The right panel of next graphic shows 2 last lines induced by the code on the left. The first has a 401 response from office asking that the client authenticate, given its request to list the mailbox contents of a particular (as yet unauthenticated) user. The second passes the basic credentials of the user to the microsoft online environment, which duly allows the mailbox transaction to proceed, having authenticated the user. The response value of the latter shows the mailbox values (of the now authenticated user).
When we look at our time-stamped STS logs, we can see what happened behind the scenes:
with the result sent back to the requesting microsoft online service being
Note that 5 and 6 in the trace are our accessing the website, to view the traces. Note their ping on mex and fed, after the initial RSTR is request and delivered. One sees the design of the control plane, wanting the signed metadata (fed) to CONTINUE to support the choice of mex address registered for the domain, no doubt.