experience managing enterprise email environments. We provide 24/7 support, emergency troubleshooting, and ongoing administration for businesses worldwide.

15+ Years Experience · Microsoft Certified · 99.7% Success Rate · 24/7 Support