Using OAuth authentication to support Archiving in an Exchange hybrid deployment

Applies to: Exchange Server 2013

If you're in an Exchange 2013 hybrid deployment and use Exchange Online Archiving (EOA) for Exchange Server, you must configure OAuth authentication between your on-premises and Exchange Online organizations after upgrading to Exchange 2013 Cumulative Update 5 (CU5). EOA allows you to have a cloud-based archive for your users with on-premises mailboxes. In this scenario, the Messaging Records Management (MRM) assistant on your on-premises mailbox server applies archiving policies and moves messages automatically from a user's mailbox to their cloud-based archive. In Exchange 2013 CU5, it uses OAuth authentication.

For step-by-step instructions for configuring OAuth authentication, see Configure OAuth authentication between Exchange and Exchange Online organizations.

What is OAuth authentication?

OAuth authentication is a server-to-server authentication protocol that allows applications to authenticate to each other. With OAuth authentication, user credentials and passwords are not passed from one computer to another. Instead, authentication and authorization is based on the exchange of security tokens, which grant access to a specific set of resources for a specific amount of time.

OAuth authentication typically involves three parties: a single authorization server and the two realms that need to communicate with one another. Security tokens are issued by the authorization server (also known as a security token server) to the two realms that need to communicate; these tokens verify that communications originating from one realm should be trusted by the other realm. When using OAuth authentication between an on-premises Exchange organization and Exchange Online, the function of the authorization server is provided by Azure Active Directory Access Control Services (ACS) in your Microsoft 365 or Office 365 organization. For example, during a cross-premises eDiscovery search, Azure Active Directory ACS issues tokens that verify that an administrator or compliance officer from the Exchange on-premises organization is able to access mailboxes in the Exchange Online organization, and vice-versa.

Configuring OAuth authentication to support Archiving

As previously stated, see Configure OAuth authentication between Exchange and Exchange Online organizations for instructions to configure OAuth authentication to support Archiving in an Exchange hybrid deployment.

If OAuth isn't configured for your Exchange hybrid deployment, you can't use archive policies to automatically move items from a user's primary mailbox in your on-premises organization to the user's cloud-based archive in Exchange Online.

More information