Configure OAuth between Skype for Business Server and Exchange Online

This PowerShell script (Author: Aaron Marks) configures OAuth between Skype for Business Server and Exchange Online.

Requirements:

• Must be ran from Skype4B Server
• Run from Elevated AAD PowerShell
• MS Online Service Sign-in Assistant RTW: http://go.microsoft.com/fwlink/?LinkID=286152
• AAD Powershell: http://go.microsoft.com/fwlink/p/?linkid=236297

<#

    .SYNOPSIS

    Configure-OAuth_ExOn_SfB_Server

    

    Aaron Marks

    

    THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE  

    RISK OF USE OR RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

    

    Version 2.0, 5/26/2016

    

    .DESCRIPTION

    Configure Oauth between Exchange Online and Skype for Business Server.

    

    .LINK

    http://www.turnpointtech.com

    

    .NOTES

    

    Requirements:

        - Must be ran from Skype4B Server

        - Run from Elevated AAD PowerShell

        - MS Online Service Sign-in Assistant RTW:  

            http://go.microsoft.com/fwlink/?LinkID=286152  

        - AAD PowerShell:  

            http://go.microsoft.com/fwlink/p/?linkid=236297  

    

    Special thanks to Christian Burke for providing the  

    commands used to assemble this script: http://goo.gl/25ZZfK

    

    And, Thanks to @PatRichard for writing the part to export the OAuth certificate.

    Revision History

    --------------------------------------------------------------------------------

    1.0     Initial release

    2.0     Auto-export of OAuth Cert

    

    

    .PARAMETER WebExt

    Web External url from Skype for Business Front End Pool.

    

    .EXAMPLE

    .\Configure-OAuth_ExOn_SfB_Server.ps1 -WebExt "webext.contoso.com"  

    

#>

[CmdletBinding(DefaultParameterSetName="Default")]

Param(

    [Parameter(Mandatory=$True, ParameterSetName="Default")]

        [string]$WebExt

) #Param

Process {

    

    $CertPath = "C:\OAuth-SfB-EXO.cer"

    $Thumbprint = (Get-CsCertificate -Type OAuthTokenIssuer).Thumbprint

    $OAuthCert = Get-ChildItem -Path Cert:\LocalMachine\My\$Thumbprint

    Export-Certificate -Cert $OAuthCert -FilePath $CertPath -Type CERT

    

    # Script

    Import-Module LyncOnlineConnector

    # Logging into SfB Online

    Write-Output "Logging into SfB Online"

    $cred = Get-Credential

    $CSSession = New-CsOnlineSession -Credential $cred  

    Import-PSSession $CSSession -AllowClobber  

    # Clean up Old Entries if necessary

    Write-Output "Clean up Old Entries if necessary"

    If ( (Get-CsOauthServer).Identity -match "microsoft.sts") {

        Write-Output "Removing existing microsoft.sts OauthServer"

        Remove-CsOauthServer -Identity microsoft.sts

    }

    If ( (Get-CsPartnerApplication).Identity -match "microsoft.exchange") {

        Write-Output "Removing existing microsoft.exchange PartnerApplication"

        Remove-CsPartnerApplication -Identity microsoft.exchange

    }

    # Create New OAuth Server

    Write-Output "Create New OAuth Server"

    $TenantId = (Get-CsTenant).TenantId

    $metadataurl = "https://accounts.accesscontrol.windows.net/" `

    + "$TenantId" + "/metadata/json/1"

    New-CsOAuthServer -Identity microsoft.sts -metadataurl $metadataurl

    # Create New Partner Application

    Write-Output "Create New Partner Application"

    New-CsPartnerApplication -Identity microsoft.exchange `

    -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 `

    -ApplicationTrustLevel Full -UseOAuthServer

    #Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

    # Elevate the SfB PowerShell  

    Write-Output "Elevate the SfB PowerShell"

    Import-Module MSOnlineExtended

    Connect-MsolService -Credential $cred

    Get-MsolServicePrincipal

    # Upload your OAuth Certificate

    Write-Output "Upload your OAuth Certificate"

    $certificate =  

    New-Object System.Security.Cryptography.X509Certificates.X509Certificate

    $certificate.Import("$CertPath")  

    $binaryValue = $certificate.GetRawCertData()  

    $credentialsValue = [System.Convert]::ToBase64String($binaryValue)  

    New-MsolServicePrincipalCredential `

    -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 `

    -Type Asymmetric -Usage Verify -Value $credentialsValue  

    Set-MSOLServicePrincipal -AppPrincipalID `

    00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true  

    # Add Your Lync External Web Services Name

    Write-Output "Add Your Lync External Web Services Name"

    $lyncSP = Get-MSOLServicePrincipal -AppPrincipalID `

    00000004-0000-0ff1-ce00-000000000000  

    $WebExtSpn = "00000004-0000-0ff1-ce00-000000000000/" + "$WebExt"

    $lyncSP.ServicePrincipalNames.Add("$WebExtSpn")  

    Set-MSOLServicePrincipal -AppPrincipalID `

    00000004-0000-0ff1-ce00-000000000000 `

    -ServicePrincipalNames $lyncSP.ServicePrincipalNames  

    

    Remove-PSSession $CSSession

    

} #Process

References:

• Online Meeting Icon Missing from OWA in Exchange Online
• TechNet script gallery: Configure OAuth between Skype for Business Server and Exchange Online