Connect Dynamics 365 (on-premises) to Exchange Online

Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

This topic describes how to configure server-based authentication between Dynamics 365 (on-premises) and Exchange Online. The diagram below illustrates the communication between Dynamics 365 (on-premises), Azure Active Directory, and Exchange Online.

Permissions required

Microsoft Dynamics 365

• System Administrator security role.

• If you are using a self-signed certificate for evaluation purposes, you must have local Administrators group membership on the computer where Microsoft Dynamics 365 Server is running.

Exchange Online

• Office 365 Global Administrators membership. This is required for administrative-level access to the Office 365 subscription and to run the Microsoft AzurePowerShell cmdlets.

Set up server-based authentication with Microsoft Dynamics 365 and Exchange Online

Follow the steps in the order provided to set up Dynamics 365 (on-premises) with Exchange Online.

Verify prerequisites

Before you configure Dynamics 365 (on-premises) and Exchange Online for server-based authentication, the following prerequisites must be met:

• Microsoft Dynamics 365 Hybrid Connector. The Microsoft Dynamics 365 Hybrid Connector is a free connector that lets you use server-based authentication with Microsoft Dynamics 365 (on-premises) and Exchange Online. More information: Microsoft Dynamics 365 Hybrid Connector

• An x509 digital certificate issued by a trusted certificate authority that will be used to authenticate between Dynamics 365 (on-premises) and Exchange Online. If you are evaluating server-based authentication, you can use a self-signed certificate.

The following software features are required to run the Windows PowerShell cmdlets described in this topic:

• Microsoft Online Services Sign-In Assistant for IT Professionals Beta

• Azure Active Directory Module for Windows PowerShell (64-bit version)

Set up server-based authentication

1. On the Microsoft Dynamics 365 Server where the deployment tools server role is running, start the Azure Active Directory Module for Windows PowerShell.

   Important

   The computer where you run the following PowerShell commands must have the prerequisite software features described earlier in Verify prerequisites.

2. Prepare the certificate. Replace contoso\adminstrator with your domain\account.

   $CertificateScriptWithCommand = “.\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount contoso\administrator -storeFindType FindBySubjectDistinguishedName”
   
   Invoke-Expression -command $CertificateScriptWithCommand
   

3. Prepare the Windows PowerShell session.

   The following cmdlets enable the computer to receive remote commands and add Office 365 modules to the Windows PowerShell session. For more information about these cmdlets see Windows PowerShell Core Cmdlets.

   Enable-PSRemoting -force
   New-PSSession
   Import-Module MSOnline -force
   Import-Module MSOnlineExtended -force
   

4. Connect to Office 365.

   When you run the Connect-MsolService command, you must provide a valid Microsoft account that has Office 365 Global Administrator membership for the Exchange Online license that is required.

   For detailed information about each of the Azure Active Directory PowerShell commands listed here, see MSDN: Manage Azure AD using Windows PowerShell.

   $msolcred = get-credential
   connect-msolservice -credential $msolcred
   

5. Set the certificate.

   $STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList c:\Personalcertfile.pfx, personal_certfile_password
   $PFXCertificateBin = $STSCertificate.GetRawCertData()
   $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
   $Certificate.Import(“c:\Personalcertfile.cer”)
   $CERCertificateBin = $Certificate.GetRawCertData()
   $CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)
   

6. Set the Azure Active Directory Service Principal Name (SPN) in Exchange Online.

   Replace *.contoso.com with the domain name where Microsoft Dynamics 365 Server is located.

