24 changes: 18 additions & 6 deletions Diagnostics/FreeBusyChecker/Functions/CommonFunctions.ps1
Expand Up @@ -4,7 +4,7 @@ function Test-ExchangeOnlineConnection {
Write-Host -ForegroundColor Green " Checking Exchange Online Configuration"
Write-Host " Testing Connection to Exchange Online with EO Prefix."
try {
$CheckExoMailbox = Get-EOMailbox $Script:UserOnline -ErrorAction Stop
$CheckExoMailbox = get-EOMailbox $Script:UserOnline -ErrorAction Stop

Member

Why was this changed to a lower case? We shouldn't be doing that.

if ($null -ne $CheckExoMailbox) {
return $true
} else {
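
Review bot: the cmdlet name inside the `try` block goes from `Get-EOMailbox` to `get-EOMailbox`, which changes nothing at run time because PowerShell resolves command names case-insensitively, and it departs from the Verb-Noun PascalCase used by the surrounding calls. Revert the line so this hunk drops out of the diff.
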
Expand All @@ -24,12 +24,24 @@ function FetchEWSInformation {
if (-not $Script:WebServicesVirtualDirectory -or -not $Script:WebServicesVirtualDirectoryOAuth) {
$Script:WebServicesVirtualDirectory = Get-WebServicesVirtualDirectory -Server $Script:Server | Select-Object Identity, Name, ExchangeVersion, *Authentication*, *url -ErrorAction SilentlyContinue
$Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory

Copilot AI Apr 30, 2026

FetchEWSInformation no longer assigns $Script:ExchangeOnPremEWS from the retrieved virtual directory ExternalUrl, but CheckParameters now requires $Script:ExchangeOnPremEWS to be set. This can lead to “missing parameter” behavior even when EWS data was successfully fetched from the server. If the intended behavior is still to auto-populate the on-prem EWS URL when available, set $Script:ExchangeOnPremEWS here (ideally only if it isn’t already set and ExternalUrl is present), or otherwise update the parameter-validation flow to match the new requirement.

Suggested change
$Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory
$Script:WebServicesVirtualDirectoryOAuth = $Script:WebServicesVirtualDirectory
if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremEWS)) {
$externalUrl = $Script:WebServicesVirtualDirectory |
Where-Object { $null -ne $_.ExternalUrl } |
Select-Object -First 1 -ExpandProperty ExternalUrl
if ($null -ne $externalUrl) {
$Script:ExchangeOnPremEWS = $externalUrl.ToString()
}
}


Member

Why are we now deciding only for this one to do a $null check before setting it? This does add up why we are needing to check for this.

$Script:ExchangeOnPremEWS = ($Script:WebServicesVirtualDirectory.externalURL.AbsoluteUri)

if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremEWS)) {
$externalUrl = $Script:WebServicesVirtualDirectory |
Where-Object { $null -ne $_.ExternalUrl } |
Select-Object -First 1 -ExpandProperty ExternalUrl

if ($null -ne $externalUrl) {
$Script:ExchangeOnPremEWS = $externalUrl.ToString()
}
}
}
}
function CheckIfExchangeServer {
$exchangeShell = Confirm-ExchangeShell
if (-not($exchangeShell.ShellLoaded)) {
param (
[string]$Server
)
$exchangeServer = Get-ExchangeServer $Server -ErrorAction SilentlyContinue
if (!$exchangeServer) {
Comment on lines +40 to +44
Member

Why was a change made here?

Write-Host "$Server is not an Exchange Server. This script should be run in Exchange Server Management Shell"
exit
}
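
Review bot: in CheckIfExchangeServer, `Get-ExchangeServer $Server -ErrorAction SilentlyContinue` followed by `if (!$exchangeServer)` reports every failure as "$Server is not an Exchange Server", including an error raised by the cmdlet itself, and then calls `exit`. Run the lookup with `-ErrorAction Stop` inside `try`/`catch` so the real error is shown and only a genuine "not found" produces this message. In FetchEWSInformation, `Select-Object -First 1 -ExpandProperty ExternalUrl` picks one URL without saying which virtual directory it came from when several are returned; print the identity that was chosen.
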
Expand All @@ -42,10 +54,10 @@ function CheckParameters {
if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremLocalDomain)) {
$MissingParameters += "Exchange On Premises Local Domain. Example: . 'C:\scripts\FreeBusyChecker\FreeBusyChecker.ps1' -OnPremisesUser John@Contoso.com"
}
if ([string]::IsNullOrWhiteSpace($exchangeOnPremDomain)) {
if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremDomain)) {

Member

Why was this only changed here vs properly fixing things at all the locations? There are a lot of mixed results here for using $ExchangeOnPremDomain and $Script:ExchangeOnPremDomain

Contributor Author

Currently, I notice that many of our customers are already using this script before opening a case. Just today, I archived a case that was 142 days old when it came to me, and that script found the root cause in 1 minute. The customer had created both the Federation Certificate and Auth certificate in the same way one creates a self-signed certificate, therefore with incorrect namespaces. This was very hard to spot, as only the namespace on the certificate was incorrect.

As the script currently provides the wrong verdict for the Auth Server check, my suggestion is that we drop the other changes that require some time to implement and proceed with the Auth Server one, either in this PR or a new PR, and I address those needs separately.

$MissingParameters += "Exchange On Premises Domain. Example: -OnPremLocalDomain Contoso.local"
}
if ([string]::IsNullOrWhiteSpace($exchangeOnPremEWS)) {
if ([string]::IsNullOrWhiteSpace($Script:ExchangeOnPremEWS)) {

Member

Same here

$MissingParameters += "Exchange On Premises EWS Virtual Directory External URL. Example: 'C:\FreeBusyChecker.ps1' -OnPremEWSUrl https://mail.contoso.com/EWS/Exchange.asmx"
}
if ([string]::IsNullOrWhiteSpace($Script:UserOnPrem)) {
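
Review bot: the hints appended to `$MissingParameters` do not match the variables being tested: the `$Script:ExchangeOnPremLocalDomain` check suggests `-OnPremisesUser John@Contoso.com`, and the `$Script:ExchangeOnPremDomain` check suggests `-OnPremLocalDomain Contoso.local`. Since this hunk already corrects which variables are tested, align each example with the parameter that populates that variable, so a user who hits the message passes the right switch.
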
21 changes: 13 additions & 8 deletions Diagnostics/FreeBusyChecker/Functions/OnPremOAuthFunctions.ps1
Expand Up @@ -49,9 +49,12 @@ function IntraOrgConCheck {
}
function AuthServerCheck {
#PrintDynamicWidthLine
Write-Host -ForegroundColor Green " Get-AuthServer | Select Name,IssuerIdentifier,TokenIssuingEndpoint,AuthMetadataUrl,Enabled"
Write-Host -ForegroundColor Green " Get-AuthServer | Select Name, Realm, IssuerIdentifier, TokenIssuingEndpoint, AuthMetadataUrl, Enabled"
PrintDynamicWidthLine
$AuthServer = Get-AuthServer | Where-Object { $_.Name -like "ACS*" } | Select-Object Name, IssuerIdentifier, TokenIssuingEndpoint, AuthMetadataUrl, Enabled
$AuthServer = Get-AuthServer |
Where-Object { $_.Name -like "EvoSts*" } |
Sort-Object Name |
Select-Object -First 1 Name, Realm, IssuerIdentifier, TokenIssuingEndpoint, AuthMetadataUrl, Enabled
$AuthServer
$Script:tDAuthServerIssuerIdentifier = $AuthServer.IssuerIdentifier
$Script:tDAuthServerTokenIssuingEndpoint = $AuthServer.TokenIssuingEndpoint
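
Review bot: after `Where-Object { $_.Name -like "EvoSts*" } | Sort-Object Name | Select-Object -First 1`, `$AuthServer` is `$null` when no auth server has that name prefix, and the lines that follow read `$AuthServer.IssuerIdentifier` and `$AuthServer.TokenIssuingEndpoint` without a guard. Add an explicit check that reports that no EvoSts auth server was found. When more than one matches, `-First 1` validates only the alphabetically first and says nothing about the rest; either check each match or print which one was chosen.
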
Expand All @@ -61,30 +64,30 @@ function AuthServerCheck {
Write-Host -ForegroundColor Green " Summary - Auth Server"
PrintDynamicWidthLine
Write-Host -ForegroundColor White " IssuerIdentifier: "
if ($AuthServer.IssuerIdentifier -like "00000001-0000-0000-c000-000000000000" ) {
if ($AuthServer.IssuerIdentifier -like "https://sts.windows.net/$($AuthServer.Realm)/" ) {
Write-Host -ForegroundColor Green " " $AuthServer.IssuerIdentifier
$Script:tDAuthServerIssuerIdentifierColor = "green"
} else {
Write-Host -ForegroundColor Red " IssuerIdentifier appears not to be correct."
Write-Host -ForegroundColor White " Should be 00000001-0000-0000-c000-000000000000"
Write-Host -ForegroundColor White " Should be https://sts.windows.net/<Cloud Tenant ID>/"
$Script:tDAuthServerIssuerIdentifierColor = "red"
}
Write-Host -ForegroundColor White " TokenIssuingEndpoint: "
if ($AuthServer.TokenIssuingEndpoint -like "https://accounts.accesscontrol.windows.net/*" -and $AuthServer.TokenIssuingEndpoint -like "*/tokens/OAuth/2" ) {
if ($AuthServer.TokenIssuingEndpoint -like "https://login.windows.net/common/oauth2/token*" ) {
Write-Host -ForegroundColor Green " " $AuthServer.TokenIssuingEndpoint
$Script:tDAuthServerTokenIssuingEndpointColor = "green"
} else {
Write-Host -ForegroundColor Red " TokenIssuingEndpoint appears not to be correct."
Write-Host -ForegroundColor White " Should be https://accounts.accesscontrol.windows.net/<Cloud Tenant ID>/tokens/OAuth/2"
Write-Host -ForegroundColor White " Should be https://login.windows.net/common/oauth2/token"
$Script:tDAuthServerTokenIssuingEndpointColor = "red"
}
Write-Host -ForegroundColor White " AuthMetadataUrl: "
if ($AuthServer.AuthMetadataUrl -like "https://accounts.accesscontrol.windows.net/*" -and $AuthServer.TokenIssuingEndpoint -like "*/tokens/OAuth/2" ) {
if ($AuthServer.AuthMetadataUrl -like "https://login.windows.net/*/federationmetadata/2007-06/federationmetadata.xml" ) {
Write-Host -ForegroundColor Green " " $AuthServer.AuthMetadataUrl
$Script:tDAuthServerAuthMetadataUrlColor = "green"
} else {
Write-Host -ForegroundColor Red " AuthMetadataUrl appears not to be correct."
Write-Host -ForegroundColor White " Should be https://accounts.accesscontrol.windows.net/<Cloud Tenant ID>/Metadata/json/1"
Write-Host -ForegroundColor White " Should be https://login.windows.net/<Initial Tenant Domain>/FederationMetadata/2007-06/FederationMetadata.xml"
$Script:tDAuthServerAuthMetadataUrlColor = "red"
}
Write-Host -ForegroundColor White " Enabled: "
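
Review bot: the three comparisons use `-like` where the expected value is fixed, which makes the green verdict looser than the "Should be" text. `"https://login.windows.net/common/oauth2/token*"` accepts any suffix after `token`, and `"https://login.windows.net/*/federationmetadata/2007-06/federationmetadata.xml"` accepts any tenant segment; the IssuerIdentifier pattern interpolates `$($AuthServer.Realm)`, so an empty Realm or wildcard characters in it change what matches. Use `-eq` for the issuer and the token endpoint, and check that Realm is non-empty before building the expected issuer string.
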
Expand Down Expand Up @@ -541,6 +544,7 @@ function AutoDVirtualDCheckOauth {
function EWSVirtualDirectoryCheckOAuth {
Write-Host -ForegroundColor Green " Get-WebServicesVirtualDirectory -Server $($server)| Select Identity,Name,ExchangeVersion,*Authentication*,*url"
PrintDynamicWidthLine
FetchEWSInformation
$W = $WebServicesVirtualDirectoryOAuth | Format-List
$W
EWSVirtualDirectoryCheckOAuthHtmlHead
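
Review bot: `FetchEWSInformation` assigns `$Script:WebServicesVirtualDirectoryOAuth`, but the line after the new call reads `$WebServicesVirtualDirectoryOAuth` without the scope prefix. It resolves through the parent scope, but a local variable of the same name would shadow it; use the `$Script:` prefix here so the read matches what the called function writes.
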
Expand Down Expand Up @@ -623,6 +627,7 @@ function EWSVirtualDirectoryCheckOAuth {
}
Write-Host -ForegroundColor White " Should be True"
}
#PrintDynamicWidthLine
Write-Host -ForegroundColor White "`n WindowsAuthentication:"
if ($WebServicesVirtualDirectoryOauth.WindowsAuthentication -eq "True") {
foreach ( $ser in $WebServicesVirtualDirectoryOauth) {
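
Review bot: the added line `#PrintDynamicWidthLine` is a commented-out call, so it has no effect; either call `PrintDynamicWidthLine` or leave the line out. In the context below it, `$WebServicesVirtualDirectoryOauth.WindowsAuthentication -eq "True"` is evaluated on the same variable the `foreach` iterates, and with more than one virtual directory `-eq` returns the matching elements, so the branch is taken when any one of them is True.
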
2 changes: 1 addition & 1 deletion Diagnostics/FreeBusyChecker/Functions/hostOutput.ps1
Expand Up @@ -83,7 +83,7 @@ function hostOutputIntraOrgConEnabled($Auth) {
Write-Host -ForegroundColor White " -> Running for OAuth only as OAuth takes precedence over DAuth;"
Write-Host -ForegroundColor White "`n This script can be Run using the -Auth All parameter to Check for both OAuth and DAuth configuration. `n `n Example: ./FreeBusyChecker.ps1 -Auth All"
Write-Host -ForegroundColor White "`n This script can be Run using the -Auth DAuth parameter to Check for DAuth configuration only. `n `n Example: ./FreeBusyChecker.ps1 -Auth DAuth"
lookupMethodDAuthHtml
lookupMethodOAuthHtml
}
if ($Auth -like "All") {
lookupMethodCheckAllHtml
2 changes: 1 addition & 1 deletion Diagnostics/FreeBusyChecker/Functions/htmlContent.ps1
Expand Up @@ -119,7 +119,7 @@ margin-right: 1%;
</li>
</ul>
</div>
<div class='Black' style = 'padding-left: 0%;'><h2Configuration:</h2></div>
<div class='Black' style = 'padding-left: 0%;'><h2>Configuration:</h2></div>
<p style='margin-left:2%;'>TLS 1.2 should be Enabled in order for Hybrid Free Busy to work. To confirm TLS Settings please Run the HealthChecker Script</p>
<ul>
<li><a href='https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/'>Microsoft Exchange Health Checker Script</a></li>