Best practices for server-side synchronization
Updated: November 28, 2016
Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online
Consider the following when planning and deploying server-side synchronization.
By default, the Microsoft Exchange Online email server profile is created for Dynamics 365 (online) organizations and should be your first choice. If you want to use your own profile, you use Dynamics 365 (online), and Exchange Online, and both services are on the same tenant, use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles).
Settings | Recommendation |
|---|---|
Auto Discover Server Location | Yes |
Incoming Connection | |
Authenticate Using | Server to Server Authentication |
Use Impersonation | No |
Use same settings for Outgoing | Yes |
Using one account to process email to all mailboxes is easier to maintain but requires using an account that has access to all mailboxes in Outlook or Exchange. The account must have impersonation rights on Exchange. If that single account is compromised, all mailboxes using that account are compromised. Use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles to use a single account for email processing.
Settings | Recommendation |
|---|---|
Incoming Connection | |
Authenticate Using | Credentials Specified in Email Server Profile |
User Name | The administrator’s user name |
Password | The administrator’s password |
Use Impersonation | Yes |
Use same settings for Outgoing | Yes |
Delegation (Use Impersonation = No) is not supported for syncing Appointments, Contacts, and Tasks.
An alternative to a single account to process emails is using individual accounts. This method requires more maintenance effort but does not focus security on a single account. If you want each user account to synchronize with Outlook or Exchange and you’re not using the Microsoft Exchange Online email server profile, use the following settings (Settings > Email Configuration > Email Server Profiles).
Settings | Recommendation |
|---|---|
Incoming Connection | |
Authenticate Using | Credentials Specified by a User or Queue |
Use Impersonation | No |
Use same settings for Outgoing | Yes |
Set the following in each user mailbox.
Settings | Recommendation |
|---|---|
Credentials | |
Allow to Use Credentials for Email Processing | Yes |
User Name | The user name for the mailbox |
Password | The password for the mailbox |
By default, Microsoft Dynamics 365 doesn’t allow users to enter their email address or password when it detects that the credentials may be transmitted over a non-secure channel, such as HTTP. Dynamics 365 enforces this by disabling the ability to select “Yes” next to “Allow to Use Credentials for Email Processing” on the user mailbox form.
However, if your deployment is using SSL offloading where Dynamics 365 can’t detect the offloading, you can configure Dynamics 365 on-premises versions to allow the transmission of email credentials. This work around is only available with Microsoft Dynamics CRM 2013 and later on-premises versions.
 Warning |
|---|
Before you execute the following SQL statement, back up your configuration and organization database. More information: Back up the Microsoft Dynamics 365 System |
USE MSCRM_CONFIG GO IF EXISTS (SELECT ColumnName, BitColumn FROM DeploymentProperties WHERE ColumnName = ‘AllowCredentialsEntryViaInsecureChannels’ AND BitColumn=0) BEGIN Update DeploymentProperties set BitColumn=1 where ColumnName=’AllowCredentialsEntryViaInsecureChannels’ END
© 2016 Microsoft. All rights reserved. Copyright