HCW Organization Configuration Transfer breaks Outlook connectivity to Office 365

5/16/2019 Update -- The latest version of the HCW (version 16.0.3054.9 ) no longer syncs the OAuth2ClientProfileEnabled property, which caused the issue. Thanks to the Exchange product group for fixing this so quickly.

Recent versions of the Office 365 Hybrid Configuration Wizard (HCW) offer a feature called Organization Configuration Transfer, which is documented here. Organization Configuration Transfer (OCT) copies the organization policy objects from on-premises to Exchange Online (EXO), and updates values in EXO with the values from on-premises.

OCT is an option when running the HCW, not a requirement. It is designed to reduce the number of policies and objects that need to be configured in EXO by copying them from on-prem. Admins can also occasionally re-transfer settings using OCT in order to update EXO with new or updated on-prem policies and configurations.

OCT was updated to OCT-V2 on November 2018 to include several additional objects that were not previously synced, including the Organization Config object. This poses a problem if your on-prem environment is not configured for hybrid modern authentication because it will turn off access to EXO from Outlook and Skype for Business. This happens when the OCT overwrites the OAuth2ClientProfileEnabled property using Set-OrganizationConfiguration. On-prem environments without hybrid modern auth have this property set to false, where online it is always true (unless you want to deny modern auth).

Review the objects that OCT will transfer

The OCT will update the OAuth2ClientProfileEnabled property to FALSE

Turning the OAuth2ClientProfileEnabled property to false disables modern authentication for clients like Outlook and Skype for Business, and users will be continuously prompted for authentication and will be unable to connect to Exchange Online. Hilarity does not ensue.

This happened in my own environment. I discovered using Admin Audit Logging that the OAuth2ClientProfileEnabled property in the Organization Config was set to false the Friday before the problem started on Sunday morning. That date/time corresponded to the HCW logs. I had re-run the HCW and the Org Transfer Friday afternoon, which set the property to false.

Fiddler showed the same error described in the Auth_URI Failures section of the HMA article (https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/):

HTTP/1.1 401 Unauthorized

Cache-Control: private​

Server: Microsoft-IIS/10.0​

request-id: 3e5472dd-320e-4378-85e1-e22f00b53d38​

X-CalculatedBETarget: dm6pr04mb6185.namprd04.prod.outlook.com​

X-RUM-Validated: 1​

X-UserType: Business​

x-ms-diagnostics: 4000000;reason="Flighting is not enabled for domain 'cloud@expta.com'.";error_category="oauth_not_available"​

X-DiagInfo: DM6PR04MB6185​

X-BEServer: DM6PR04MB6185​

X-AspNet-Version: 4.0.30319​

Set-Cookie: X-BackEndCookie2=cloud@expta.com=u56Lnp2ejJqByMzPms7OyJ3Sz5rNntLLnczJ0sbMz8rSm5qdm8vOy8uezcmegcfMycrGmc3L0sjMx5vSy8/JnNLHnpzM0prMypnMzcabz5vPxoHNz87G0s/K0s3Gq83NxcrIxcvMgZGeko+Nm8/L0Y+NkJvRkIqLk5CQlNGckJKBzw==; expires=Wed, 29-May-2019 22:57:43 GMT; path=/autodiscover; secure; HttpOnly​

Set-Cookie: X-BackEndCookie=cloud@expta.com=u56Lnp2ejJqByMzPms7OyJ3Sz5rNntLLnczJ0sbMz8rSm5qdm8vOy8uezcmegcfMycrGmc3L0sjMx5vSy8/JnNLHnpzM0prMypnMzcabz5vPxoHNz87G0s/K0s3Gq83NxcrIxcvMgZGeko+Nm8/L0Y+NkJvRkIqLk5CQlNGckJKBzw==; expires=Wed, 29-May-2019 22:57:43 GMT; path=/autodiscover; secure; HttpOnly​

X-Powered-By: ASP.NET​

X-FEServer: BYAPR02CA0010​

WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm=""​

Date: Mon, 29 Apr 2019 22:57:42 GMT​

Content-Length: 0​

Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this enabled.

To easily check if this is affecting your Exchange Online environment run the following cmdlet in EXO PowerShell:

(Get-OrganizationConfig).OAuth2ClientProfileEnabled

Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this value set to True. If it isn't, run the following cmdlet:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Note that it takes up to 30 minutes before the change becomes effective.

I've been working with the product team to remove this property transfer from OCT, since no one can think for a good reason for this property to sync in the first place. In the meantime, if you use OCT in the HCW you should remove the checkbox for Organization Config on the right-hand side.