Thank you for reaching out to the Microsoft Q&A forum.
Based on your description, I understand that you are moving from Exchange Server 2016 to Exchange Server Subscription Edition (SE) and want to enable Hybrid Modern Authentication (HMA). Your goal is to configure OAuth with Azure AD using Set-AuthConfig, publish new metadata, and validate OAuth settings so that Outlook clients, EWS, and ActiveSync authenticate through modern authentication without breaking hybrid functionality.
In short, the safest way to enable and validate HMA on SE is to focus on the EvoSTS (Azure AD) auth server, service principal name (SPN) registration in Microsoft Entra ID, virtual directory auth settings, and OAuth certificate health, not legacy ACS metadata. So, you can follow the steps below to set it up and read the linked documents for more insight.
Initially, you have to ensure that all Exchange SE front-end servers are on the latest CU/HU, that MAPI/HTTP is enabled, and that there is no SSL offload (SSL bridging is supported), and then check the Exchange Auth certificate status:
Get-AuthConfig | Format-List CurrentCertificateThumbprint,NextCertificateThumbprint
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | fl Subject,Thumbprint,NotAfter
If rotation is needed, use Set-AuthConfig -PublishCertificate (or the new thumbprint/effective date options) per the AuthConfig docs. For more information, see Maintain the Exchange Server OAuth certificate.
Next, run the latest Hybrid Configuration Wizard (HCW) to ensure the EvoSTS AuthServer exists and is enabled, then verify/enable EvoSTS as the default authorization endpoint and turn on modern auth for clients as stated in Set-AuthServer:
Get-AuthServer | ft Name,Enabled
Set-AuthServer -Identity "EvoSTS" -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Next, you have to enable OAuth on the virtual directories and register SPNs:
- Enable OAuth on all relevant vDirs (the MAPI vDir has no -OAuthAuthentication switch; OAuth is added through -IISAuthenticationMethods):
Get-MapiVirtualDirectory | Set-MapiVirtualDirectory -IISAuthenticationMethods Ntlm,OAuth,Negotiate
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -OAuthAuthentication $true
Get-OABVirtualDirectory | Set-OABVirtualDirectory -OAuthAuthentication $true
- Add your on‑prem HTTPS namespaces and confirm the SPNs were added:
Get-MgServicePrincipal -Filter "AppId eq '<AppId>'" | Select-Object -ExpandProperty ServicePrincipalNames
For more information: How to configure Exchange Server on-premises to use Hybrid Modern Authentication
Finally, you can validate OAuth in both directions with EWS:
# From on-prem to EXO:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/EWS -Mailbox "******@contoso.com"
# From EXO to on-prem:
Verify hybrid Free/Busy:
Get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity ******@contoso.com
On clients, confirm AuthN = Bearer (Outlook Connection Status). Address test failures by checking SPNs, identity sync, or proxy settings (older Test-OAuthConnectivity versions did not honor InternetWebProxy).
Link reference: https://v4.hkg1.meaqua.org/en-us/powershell/module/exchangepowershell/test-oauthconnectivity?view=exchange-ps
Hope my answer will help you. For any further concern, kindly let me know in the comment section.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
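As an added end-to-end example (not part of the answer above, and not Microsoft's own script), the following PowerShell runs the checks from all of the steps in one pass: OAuth certificate expiry, EvoSTS state, OAuth2ClientProfileEnabled, OAuth on each vDir, SPN coverage in Entra ID for every HTTPS namespace the vDirs publish, and an on-prem-to-EXO Test-OAuthConnectivity. It assumes it is run in the Exchange Management Shell on an Exchange SE server with the Microsoft Graph PowerShell SDK loaded and Connect-MgGraph already done (Application.ReadWrite.All is needed only for -FixSpns), and that $TestMailbox is a hybrid user homed in EXO. The AppId used is the well-known Office 365 Exchange Online first-party application ID; confirm it against the HMA document before relying on it. The parameter names, the -FixSpns switch and the 60-day warning threshold are mine.

```powershell
# Added example: HMA readiness check for Exchange SE (report-only unless -FixSpns is given).
# Assumes: Exchange Management Shell on an SE server, Connect-MgGraph already run.
param(
    [Parameter(Mandatory)] [string]$TestMailbox,   # hybrid user homed in EXO
    [switch]$FixSpns,                              # register missing SPNs in Entra ID
    [int]$CertWarnDays = 60                        # assumption: warn inside 60 days of expiry
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. OAuth certificate health: warn if expiry is near and no next certificate is staged
$auth = Get-AuthConfig
$cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction Stop
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"OAuth cert {0} expires {1:d} ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $daysLeft
if ($daysLeft -lt $CertWarnDays -and -not $auth.NextCertificateThumbprint) {
    $problems.Add("OAuth cert expires in $daysLeft days and no NextCertificateThumbprint is staged")
}

# 2. EvoSTS auth server must exist, be enabled and be the default authorization endpoint
$evo = Get-AuthServer | Where-Object { $_.Name -like 'EvoSts*' } | Select-Object -First 1
if (-not $evo) { $problems.Add('No EvoSTS AuthServer found; re-run the latest HCW') }
elseif (-not $evo.Enabled) { $problems.Add("$($evo.Name) is disabled") }
elseif (-not $evo.IsDefaultAuthorizationEndpoint) {
    $problems.Add("$($evo.Name) is not the default authorization endpoint")
}

# 3. Modern auth switched on for clients
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    $problems.Add('OAuth2ClientProfileEnabled is False (Set-OrganizationConfig -OAuth2ClientProfileEnabled $true)')
}

# 4. OAuth on every vDir Outlook touches, and collect the HTTPS namespaces they publish.
#    MAPI exposes OAuth through IISAuthenticationMethods; the others have OAuthAuthentication.
$hosts = New-Object System.Collections.Generic.HashSet[string]
function Add-Hosts($vdir) {
    foreach ($u in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
        if ($u) { [void]$hosts.Add(([uri]$u).Host.ToLower()) }
    }
}
foreach ($v in @(Get-MapiVirtualDirectory)) {
    $methods = @($v.IISAuthenticationMethods | ForEach-Object { "$_" })
    if ($methods -notcontains 'OAuth') { $problems.Add("OAuth missing from IISAuthenticationMethods on $($v.Identity)") }
    Add-Hosts $v
}
foreach ($v in @(Get-WebServicesVirtualDirectory) + @(Get-OABVirtualDirectory) + @(Get-AutodiscoverVirtualDirectory)) {
    if (-not $v.OAuthAuthentication) { $problems.Add("OAuthAuthentication is False on $($v.Identity)") }
    Add-Hosts $v
}

# 5. Every published namespace must be an SPN on the Exchange Online service principal
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known EXO first-party AppId; verify against the HMA doc
$sp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
$wanted  = @($hosts | ForEach-Object { "https://$_" })
$missing = @($wanted | Where-Object { $sp.ServicePrincipalNames -notcontains $_ })
"Namespaces found on vDirs: $($wanted -join ', ')"
if ($missing.Count -gt 0) {
    $problems.Add("SPNs missing in Entra ID: $($missing -join ', ')")
    if ($FixSpns) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -ServicePrincipalNames ($sp.ServicePrincipalNames + $missing)
        "Registered SPNs: $($missing -join ', ')"
    }
}

# 6. On-prem -> EXO OAuth handshake over EWS
$t = Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' -Mailbox $TestMailbox
if ($t.ResultType -ne 'Success') { $problems.Add("Test-OAuthConnectivity EWS -> EXO failed: $($t.Detail)") }

if ($problems.Count -gt 0) { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
'HMA readiness checks passed'
```

Run it first without -FixSpns and review the "Namespaces found on vDirs" line: any host that appears there but is not meant to be a public HMA namespace (for example a server FQDN left in an InternalUrl) should be corrected on the vDir rather than registered as an SPN, since the SPN list is what Entra ID will issue tokens for.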