I have a mailbox in on prem exchange server (which is in hybrid mode) abc@onprem.com and i am trying to access this via graph api (/messages). This works perfectly if i do this in graph explorer, but fails when i do via implementation.

Required application permission is given in Azure app registration portal. Implementation uses grant_type as client_credentials with certificate and this works perfectly for cloud users.

Response of API

{ 'error': {
    'innerError': {
        'date': '2019-02-28T14:17:45', 
        'request-id': '6a85f8c3-4e13-4cf0-84b2-ddc934241afd'
    },
    'message': '', 
    'code': 'UnknownError'
    }}

IIS Logs

1. For call came from graph explorer

2019-02-28 15:02:31 172.31.10.98GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=bc8e8aef-de46-4c72-bcf4-b4f567bc45dd; 443 S-1-5-21-1392771109-4043059535-3934338706-1147 20.190.145.177Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.80+Safari/537.36 - 200 0 0 287

2. For call from implemented app

2019-02-28 15:00:05 172.31.10.98GET /api/V2.0/Users('abc@onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=c504b658-b9df-43b5-9dbb-8e83050c3d2f; 443 - 20.190.128.103- - 401 0 0 102

1. What would be reason for this authentication failure , could it be because that token is provided by azure AD which is authenticated against onprem ?

Update

Added some more headers for logging and found that below is the error.

2019-03-04 04:05:13 172.31.10.98 GET /api/V2.0/Users('abc@onprem.com')/Messages &CorrelationID=;&cafeReqId=2823c302-3c84-4847-b586-accced4b6dd5; 443 - 20.190.145.177 PostmanRuntime/7.6.0 - 401 0 0 332 Bearer+eyJ0 blah blah.....blah blah.....hSd mail.onprem.com - - - Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+token_types="app_asserted_user_v1+service_asserted_app_v1",+authorization_uri="https://login.windows.net/common/oauth2/authorize",+error="invalid_token" 2000001;reason="This+token+profile+'V1S2SAppOnly'+is+not+applicable+for+the+current+protocol.";error_category="invalid_token"

We are using self signed certificate on exchange server , can this lead to this issue ? If so wondering how everything is working from graph explorer.

The issue is actually somewhere else - Exchange doesn't seem to support client_credentials flow. You can, however force it via following PowerShell (make sure to restart your IIS after applying):

$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions

The full explanation can be found here: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/