You’re offline. This is a read only version of the page.
Skip to main content
Dynamics 365 Community
Cancel
Get involved
Get answers
Discover events
Learn Dynamics 365
More
Search
Community site session details
Session Id :
Copy
Close
Dynamics 365 Community Calls Return
Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft
Responsible AI policies for the Community
Dynamics 365 Community
/
Blogs
/
Dynamics 365 FastTrack Blog
/
Security of Server-Side Syn...
Security of Server-Side Synchronization - Part 4 - Use your own AAD App Reg
Views (13)
Josh Wells
Follow
Like
(
0
)
Share
Report
Up to this point in the Security of Server-Side Synchronization blog series, we covered the different ways of managing server-side synchronization (SSS) with the default Microsoft Exchange Online server profile within Dataverse. However, this configuration has some limitations.
Organizations that require additional control of the actions and permissions for SSS should create a mail server profile using their own Azure AD app registration. This configuration is defined as cross-tenant but as mentioned in the previous articles, it is supported within the same tenant as well. The documentation for setting this up can be found here:
Exchange Online cross-tenant authentication
Ensure to change the mail server profile for your user mailboxes to use the one you created when setting this up within Dataverse:
Exchange Application Access Policies
Organizations that want to further restrict the scope of mailboxes that SSS can access should consider using Exchange application access policies along with their Azure AD App registration. By defining a security group of only mailboxes that should be processed by SSS, you limit the exposure of potentially sensitive inboxes being incorrectly configured and processed by SSS. The following article covers creating an application access policy in detail:
Limiting application permissions to specific Exchange Online mailboxes
NOTE: After configuring an application access policy, it does take some time before the policy actually takes effect.
Role-Based Access Control for Applications
Another option that can be used to help limit the scope of Exchange mailbox access is to use Role Based Access Control (RBAC) for Applications. Currently, this feature is in preview, but it will, eventually, replace Application Access Policies.
Additional details for Role Based Access Control for Applications can be found in the following article:
Role Based Access Control for Applications in Exchange Online
Caveats
There is a known issue with using this configuration for cross-tenant support. The cross-tenant server profile actually changes how SSS communicates with Microsoft Exchange. When using the default Exchange Online profile, SSS connects to a user’s mailbox via Microsoft Graph API. However, with the cross-tenant server profile, instead of using Graph API, SSS uses Exchange Web Services (EWS). Due to this, the Exchange manifest file used to create the App for Outlook application within Outlook fails to deploy. This is currently being investigated on how we can support this particular scenario
.
For more information about deploying the App for Outlook application, please review this document:
Deploy and install Dynamics 365 App for Outlook
IMPORTANT: Cross-tenant configuration between multiple tenants does not support Dynamics 365 App for Outlook. Supportability is only for this configuration within the same tenant.
Through the series of these articles, you should now understand how server-side synchronization (SSS) connects and authenticates to a Dynamics 365/Dataverse user’s Exchange mailbox and different configurations to limit the exposure of unexpected processing of an Exchange mailbox.
See the other articles of this blog series:
1.
Security of Server-Side Synchronization - Part 1 - Overview
2.
Security of Server-Side Synchronization - Part 2 - Review and restrict access of SSS
3.
Security of Server-Side Synchronization - Part 3 - Monitor SSS activity
4.
Security of Server-Side Synchronization - Part 4 - Use your own AAD App Reg (Current)
Comments
Add new comment
Comment on this blog post
New#123
You don't have the appropriate permissions.
kammerlt
10
Posted
at
Security of Server-Side Synchronization - Part 4 - Use your own AAD App Reg
Dear Josh,
that is a very detailed and intresting blog post. Thanks a lot for all the information shared.
I would like to configure Server Side Synch with a custom App Registration with Dynamics CRM 365 v9.1 on-prem. But i
think that's not possible for now, at least the UI is different with the Authentication Method missing when creating a Hybrid Profile.
Does anyone know if this feature will be implemented in a future release of the on-prem version or if it can be done, with maybe some changes
to the orgdb settings or with another uknown customization?
Thanks and kind regards,
Thomas
Like
(
0
)
Report
Messages
Welcome,
Profile
Messages
My activity
Sign out
#1
297,389
Super User 2025 Season 2
#2
235,924
Most Valuable Professional
#3
101,160
Moderator
