Authentication Broker for EWS
Introduction
Skype for Business users on-premises, Exchange users in the cloud
When an organisation uses SkypeShield credentials to sign in to Skype for Business, the same credentials are also sent to Exchange.
Traffic passes through the Bastion filters, where the Skype for Business and EWS credentials are converted to Windows credentials by our KCD filter, which creates Kerberos tickets so that the on-premises servers accept the requests.
When the user's account is homed in O365, however, a Kerberos ticket generated this way would not be accepted.
Instead, we obtain an Azure account impersonation authentication token and attach it to the request so that Exchange Online accepts it.
This requires creating (or reusing) an Azure application with the appropriate permissions.
Traffic flow
This assumes the Exchange server is configured manually on the client, with no Autodiscover.
The client sends the EWS request to Bastion on a dedicated URL, e.g. ews-online.company.com.
The EWS Filter verifies the SphereShield credentials sent by the client.
The EWS Filter obtains an authentication token from Azure and rewrites the request to use that token in place of the SphereShield credentials.
Bastion forwards the modified request to Exchange Online.
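As an added illustration (not SphereShield's or Bastion's own code), the following Python models the EWS Filter steps above in a single broker function: verify the SphereShield credentials, fetch a cached Azure token for the user, and replace the inbound Authorization header before anything is forwarded. The credential store, salt, user and the demo_acquire token source are constructed stand-ins; a real filter would call the Azure application in place of demo_acquire.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed stand-in for the SphereShield directory: username -> (PBKDF2 hash, cloud UPN).
SALT = b"constructed-salt"
def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
USERS = {"alice": (_kdf("correct horse"), "alice@company.onmicrosoft.com")}

def basic_header(user, password):
    # Builds the Basic header a client would send (used to construct sample input).
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def verify(authz):
    """Return the cloud UPN if the header carries valid SphereShield credentials, else None."""
    if not authz or not authz.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authz[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = USERS.get(user)
    # Constant-time comparison of the derived key against the stored hash.
    if entry is None or not hmac.compare_digest(_kdf(pw), entry[0]):
        return None
    return entry[1]

@dataclass
class TokenCache:
    acquire: object                 # callable: upn -> (token, expiry as epoch seconds)
    _tokens: dict = field(default_factory=dict)

    def get(self, upn):
        tok = self._tokens.get(upn)
        if tok is None or tok[1] - 60 < time.time():   # refresh a minute before expiry
            tok = self.acquire(upn)
            self._tokens[upn] = tok
        return tok[0]

def demo_acquire(upn):
    return f"tok-{upn}", time.time() + 3600   # constructed stand-in for the Azure token call

def broker(headers, cache):
    """EWS Filter step: verify, then replace the SphereShield header with a Bearer token."""
    upn = verify(headers.get("Authorization"))
    if upn is None:
        return 401, None            # rejected; nothing is forwarded to Exchange Online
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    out["Authorization"] = "Bearer " + cache.get(upn)
    return 200, out
```

The rewritten headers carry only the Azure token, so the client's SphereShield credentials never leave Bastion.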