Updated May 9th: Added Share to Teams. to table
With the emergency to facilitate working from home due to the Corona pandemic, many organizations were faced with a dilemma. When running Exchange 2013 or some even Exchange 2010 on-premises, and a desire to start using Microsoft Teams, organizations were confronted with the following requirements for integrating Microsoft Teams with Exchange on-premises (source):
- Users with mailboxes hosted on-premises must be synchronized to Azure Active Directory.
- Running Exchange 2016 Cumulative Update 3 or later on-premises.
- OAuth needs to be configured (via Hybrid Configuration Wizard, or manual as MVP fellow Jaap blogged about here).
- Recently, an additional requirement was added to explain that for delegates to schedule calendar meetings on behalf of another person, some additional steps are required (steps 2-3 mentioned here).
Now as you might know, Exchange 2010 does not support OAuth authentication. But, by putting Exchange 2016 in front of Exchange 2010, Exchange 2016 can be used for dealing with OAuth authentication, as well as dealing with client traffic as it can down-level proxy to Exchange 2010 for mailboxes hosted on those servers. Looking at these requirements, organizations might conclude that putting Exchange 2016 CU3 in front of their Exchange environment, and configuring OAuth would suffice the requirement to integrate Teams with their Exchange on-premises environment.
Alas, the additional requirement for full Teams integration is that the mailbox server hosting the mailbox should support REST API. Teams leverages Graph REST API calls to interact with mailboxes. In an Hybrid Exchange setup, on-premises mailboxes are identified, and related REST API calls will be directed at the on-premises REST endpoint, landing on your Exchange environment. The requirement for REST API support is something which is not explicitly stated in the Teams integration article, despite my earlier pull request.
It is however stated implicitly in an article on REST support in Hybrid Exchange or the original publication on REST API support in Exchange 2016 CU3 by the Exchange PG, two articles which you might easily have missed or forgotten about. Either way, it states that “All on-premises mailboxes that will use the REST APIs must be located on databases located on Exchange 2016 CU3 servers”.
Thus, with REST API support only being available per Exchange 2016 CU3, Teams will not fully integrate with mailboxes hosted on earlier versions of Exchange. Exchange 2016 can be used to offload OAuth when your mailbox is still on Exchange 2010 (which works fine for Exchange Web Services for Free/Busy, for example), but Exchange 2010 does not support REST API, and thus will never understand those ‘weird’ (proxied) requests landing on /api virtual directory, typical of REST API calls. Consequently, you will see AutodiscoverV2 and REST API calls greeted with a 404:
2020-04-29 20:22:52 fd86:b628:2775:1:9502:cdcc:d4b1:5950 GET /autodiscover/autodiscover.json Email=chefke%40contoso.com&Protocol=REST&RedirectCount=1 443 CONTOSO\EX2$ fd86:b628:2775:1:9f8:2d9:c8a1:3c4a SkypeSpaces/1.0a$*+ 404 0 2 31
Typically, first thing users usually will notice missing is the Calendar integration:
Knowing this, the assumption could be that this combination doesn’t work at all, but as often the truth lies somewhere in the middle. You can use Teams when mailboxes are still hosted on pre-Exchange 2016 CU3, if you can live with the limitations. Below I have included a short overview of these, or other noteworthy items. The information is complementary to the How Exchange and Teams interact article. I hope it may help in discussions on what works and what doesn’t.
Disclaimer: Validated with mailbox hosted on Exchange 2010 with Exchange 2016 in front, OAuth and SkypeOnline AppId configured, and using Outlook 2016 C2R. Information may be subject to change. The list may not be conclusive; if you have any additional observations, please leave them in the comments.
|Create & View Meetings in Teams||No||No Calendar integration as this requires Outlook Calendar REST API. Visual clue is absence of the Calendar button.|
|Modify User Photo in Teams (client)||No||Doesn’t work when mailbox is hosted in Exchange on-premises.|
|Call History||Yes||History propagates to mailboxes hosted in Exchange on-premises in ‘Teams Calls’ folder.|
|Access Outlook Contacts||No||Works only with Exchange Online mailboxes.|
|Voicemail||Yes||May use & receive voice-mail, but can’t play from Teams.|
|Free/Busy status||Yes||Uses EWS.|
|Create & View/Update Teams Meetings from Outlook||Yes||Using default Teams Meeting add-in.|
|Create Teams Meetings from Outlook as Delegate||No||Teams Scheduler uses AutodiscoverV2 to discover delegate EWS endpoint, and fails. Outlook will display “Sorry, but we can’t connect to the server right now. Please try again later.”|
|View/Update Teams Meetings from Outlook as Delegate||Yes||EWS is used to fetch and update the calendar item.|
|MailTips in Teams||No||MailTips like Out of Office are not shown in Teams. MailTips work for Exchange 2016 CU3+.|
|Create & View Channel Meetings in Teams||No||Doesn’t work when mailbox is hosted in Exchange on-premises.|
|Share to Teams||No||Doesn’t work when mailbox is hosted in Exchange on-premises.|
Of course, the better experience is to be had when your mailbox is hosted on Exchange 2016 CU3 or later (including Exchange 2019), or best when you simply host them in Exchange Online. However, given the circumstances and pressure from the organization to use Teams, that route might not be an option for everyone. Organizations may look at substantial investments in time and resources. In those cases, it might be good to know of alternative less preferable scenarios, and more important, any possible limitations you might encounter when taking a shortcut.
Thanks! Great article!👍
Pingback: The Practical 365 Weekly Update: Ep 27 - Microsoft events, Azure AD updates, Teams announcements and more
Pingback: The Practical 365 Weekly Update: Ep 27 – Microsoft events, Azure AD updates, Teams announcements and more – 365 admin service
Pingback: Basic Authentication: End of an Era | EighTwOne (821)