Provisioning Exchange Online for Lync Hybrid Part II

In the previous blog post we started on provisioning Exchange Online mailboxes for a Lync Hybrid environment where some users are hosted on Lync on-premise and some on Lync On-line. Here in part 2 of this series, we complete the integration between Exchange Online and Lync Hybrid so that users can access all the Lync - Exchange integration features. The table below shows the features that are available with Lync Hybrid and Exchange Online:

One of the obvious limitations of having not completed the integration steps is that users who login to Outlook Web App via the Office365 portal will not be able to schedule Lync Online Meetings as shown in the screen capture below:

We may recall that for a typical on-premise deployment of both Lync and Exchange, we had to configure server-to-server authentication between the two servers by running the Configure-EnterprisePartnerApplication.ps1 script on Exchange Server 2013 and the New-CsPartnerApplication cmdlet on Lync Server 2013. The steps for this can be found in this TechNet article. For Lync Hybrid with Exchange Online, we basically need to do the same thing, except that we are configuring server-to-server authentication in a cross premise environment. In fact these steps are also provided in this TechNet article which this blog post is based on, but here I provide more detailed explanation on what is happening plus other vital pieces of information.

To begin, we first need to export the oAuth certificate from the Lync server. For a FE pool this certificate is typically found on the first FE server installed and can be seen by running the Lync Deployment Wizard on that server and running the Certificate Wizard such as  shown below:

We can run the Certificates MMC to export the oAuth certificate as shown below but the critical part is to make sure the certificate is exported as a Base64 encoded .cer format. If we export the certificate using the DER encoded format then the integration will simply not work:

Save the certificate file to the local drive as we will need to use it in a later step. Next, we find out what our TenantID is. To do this, open Windows Powershell on the Lync FE server and start a new-CsOnline Session. Then run the Get-CsTenant cmdlet as shown below:

With the TenantID, we now create a new oAuth Server using the "New-CsOAuthServer" cmdlet with identity "microsoft.sts" using the Lync Management shell as shown below: 

Next, we create a new Lync Partner Application for Exchange Online using the "New-CsPartnerApplication" cmdlet. The identity of this new partner application is "microsoft.exchange" and for Exchange Server the Application Identifier is "00000002-0000-0ff1-ce00-000000000000". We also need to specify the "-UserOAuthServer" flag. After creating the Partner Application we need to run the "Set-CsOAuthConfiguration" cmdlet to use the service name of "00000004-0000-0ff1-ce00-000000000000" which is actually the Application Identifier of Lync Server. These sequence of cmdlets are shown below:

Now we proceed to configure a trust relationship between Lync Server 2013 and the authorization server, and a second trust relationship between Exchange Online and the authorization server. This can only be done by using the Microsoft Online Services cmdlets. If not already done so, download and install the  First, download and install the 64-bit version of the Microsoft Online Services Sign-in Assistant and the 64-bit Windows Azure Active Directory Module on the Lync FE server. Open the Windows Azure AD Module and import the "MSOnlineExtended" module. Then run "Connect-MsolService" to connect to your tenant (it will ask you for your tenant admin credentials). Then run the "Get-MsolServicePrincipal" cmdlet make sure we are connected successfully. The Service Principal information should be returned successfully. These sequence of cmdlets are shown below:

The next step is to import, encode, and assign the oAuth certificate that was exported earlier. To import and encode the certificate, we run the following sequence of cmdlets below:

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("<complete pathname of oAuthCertificate>")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

After the certificate has been imported and encoded, we can then assign the certificate to the Office 365 service principals. To do that, we first create a new Service Principal Credential for Lync using the "New-MsolServicePrincipalCredential" cmdlet with the "AppPrincipalID" for Lync Server which is "00000004-0000-0ff1-ce00-00000000000". To verify this was successful we run the "Get-MsolServicePrincipalCredential" cmdlet to return the results. My example of a completed steps are shown below:

Next, and it is easy to miss this step, we repeat the same cmdlet but this time for Exchange Server which has the "AppPrincipalID" of "00000002-0000-0ff1-ce00-00000000000".

We're now at the home stretch. The last step involves configuring the Exchange Online Service Principal and configure your on-premise version of Lync Server 2013 as an Office 365 service principal. That can be done by carrying out the following cmdlets

Set-MSOLServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true

$lyncSP = Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
$lyncSP.ServicePrincipalNames.Add("00000004-0000-0ff1-ce00-000000000000/<Your On-Prem Lync External Web Services FQDN>")
Set-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames

The completed sequence of cmdlets is shown below:

To verify that the cmdlet ran successfully, run "Get-MsolServicePrincipal" with the Lync AppPrincipalID and see that the on-premise external Lync web services FQDN has been added successful as shown below:

Conclusion
If all the above steps are completed successfully, we should now be able to login to the Office365 Portal and open Outlook Web App. Then go to the Calendar and create a new event. This time, the Online Meeting icon should display correctly as shown below, and clicking on that icon will create a new Lync online meeting invite with the online meeting join URL. This should work for both users homed on Lync Online and Lync Onprem.