During the implementation of a rich-coexistence environment between an Exchange 2010 On-Premise environment and Office 365 I had an issue with Free/Busy, which didn’t work correctly. Using the On-Premise environment I could retrieve the Free/Busy information from an Office 365 user, but it didn’t work from Office 365 to On-Premise. The error I got was that it couldn’t connect to the On-Premise environment.

Because the Cloud couldn’t connect I decided to have a look at the TMG. No requests could be seen in the logging, so the requests were blocked somewhere else. To troubleshoot this issue I decided to connect to Office 365 via PowerShell.

To check if the organization relationship works correctly you can use Test-OrganizationRelationship, for example:

Test-OrganizationRelationship -Identity "To_OnPremise" -UserIdentity johan@domain.com

When I ran this cmdlet it gave the following error:

So there was an issue with the delegation token. The delegation token is provided by the Microsoft Federation Gateway. There are two gateways:

  • Consumer, used by Windows Live and Live.edu
  • Commercial, used by Office 365 and Exchange On-Premise environments

To check which federation gateway is used by the solution you can use the Get-FederatedOrganizationIdentifier cmdlet. This cmdlet returned the following output:

As you can see, the DelegationTrustLink has the value WindowsLiveID; this means that the consumer version of the federation gateway is used. Because this gateway can’t be used by Office 365 you won’t get a token from the federation gateway.

A correct federation from Office 365 side will look like this:

As you can see, the DelegationTrustLink has the value MicrosoftOnline, the commercial version of the Microsoft Federation Gateway.

To fix the issue you will need to contact Office 365 support. Support can recreate the federation trust, which ensures that a token can be retrieved from the Federation Gateway.
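
The DelegationTrustLink check described above can be scripted so it is quick to repeat after support recreates the trust. This is an added example, not code from the original post: Get-FederationGatewayStatus is a hypothetical helper name, the sample objects are constructed, and it assumes the property renders as a string ending in one of the two values named in the post.

```powershell
# Added example: classify the DelegationTrustLink value reported by
# Get-FederatedOrganizationIdentifier. Get-FederationGatewayStatus is a
# hypothetical helper name, not an Exchange cmdlet.
function Get-FederationGatewayStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$FederatedOrganizationIdentifier
    )
    process {
        # Cast to string so the check works whatever type the property has.
        $link = "$($FederatedOrganizationIdentifier.DelegationTrustLink)".Trim()

        # Match on the trailing name in case the value is rendered as a
        # longer identity (assumption). -Regex is case-insensitive.
        switch -Regex ($link) {
            '^$'               { $gateway = 'None';       $ok = $false; break }
            'WindowsLiveID$'   { $gateway = 'Consumer';   $ok = $false; break }
            'MicrosoftOnline$' { $gateway = 'Commercial'; $ok = $true;  break }
            default            { $gateway = 'Unknown';    $ok = $false }
        }

        [pscustomobject]@{
            DelegationTrustLink = $link
            Gateway             = $gateway
            UsableByOffice365   = $ok
        }
    }
}

# Constructed sample objects standing in for the cmdlet output, so the
# function can be tried without a remote session.
$samples = @(
    [pscustomobject]@{ DelegationTrustLink = 'WindowsLiveID' }
    [pscustomobject]@{ DelegationTrustLink = 'MicrosoftOnline' }
    [pscustomobject]@{ DelegationTrustLink = $null }
)
$samples | Get-FederationGatewayStatus | Format-Table -AutoSize

# In a remote PowerShell session connected to Office 365:
# Get-FederatedOrganizationIdentifier | Get-FederationGatewayStatus
```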


Johan Veldhuis