Exchange On-Premises Federation Trust Broken with SOAP Auth Failure After Office 365 Domain Verification
After deleting and recreating an on-premises Exchange federation trust during Office 365 domain verification, Test-FederationTrust fails with SOAP fault errors 0x80048821 / 0x80041012 ('passwords do not match') when requesting a delegation token from the Microsoft Federation Gateway. Despite the misleading error wording, the issue is caused by a certificate or ApplicationIdentifier binding mismatch introduced by trust recreation, and may be compounded when the remote federated organisation has not yet migrated to Office 365. Resolution involves removing and cleanly recreating the federation trust, validating DNS proof records, and confirming the remote organisation's migration status.
Indicators
- Test-FederationTrust -Verbose returns 'Failed to request delegation token'
- SOAP fault error code 0x80048821 with subcode 0x80041012
- SOAP fault detail contains 'The entered and stored passwords do not match' although no password is configured anywhere in the trust; the on-premises side authenticates to the gateway with its federation certificate, so this text is the gateway's wording for a failed credential check, not evidence of a password problem
- wst:FailedAuthentication returned from login.microsoftonline.com/extSTS.srf
- Organizational relationships broken with the same authentication failure
- Federation trust recreation via EAC or PowerShell does not resolve the failure
- ApplicationIdentifier and ApplicationUri are present in Get-FederationTrust output but token issuance still fails
Likely causes
- Deleting and recreating the federation trust during Office 365 domain verification breaks the certificate or token binding registered with the Microsoft Federation Gateway
- Mismatch between the ApplicationIdentifier registered with the Microsoft Federation Gateway and the local trust configuration after recreation
- Stale or mismatched self-signed federation certificate after trust recreation that has not been properly re-registered with the gateway
- Cached credential or token state in the Microsoft Federation Gateway not updated to reflect the recreated trust
- The remote federated organisation has not yet migrated to Office 365, causing an incompatibility between legacy and modern federation endpoints
- DNS TXT proof record for the federated domain deleted or invalidated during Office 365 domain verification steps
Diagnostic steps
- Run 'Test-FederationTrust -Verbose' in the Exchange Management Shell and capture the full output to identify the exact step in the token request chain that fails (trust object check, certificate check, gateway metadata request, delegation token request), noting the error codes returned.
- Run 'Get-FederationTrust | FL' to review the ApplicationIdentifier, ApplicationUri, OrgCertificate thumbprint, and token issuer endpoint configuration for inconsistencies. Confirm with 'Get-ExchangeCertificate -Thumbprint <OrgCertificate thumbprint>' that the certificate exists in the local store, with its private key, on the server you are testing from.
- Run 'Get-FederatedOrganizationIdentifier | FL' to verify the account namespace and federated domains are configured, enabled and match the Office 365 verified domain.
- Run 'Set-FederationTrust -Identity "Microsoft Federation Gateway" -RefreshMetadata' and re-test. This re-reads the gateway's published metadata (including its token-issuer certificate) without altering the local trust and is the least disruptive fix to try before removing anything.
- Verify the federation TXT proof record is still present in public DNS for the account namespace and for every federated domain. The record is published at the zone apex of the federated domain itself, for example 'Resolve-DnsName -Name contoso.com -Type TXT -Server 8.8.8.8', not at an autodiscover host, and its value must match the proof returned by 'Get-FederatedDomainProof -DomainName contoso.com' for the current certificate. Recreate the record if it was removed during Office 365 domain verification.
- Remove the existing broken federation trust and recreate it. The federated organization identifier is bound to the trust, so first remove any additional federated domains ('Remove-FederatedDomain'), disable the identifier ('Set-FederatedOrganizationIdentifier -Enabled $false'), then run 'Remove-FederationTrust "Microsoft Federation Gateway"'. Recreate the trust via the Exchange Admin Center Enable Federation wizard or the 'New-FederationTrust' cmdlet. A new trust registers a new ApplicationIdentifier with the gateway, and a new certificate produces new proof strings, so regenerate them with 'Get-FederatedDomainProof', publish the TXT records and allow them to propagate before re-binding the account namespace and domains.
- After recreating the trust, run 'Test-FederationTrust -Verbose' again and confirm token retrieval succeeds past the delegation token request stage before re-testing organisational relationships with 'Test-OrganizationRelationship'.
- Check whether the remote federated organisation's Exchange environment has also been migrated to Office 365, comparing what it publishes with 'Get-FederationInformation -DomainName <remote domain>', as a cross-version federation endpoint incompatibility may be the root cause that cannot be resolved locally.
- If the issue persists after all local remediation steps, open a Microsoft Support ticket referencing error codes 0x80048821 and 0x80041012, with the full 'Test-FederationTrust -Verbose' output, the 'Get-FederationTrust | FL' output and the old and new ApplicationIdentifier values attached.
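The diagnostic steps above, collected into one pass. This is an added example, not a script from the original page: it assumes the trust carries the EAC default name "Microsoft Federation Gateway", that 8.8.8.8 is reachable as an external resolver, and that the result objects expose the properties the Exchange Management Shell displays for them (Id/Type/Message for Test-FederationTrust, Thumbprint/Proof for Get-FederatedDomainProof). It writes a baseline to disk, checks the certificate binding, compares the published TXT proofs with the ones Exchange expects, and only then tries the non-destructive metadata refresh.

```powershell
# Added diagnostic pass, not code from the original page. Run in the Exchange
# Management Shell on an on-premises Exchange server.
# Assumptions: trust named "Microsoft Federation Gateway" (the EAC default) and
# 8.8.8.8 reachable as an external resolver.

$TrustName = 'Microsoft Federation Gateway'
$Resolver  = '8.8.8.8'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Baseline before changing anything: trust and organization identifier to file.
$trust = Get-FederationTrust -Identity $TrustName
$orgId = Get-FederatedOrganizationIdentifier
$trust | Format-List | Out-File "FederationTrust-$stamp.txt"
$orgId | Format-List | Out-File "FedOrgId-$stamp.txt"
Write-Host "ApplicationIdentifier : $($trust.ApplicationIdentifier)"
Write-Host "ApplicationUri        : $($trust.ApplicationUri)"

# 2. Certificate binding: the certificate the trust advertises to the gateway must be
#    on this server with its private key. The gateway's "passwords do not match" text
#    is what a failed certificate-based authentication looks like from its STS.
$thumb = $trust.OrgCertificate.Thumbprint
$cert  = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Warning "Trust certificate $thumb not found in the local store"
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Trust certificate $thumb has no private key on this server"
} else {
    Write-Host "Trust certificate $thumb present, valid until $($cert.NotAfter)"
}

# 3. DNS proof: the TXT record sits at the apex of each federated domain (not under
#    autodiscover) and must carry the proof string derived from the current certificate.
$domains = (@([string]$orgId.AccountNamespace) +
            @($orgId.Domains | ForEach-Object { [string]$_.DomainName })) | Sort-Object -Unique
foreach ($d in $domains) {
    $published = Resolve-DnsName -Name $d -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    foreach ($proof in Get-FederatedDomainProof -DomainName $d) {
        if ($published -contains $proof.Proof) {
            Write-Host "[OK]      $d proof for certificate $($proof.Thumbprint) is published"
        } else {
            Write-Warning "[MISSING] $d : publish TXT '$($proof.Proof)' at the zone apex (certificate $($proof.Thumbprint))"
        }
    }
}

# 4. Least disruptive fix first: re-read the gateway's metadata (its token-issuer
#    certificate can roll over), then re-test and keep the result for the ticket.
Set-FederationTrust -Identity $TrustName -RefreshMetadata
$results  = Test-FederationTrust -Verbose          # verbose trace prints to the console
$results | Format-List | Out-File "Test-FederationTrust-$stamp.txt"
$failures = @($results | Where-Object { $_.Type -eq 'Error' })
if ($failures.Count -gt 0) {
    $failures | Format-Table Id, Message -AutoSize -Wrap
    Write-Warning 'Delegation token request still failing; proceed to trust removal and recreation'
} else {
    Write-Host 'Test-FederationTrust passed; re-test organization relationships next'
}
```

Querying an external resolver with -DnsOnly avoids being misled by an internal split-brain zone that still carries the proof record the public zone has lost.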
Resolution path
- Confirm the federation trust failure via 'Test-FederationTrust -Verbose' and record error codes 0x80048821 / 0x80041012 for reference
- Review current trust configuration with 'Get-FederationTrust | FL' and 'Get-FederatedOrganizationIdentifier | FL' to establish a baseline before making changes
- Verify that the federation DNS TXT proof record remains valid in public DNS at the apex of the account namespace and of each federated domain (the expected value comes from 'Get-FederatedDomainProof') and recreate it if it was removed during Office 365 domain verification
- Remove the broken trust and recreate it cleanly: remove additional federated domains, disable the federated organisation identifier, run 'Remove-FederationTrust "Microsoft Federation Gateway"', recreate the trust via EAC or New-FederationTrust, then publish the regenerated DNS proof records and let them propagate before re-binding the account namespace and domains
- Rerun 'Test-FederationTrust -Verbose' to confirm token issuance now succeeds and re-enable organisational relationships
- Confirm whether the remote federated organisation has migrated to Office 365; if not, coordinate their migration as the incompatibility between legacy and modern federation endpoints may prevent full resolution until both sides operate on the same infrastructure
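The remove-and-recreate sequence from the diagnostic steps and the resolution path above, as one script. This is an added example, not a procedure from the original page or from Microsoft; the values are placeholders (trust name "Microsoft Federation Gateway", account namespace contoso.com, one extra federated domain sales.contoso.com, test mailbox user@contoso.com), and the tear-down order follows the object dependencies (domains, then the organisation identifier bound to the trust, then the trust). Check each cmdlet's output before moving to the next step.

```powershell
# Added remediation sequence, not code from the original page. Run in the Exchange
# Management Shell only after the diagnostic pass has confirmed the trust is broken.
# Assumed placeholder values; replace all of them with your own.
$TrustName    = 'Microsoft Federation Gateway'
$Namespace    = 'contoso.com'
$ExtraDomains = @('sales.contoso.com')
$TestUser     = 'user@contoso.com'

# 0. Baseline: the ApplicationIdentifier changes when the trust is recreated, so record
#    the old value for the support ticket and for coordination with remote organisations.
$old = Get-FederationTrust -Identity $TrustName
"Old ApplicationIdentifier: $($old.ApplicationIdentifier)" | Tee-Object -FilePath FederationBaseline.txt

# 1. Tear down in dependency order. Organization relationships are left in place;
#    they stop working until the new trust is up and tested.
foreach ($d in $ExtraDomains) { Remove-FederatedDomain -DomainName $d -Confirm:$false }
Set-FederatedOrganizationIdentifier -Enabled $false -Confirm:$false
Remove-FederationTrust -Identity $TrustName -Confirm:$false

# 2. Fresh self-signed federation certificate. It authenticates the organisation to the
#    gateway and the DNS proof strings are derived from it, so new cert = new proofs.
$cert = New-ExchangeCertificate -FriendlyName 'Exchange Federation' `
    -SubjectName "CN=Federation, O=$Namespace" -DomainName $Namespace `
    -Services Federation -PrivateKeyExportable $true -KeySize 2048

# 3. New trust; this registers a new ApplicationIdentifier / ApplicationUri with the gateway.
$new = New-FederationTrust -Name $TrustName -Thumbprint $cert.Thumbprint
"New ApplicationIdentifier: $($new.ApplicationIdentifier)" |
    Tee-Object -FilePath FederationBaseline.txt -Append

# 4. Publish the new proof TXT records for every domain before binding them; the
#    proof-of-ownership check fails until the record is visible in public DNS.
foreach ($d in @($Namespace) + $ExtraDomains) {
    Get-FederatedDomainProof -DomainName $d |
        ForEach-Object { "$d  IN TXT  $($_.Proof)" } |
        Tee-Object -FilePath FederationProofs.txt -Append
}
Read-Host 'Publish the TXT records above at each zone apex, wait for propagation, then press Enter'

# 5. Bind the account namespace and the additional domains to the new trust.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $Namespace -Enabled $true
foreach ($d in $ExtraDomains) { Add-FederatedDomain -DomainName $d }

# 6. The delegation token request must succeed before organization relationships are touched.
$test = Test-FederationTrust -UserIdentity $TestUser -Verbose
if ($test | Where-Object { $_.Type -eq 'Error' }) {
    throw 'Test-FederationTrust still reports errors; stop here and collect the verbose output'
}

# 7. Re-test every organization relationship against the new trust. A remote organisation
#    that has not completed its own migration may still fail here, as the page notes.
Get-OrganizationRelationship | ForEach-Object {
    Test-OrganizationRelationship -Identity $_.Identity -UserIdentity $TestUser
}
```

The pause in step 4 is deliberate: Set-FederatedOrganizationIdentifier and Add-FederatedDomain validate the TXT proof against public DNS at the moment they run, so publishing the records and binding the domains in the same breath produces a proof-of-ownership failure that looks like yet another trust problem.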
Prevention
- Before deleting an on-premises federation trust for Office 365 domain verification, document the existing ApplicationIdentifier, OrgCertificate thumbprint, federated domains, and DNS proof tokens
- Use Microsoft's Hybrid Configuration Wizard where possible, as it manages federation trust steps and certificate registration automatically, reducing manual error risk
- Coordinate the Office 365 domain verification and federation trust recreation timing with the remote federated organisation to minimise the disruption window
- Maintain a record of the federation DNS TXT proof strings so they can be quickly re-applied if removed during domain verification, and note that they are derived from the federation certificate: after a certificate change or trust recreation they must be regenerated with 'Get-FederatedDomainProof' and republished before domains can be re-bound
- Test federation trust recreation in a lab or staging Exchange environment before performing the procedure in production
- Notify dependent federated organisations of planned federation trust maintenance windows and confirm their migration status before proceeding
Tools
- Test-FederationTrust -Verbose (Exchange Management Shell)
- Get-FederationTrust (Exchange Management Shell)
- Get-FederatedOrganizationIdentifier (Exchange Management Shell)
- Remove-FederationTrust (Exchange Management Shell)
- New-FederationTrust (Exchange Management Shell)
- Exchange Admin Center (EAC) — Enable Federation wizard
- Resolve-DnsName (PowerShell DNS diagnostic)
- Get-FederatedDomainProof (Exchange Management Shell)
- Set-FederationTrust -RefreshMetadata (Exchange Management Shell)
- Get-ExchangeCertificate (Exchange Management Shell)
- Test-OrganizationRelationship (Exchange Management Shell)