Is Exchange Hybrid Modern Authentication (HMA) supported over Linked Mailbox with ActiveSync?

RobsExchange 20 Reputation points
2025-11-17T17:48:43.7+00:00

Dear all;

We have successfully configured HMA for Exchange in a “standard” environment.

With Linked Mailboxes, everything works as expected except ActiveSync.

My question: Is Exchange Hybrid Modern Authentication (HMA) supported for Linked Mailboxes when using ActiveSync?


When we check the synchronization between the Exchange Online shadow mailbox and the on-premises Exchange mailbox, we get the following error:

Get-SyncRequestStatistics -Identity $m.id | select status, message, syncstage | fl

Status       : Failed
StatusDetail : TransientFailureContinuousJob
Message      : Error: There are no active tokens for this mailbox in the token store.
SyncStage    : None


When we run .\Test-HMAEAS.ps1 ******@domain.org -testeas, we get the following error:

AADSTS50011: The redirect URI 'urn:ietf:wg:oauth:2.0:oob' specified in the request does not match the redirect URIs configured for the application '27922004-5251-4030-b22d-91ecd9a37ea4'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

The application '27922004-5251-4030-b22d-91ecd9a37ea4' corresponds to Outlook Mobile, which cannot be edited or updated.

If you have any solutions or recommendations, please do not hesitate to share them.

Thank you.

Exchange | Hybrid management

Answer accepted by question author
  1. Vergil-V 7,555 Reputation points Microsoft External Staff Moderator
    2025-11-18T04:20:54.12+00:00

    Hi @Patrick Hesseling 
    Thank you for reaching out to Microsoft Learn Q&A!    

    Based on my research and confirmation from other members, there is currently no official Microsoft statement explicitly confirming that Exchange Hybrid Modern Authentication (HMA) is supported for Linked Mailboxes with ActiveSync. 

    Available documentation only states that HMA supports ActiveSync for traditional mailbox configurations.

    From your description, the two observations you shared provide important clues: 

    • The failure message in Get-SyncRequestStatistics “Error: There are no active tokens for this mailbox in the token store” indicates that the OAuth authentication flow, which is required to generate tokens, did not complete for this mailbox and protocol combination. This suggests that the complex identity resolution needed for linked mailboxes is not compatible with the standard HMA token flow for Exchange ActiveSync. 
    • The error code AADSTS50011 indicates that although Outlook Mobile supports HMA, it does not match the URI urn:ietf:wg:oauth:2.0:oob, which is associated with the legacy authentication flow. In addition, Outlook Mobile and ActiveSync endpoints use fixed redirect URIs that cannot be changed. These factors strongly suggest that HMA is not supported for linked mailboxes with ActiveSync. 

    To address this issue, there are two possible approaches: 

    1. You could temporarily fall back to Basic Authentication or NTLM to check if Outlook Mobile functions correctly. However, I do not recommend this approach because it may introduce security risks and is no longer strongly supported by Microsoft. 
    2. If applicable, consider migrating the linked mailbox to a more traditional mailbox configuration. Hybrid Modern Authentication is designed to work best in a pure hybrid setup, which would provide better compatibility.   

    I hope this helps clarify your situation. Please let me know if you need further assistance or have any updates. 




2 additional answers

  1. Q&A Assist
    2025-11-17T17:48:59.5866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Exchange Hybrid Modern Authentication (HMA) is supported for Linked Mailboxes; however, there are specific considerations when using ActiveSync. The error you are encountering, particularly the message stating "There are no active tokens for this mailbox in the token store," suggests that there may be issues with the token management or configuration related to the Linked Mailboxes.

    In your scenario, the error from the Test-HMAEAS.ps1 script indicates a mismatch in the redirect URI. This could be due to the application registration in Azure not having the correct redirect URI configured. Ensure that the redirect URI specified in your request matches one of the URIs configured for the application in Azure Active Directory.

    To resolve the issues:

    1. Verify that the redirect URI in your application registration matches the one being used in your requests.
    2. Check the token store for any active tokens and ensure that the mailbox is correctly synchronized between Exchange Online and the on-premises Exchange.
    3. If problems persist, consider reviewing the configuration of your Linked Mailboxes and ensure that all prerequisites for HMA are met.

    If you continue to face challenges, further troubleshooting may be required to ensure that both the HMA setup and the Linked Mailbox configurations are correctly implemented.


  2. RobsExchange 20 Reputation points
    2025-11-25T20:36:28.38+00:00

    Hi @Vergil-V

    Thank you for your feedback and for your explanation that seems correct.

    In my case, I cannot use a standard (non-linked) mailbox because we have two Active Directory forests (Accounts and Resources) with more than 10.000 mailboxes.

    Linked mailboxes remain mandatory, even when working with HMA.