   $RootDomain = “*.contoso.com”
   $CRMAppId = "00000007-0000-0000-c000-000000000000" 
   New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
   $CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
   $ServicePrincipalName = $CRM.ServicePrincipalNames
   $ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
   $ServicePrincipalName.Add("$CRMAppId/$RootDomain")
   Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName
   

7. Configure the Microsoft Dynamics 365 Server for server-based authentication with Exchange Online.

   Add-PSSnapin Microsoft.Crm.PowerShell 
   $setting = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
   $setting.LogicalName = "ServerSettings"
   $setting.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
   $attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
   $setting.Attributes.Add($attribute1)
   $attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "https://accounts.accesscontrol.windows.net/metadata/json/1")
   $setting.Attributes.Add($attribute2)
   Set-CrmAdvancedSetting -Entity $setting
   

Set the Exchange Online tenant ID

1. In the Azure Active Directory module for Windows PowerShell shell, run the following commands.

   $CRMContextId = (Get-MsolCompanyInformation).ObjectID
   $CRMContextId
   

2. Copy the GUID that is displayed to the clipboard.

3. Update S2STenantId for the organization by running these commands, where OrganizationName is the unique name of the organization.

   $organizationName = “OrganizationName”
   $CRMContextId = “ExchangeOnlineTenantId”
   $orgInfo = Get-CrmOrganization -Name $organizationName
   $ID = $orgInfo.id 
   
    if($ID)
        {
          Set-CrmAdvancedSetting -ID $orgInfo.ID -configurationEntityName "Organization" -setting "S2STenantId" -value $CRMContextId
        }
   

Troubleshoot enable server-based authentication wizard validation issues

Error: Failed Authentication. This error can be returned when the certificate used for server-to-server authentication is missing or invalid. Update or install the certificate and try again.

Create an email server profile

1. Go to Settings > Email Configuration > Email Server Profiles.

2. Click New > Exchange Online (Hybrid).

3. For an Exchange email server profile, specify the following details.

   Fields	Description
   General
   Name	Specify a meaningful name for the profile.
   Description	Type a short description about the objective of the email server profile.
   Server Type	Pre-populated with Exchange Online (Hybrid).
   Owner	Pre-populated with the name of the owner of the email server profile.
   Use Default Tenant ID	If you've used the PowerShell commands above to set the Exchange Online tenant ID (recommended), click Yes to use that ID. If you set this to No, you must specify the Exchange Online tenant ID manually (not recommended!).
   Exchange Online Tenant ID	If you've used the PowerShell commands above to set the Exchange Online tenant ID (recommended), the ID is pre-populated in this field.
   Auto Discover Server Location	Pre-populated with the Exchange Online URL. Click Yes (recommended), if you want to use the auto discover service to determine the server location. If you set this to No, you must specify the email server location manually.
   Incoming Server Location and Outgoing Server Location	If you select No in Auto Discover Server Location, enter a URL for Incoming Server Location and Outgoing Server Location.
   Advanced
   Additional Settings
   Process Email From	Select a date and time. Email received after the date and time will be processed by server-side synchronization for all mailboxes associated with this profile. If you set a value less than the current date, the change will be applied to all newly associated mailboxes and their earlier processed emails will be pulled.
   Minimum Polling Intervals in Minutes	Type the minimum polling interval, in minutes, for mailboxes that are associated with this email server profile. The polling interval determines how often server-side synchronization polls your mailboxes for new email messages.
   Move Failed Emails to Undeliverable Folder	To move the undelivered email to the Undeliverable folder, click Yes. If there’s an error in tracking email messages in Dynamics 365 as email activities, and if this option is set to Yes, the email message will be moved to the Undeliverable folder.

4. Click Save.

5. Click Test Connection and review the results. To diagnose issues, see the following section.

Troubleshoot the Exchange Online (Hybrid) profile connection

If you’ve run Test Connection and have issues with the Exchange Online (Hybrid) profile connection, use the information in the Test Connection dialog box to diagnose and fix the connection.

You can find information on recurring issues and other troubleshooting information in Blog: Test and Enable Mailboxes in Microsoft Dynamics CRM 2015 and Troubleshooting and monitoring server-side synchronization.

Configure default email processing and synchronization

Set server-side synchronization to be the default configuration method.

