How to Fix error “Access Denied” or “Something went wrong [4usqa]”

Rajesh 0 Reputation points
2025-11-03T06:11:05.8766667+00:00

<PII removed> I am getting the error “Access Denied” or “Something went wrong [4usqa]” while configuring free/busy calendar sync from Exchange on-premises to M365 Teams and calendar sync. I have also enabled the Microsoft Information Protection API, as previously suggested: Sign in to Entra admin - Applications - Enterprise Applications

  1. Go to application ID 40775b29-2688-xxxx-xxxx-b256bd04df9f (Microsoft Information Protection API), but I am still getting the same error.
Exchange | Exchange Server | Management

2 answers

  1. Teddie-D 7,485 Reputation points Microsoft External Staff Moderator
    2025-11-03T09:11:50.6133333+00:00

    Hi @Rajesh 

    Thank you for posting your question in the Microsoft Q&A forum. 

    Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

    This Access Denied (4usqa) issue typically stems from failed free/busy lookups between Exchange Online and on-premises due to OAuth misconfiguration or EWS authentication issues. Enabling the Microsoft Information Protection API fixes Outlook sign‑in but does not resolve hybrid Free/Busy by itself.

    Here are some recommended steps to validate and correct your hybrid configuration: 

    1. Validate Hybrid Modern Authentication (OAuth) on both sides.

    - Exchange Online

    Get-OrganizationConfig | fl OAuth2ClientProfileEnabled
    # If False:
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    

    This allows Exchange Online to accept and send OAuth tokens to your on-premises Exchange. 

    - Exchange On-Premises

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true 
    

    - Verify OAuth trust and certificate

    Get-AuthServer
    Get-AuthConfig | fl CurrentCertificateThumbprint,ServiceName,NextCertificateThumbprint
    Get-ExchangeCertificate -Thumbprint <ThumbprintFromGet-AuthConfig>
    

    If the current Auth certificate is valid and synchronized, do not rotate it.

    If your OAuth certificate expired or is mismatched between EXO and on-prem: 

    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate
    iisreset /noforce
    

    Then re-test OAuth flow: 

    Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <******@domain.com> -Verbose 
    

    2. Confirm Organization Relationship & IntraOrganizationConnector

    Run on both sides (on-prem and EXO): 

    Get-OrganizationRelationship | fl Name,Enabled,FreeBusyAccessEnabled,FreeBusyAccessLevel,TargetAutodiscoverEpr,TargetSharingEpr
    Get-IntraOrganizationConnector | fl Name,Enabled,DiscoveryEndpoint,TargetAddressDomains
    

    Ensure: 

    - Enabled = True

    - FreeBusyAccessEnabled = True

    - FreeBusyAccessLevel = LimitedDetails (or higher)

    - TargetAutodiscoverEpr and DiscoveryEndpoint point to valid, reachable URLs

    If any are missing or incorrect, re-run the Hybrid Configuration Wizard (HCW) to re-stamp relationships and OAuth metadata. 

    3. Validate EWS & Autodiscover reachability

    Use Microsoft Remote Connectivity Analyzer > Choose Exchange Server > Free/Busy test (Office 365 to on-prem).

    Confirm both Autodiscover and EWS endpoints are reachable externally. Then, check EWS authentication on-prem: 

    Get-WebServicesVirtualDirectory | fl Identity,ExternalUrl,InternalUrl,WindowsAuthentication,BasicAuthentication,OAuthAuthentication 
    

    If OAuthAuthentication is not enabled: 

    Set-WebServicesVirtualDirectory "EWS (Default Web Site)" -OAuthAuthentication $true 
    IISReset /noforce 
    

    4. Test with Microsoft’s Hybrid Free/Busy tools

    - Start with the guided troubleshooter to identify the failing direction (cloud > on-prem or vice versa).

    - Then run the Hybrid Free/Busy Configuration Checker (FreeBusyChecker.ps1) from Exchange Management Shell. It reads both OAuth and DAuth configuration across on‑prem and EXO and flags likely mis‑stamps without changing anything.
    Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link. 

    5. Teams uses Exchange Web Services (EWS) with delegated OAuth to read on-prem calendars. Confirm the OAuth configuration in Teams:

    Get-CsOAuthConfiguration 
    

    If misaligned, re-run Hybrid Configuration Wizard with Modern Authentication enabled. 

    I hope this information is helpful. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
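
One way to script the "Ensure" checklist from step 2 of the answer above, as an added example that is not part of the original answer or of Microsoft's tooling. The function name `Test-HybridFreeBusyObject` is hypothetical, the sample objects are constructed, and the https requirement is an assumption; the check covers URL syntax only, not reachability.

```powershell
# Added example (not from the answer): checks objects shaped like the output of
# Get-OrganizationRelationship / Get-IntraOrganizationConnector against the
# "Ensure" list in step 2. Read-only; it changes nothing.
function Test-HybridFreeBusyObject {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    process {
        $issues = @()
        $props  = $InputObject.PSObject.Properties.Name
        if ($InputObject.Enabled -ne $true) { $issues += 'Enabled is not True' }
        if ($props -contains 'FreeBusyAccessEnabled') {
            # Organization relationship: both free/busy settings must allow lookups.
            if ($InputObject.FreeBusyAccessEnabled -ne $true) { $issues += 'FreeBusyAccessEnabled is not True' }
            $level = "$($InputObject.FreeBusyAccessLevel)"
            if ($level -in '', 'None', 'AvailabilityOnly') {
                $issues += "FreeBusyAccessLevel is '$level' (below LimitedDetails)"
            }
        }
        # Endpoint property: TargetAutodiscoverEpr on a relationship, DiscoveryEndpoint on a connector.
        $endpointName = 'DiscoveryEndpoint'
        if ($props -contains 'TargetAutodiscoverEpr') { $endpointName = 'TargetAutodiscoverEpr' }
        $endpoint = "$($InputObject.$endpointName)"
        $uri = $null
        # Assumption: a valid endpoint is an absolute https URL. Reachability is not tested here.
        $parsed = [uri]::TryCreate($endpoint, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $parsed -or $uri.Scheme -ne 'https') {
            $issues += "$endpointName '$endpoint' is not an absolute https URL"
        }
        [pscustomobject]@{
            Name    = $InputObject.Name
            Healthy = ($issues.Count -eq 0)
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample objects (names and URL are placeholders, not real output).
$samples = @(
    [pscustomobject]@{ Name = 'On-premises to O365'; Enabled = $true; FreeBusyAccessEnabled = $true
                       FreeBusyAccessLevel = 'AvailabilityOnly'
                       TargetAutodiscoverEpr = 'https://autodiscover.contoso.example/autodiscover/autodiscover.svc/WSSecurity' }
    [pscustomobject]@{ Name = 'HybridIOC'; Enabled = $false; DiscoveryEndpoint = '' }
)
$samples | Test-HybridFreeBusyObject | Format-List

# Against a live organization (run on both sides, as the answer says):
# Get-OrganizationRelationship   | Test-HybridFreeBusyObject
# Get-IntraOrganizationConnector | Test-HybridFreeBusyObject
```

With the constructed samples, the first object is flagged for its access level and the second for being disabled and having no discovery endpoint.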


  2. Rajesh 0 Reputation points
    2025-11-07T09:25:50.6266667+00:00


    Need assistance – Event ID 2008 MSExchange OAuth (Federation Metadata Certificate mismatch) in Exchange 2019 Hybrid

