Update AuthServerCheck, EWSVirtualDirectoryCheckOAuth, CheckIfExchang…#2533
Update AuthServerCheck, EWSVirtualDirectoryCheckOAuth, CheckIfExchang…#2533MarcoLFrancisco wants to merge 3 commits into
Conversation
…eServer, CheckParameters, hostOutputIntraOrgConEnabled, and HTML configuration rendering to align on-prem hybrid free/busy OAuth validation with modern EvoSTS-based auth and fix related output issues
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates FreeBusyChecker’s on-prem hybrid Free/Busy OAuth validation to align with modern EvoSTS-based hybrid authentication, and fixes related output/rendering behavior.
Changes:
- Switch AuthServer validation from legacy ACS patterns to EvoSTS (Realm/IssuerIdentifier/TokenIssuingEndpoint/AuthMetadataUrl).
- Adjust HTML/host output paths for OAuth vs DAuth and improve configuration section markup.
- Refactor Exchange server detection and EWS virtual directory data retrieval used by OAuth checks.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Diagnostics/FreeBusyChecker/Functions/htmlContent.ps1 | Fixes HTML heading markup for the configuration section. |
| Diagnostics/FreeBusyChecker/Functions/hostOutput.ps1 | Corrects which HTML lookup output is used when running OAuth-only. |
| Diagnostics/FreeBusyChecker/Functions/OnPremOAuthFunctions.ps1 | Updates AuthServer checks to EvoSTS and ensures EWS info fetch occurs before OAuth validation. |
| Diagnostics/FreeBusyChecker/Functions/CommonFunctions.ps1 | Refactors Exchange server validation and parameter checks; adjusts EWS info caching behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -24,12 +24,14 @@ function FetchEWSInformation { | |||
| if (-not $Script:WebServicesVirtualDirectory -or -not $Script:WebServicesVirtualDirectoryOAuth) { | |||
| $Script:WebServicesVirtualDirectory = Get-WebServicesVirtualDirectory -Server $Script:Server | Select-Object Identity, Name, ExchangeVersion, *Authentication*, *url -ErrorAction SilentlyContinue | |||
| $Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory | |||
There was a problem hiding this comment.
FetchEWSInformation no longer assigns $Script:ExchangeOnPremEWS from the retrieved virtual directory ExternalUrl, but CheckParameters now requires $Script:ExchangeOnPremEWS to be set. This can lead to “missing parameter” behavior even when EWS data was successfully fetched from the server. If the intended behavior is still to auto-populate the on-prem EWS URL when available, set $Script:ExchangeOnPremEWS here (ideally only if it isn’t already set and ExternalUrl is present), or otherwise update the parameter-validation flow to match the new requirement.
| $Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory | |
| $Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory | |
| if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremEWS)) { | |
| $externalUrl = $Script:WebServicesVirtualDirectory | | |
| Where-Object { $null -ne $_.ExternalUrl } | | |
| Select-Object -First 1 -ExpandProperty ExternalUrl | |
| if ($null -ne $externalUrl) { | |
| $Script:ExchangeOnPremEWS = $externalUrl.ToString() | |
| } | |
| } |
There was a problem hiding this comment.
Why are we now deciding only for this one to do a $null check before setting it? This does add up why we are needing to check for this.
Suggestion accepted Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| Write-Host " Testing Connection to Exchange Online with EO Prefix." | ||
| try { | ||
| $CheckExoMailbox = Get-EOMailbox $Script:UserOnline -ErrorAction Stop | ||
| $CheckExoMailbox = get-EOMailbox $Script:UserOnline -ErrorAction Stop |
There was a problem hiding this comment.
Why was this changed to a lower case? We shouldn't be doing that.
| param ( | ||
| [string]$Server | ||
| ) | ||
| $exchangeServer = Get-ExchangeServer $Server -ErrorAction SilentlyContinue | ||
| if (!$exchangeServer) { |
| $MissingParameters += "Exchange On Premises Local Domain. Example: . 'C:\scripts\FreeBusyChecker\FreeBusyChecker.ps1' -OnPremisesUser John@Contoso.com" | ||
| } | ||
| if ([string]::IsNullOrWhiteSpace($exchangeOnPremDomain)) { | ||
| if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremDomain)) { |
There was a problem hiding this comment.
Why was this only changed here vs properly fixing things at all the locations? There are a lot of mixed results here for using $ExchangeOnPremDomain and $Script:ExchangeOnPremDomain
There was a problem hiding this comment.
Currently, I notice that many of our customers are already using this script before opening a case. Just today, I archived a case that was 142 days old when it came to me, and that script found the root cause in 1 minute. The customer had created both the Federation Certificate and Auth certificate in the same way one creates a self-signed certificate, therefore with incorrect namespaces. This was very hard to spot, as only the namespace on the certificate was incorrect.
As the script currently provides the wrong verdict for the Auth Server check, my suggestion is that we drop the other changes that require some time to implement and proceed with the Auth Server one, either in this PR or a new PR, and I address those needs separately.
| $MissingParameters += "Exchange On Premises Domain. Example: -OnPremLocalDomain Contoso.local" | ||
| } | ||
| if ([string]::IsNullOrWhiteSpace($exchangeOnPremEWS)) { | ||
| if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremEWS)) { |
| @@ -24,12 +24,14 @@ function FetchEWSInformation { | |||
| if (-not $Script:WebServicesVirtualDirectory -or -not $Script:WebServicesVirtualDirectoryOAuth) { | |||
| $Script:WebServicesVirtualDirectory = Get-WebServicesVirtualDirectory -Server $Script:Server | Select-Object Identity, Name, ExchangeVersion, *Authentication*, *url -ErrorAction SilentlyContinue | |||
| $Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory | |||
There was a problem hiding this comment.
Why are we now deciding only for this one to do a $null check before setting it? This does add up why we are needing to check for this.
Suggestion accepted Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Issue:
Update on-prem Hybrid Free/Busy OAuth validation to match modern hybrid authentication behavior.
Reason:
The previous validation logic was checking older ACS-based values and had a few related output/parameter issues that did not align with current EvoSTS-based hybrid OAuth configuration.
Fix:
Updated AuthServerCheck, EWSVirtualDirectoryCheckOAuth, CheckIfExchangeServer, CheckParameters, hostOutputIntraOrgConEnabled, and related HTML output to validate the expected modern on-prem hybrid OAuth configuration and correct output behavior.
Validation:
Reviewed the updated output logic and rebuilt this change as a clean PR from current upstream/main with only the intended FreeBusyChecker function changes.