1. Go to Settings > Email Configuration > Email Configuration Settings.

2. Set the processing and synchronization fields as follows:

   • Server Profile: The profile you created in the above section.

   • Incoming Email: Server-Side Synchronization or Email Router

   • Outgoing Email: Server-Side Synchronization or Email Router

   • Appointments, Contacts, and Tasks: Server-Side Synchronization or Email Router

     Note

     If your users primarily use Dynamics 365 for Outlook on their desktop computers, Microsoft Dynamics 365 for Outlook might be a better choice.

   If you leave the Email processing form unapproved user and queues at the default values (selected), you will need to approve emails and queues for user mailboxes as directed below in Approve Email.

   

3. Click OK.

Configure mailboxes

To set mailboxes to use the default profile, you must first set the Server Profile and the delivery method for email, appointments, contacts, and tasks.

In addition to administrator permissions, you must have Read and Write privileges on the Mailbox entity to set the delivery method for the mailbox.

Select one of the following methods:

Set mailboxes to the default profile

1. Go to Settings > Email Configuration > Mailboxes.

2. Click Active Mailboxes.

3. Select all the mailboxes that you want to associate with the Exchange Server profile you created, click Apply Default Email Settings, verify the settings, and then click OK.

   

   By default, the mailbox configuration is tested and the mailboxes are enabled when you click OK.

Edit mailboxes to set the profile and delivery methods

1. Go to Settings > Email Configuration > Mailboxes.

2. Click Active Mailboxes.

3. Select the mailboxes that you want to configure, and then click Edit.

4. In the Change Multiple Records form, under Synchronization Method, set Server Profile to the Exchange Server profile you created earlier.

5. Set Incoming and OutgoingEmail to Server-Side Synchronization or Email Router.

6. Set Appointments, Contacts, and Tasks to Server-Side Synchronization.

   Note

   If your users primarily use Dynamics 365 for Outlook on their desktop computers, Microsoft Dynamics 365 for Outlook might be a better choice.

7. Click Change.

Approve email

You need to approve each user mailbox or queue before that mailbox can process email.

1. Go to Settings > Email Configuration > Mailboxes.

2. Click Active Mailboxes.

3. Select the mailboxes that you want to approve, and then click More Commands (…) > Approve Email.

4. Click OK.

Test configuration of mailboxes

1. Go to Settings > Email Configuration > Mailboxes.

2. Click Active Mailboxes.

3. Select the mailboxes you want to test, and then click Test & Enable Mailboxes.

   This tests the incoming and outgoing email configuration of the selected mailboxes and enables them for email processing. If an error occurs in a mailbox, an alert is shown on the Alerts wall of the mailbox and the profile owner. Depending on the nature of the error, Microsoft Dynamics 365 tries to process the email again after some time or disables the mailbox for email processing.

   The result of the email configuration test is displayed in the Incoming Email Status, Outgoing Email Status, and Appointments, Contacts, and Tasks Status fields of a mailbox record. An alert is also generated when the configuration is successfully completed for a mailbox. This alert is shown to the mailbox owner.

Test email configuration for all mailboxes associated with an email server profile

1. Go to Settings > Email Configuration > Email Server Profiles.

2. Select the profile you created, and then click Test & Enable Mailboxes.

   When you test the email configuration, an asynchronous job runs in the background. It may take a few minutes for the test to be completed. Microsoft Dynamics 365 tests the email configuration of all the mailboxes associated with the Exchange Server profile. For the mailboxes configured with server-side synchronization for synchronizing appointments, tasks, and contacts, it also checks to make sure they’re configured properly.

See Also

Troubleshooting and monitoring server-side synchronization
Test mail flow with the Remote Connectivity Analyzer
Integrate (synchronize) your email system with Microsoft Dynamics 365
Set up server-side synchronization of email, appointments, contacts, and tasks
Server-side synchronization

© 2017 Microsoft. All rights reserved. Copyright