Server-Side Synchronization Series Part 5: Automatic Incoming Email Promotion

This fifth part of the Server-Side Sync blog series will focus on user correlation methods not including in-reply-to.

Introduction

"Select the email messages to track in Microsoft Dynamics 365" might be the most dangerous Dynamics 365 setting every user has inherent access to. Located within personalization settings, at first glance it doesn't appear that nefarious. Perhaps this setting expands the capabilities of manually tracking emails using the App for Outlook? Maybe it expands which emails Dynamics has access to from my customers? Changing the setting to something else can't be that big of a deal, right?

If you're an HR director with a very confidential inbox, it is kind of a big deal. A simple click to "Accept All Emails" from this dropdown will cause every email sent to that mailbox from that point forward to promote into Dynamics. Imagine receiving an email regarding sexual harassment and not realizing that email promoted into Dynamics and is visible by the perpetrator.

For that reason among many others, it's important to understand how correlation and email promotion work with default Server-Side Sync configurations. Since the users in a default-configured organization have inherent access to this dropdown, its inviting disaster in the event they are bored and decide to change the setting.

How do user correlation methods work for incoming email?

By default, all users are configured with the correlation method "Emails in response to Dynamics 365 Email", which is discussed in part 4 of this series. In order for Server-Side Synchronization to use the values within personalization settings, the system setting "Use correlation to track email conversations" must be enabled. The other correlation methods a user can use are the following:

All email messages
 - Pretty Straight-forward; when we check the mailbox for incoming email, we promote everything we see, as long as there is an email address in the "to:" or "cc:" field that is tied to a system user or queue.

Email messages from Dynamics 365 Leads, Contacts and Accounts
 - When we pull the emails from the inbox of the mailbox, we will check the "From:" field. If this email address matches an email format field on any Lead, Contact, or Account entity form, the email will be promoted.

Email messages from Dynamics 365 records that are email enabled
 - When we pull the emails from the inbox of the mailbox, we will check the "From:" field. If this email address matches an email format field on any email-enabled entity form, the email will be promoted.

How can the correlation methods within user personalization settings be locked down to prevent this issue?

There are two OrgDBOrg settings that control this behavior: 

HideEmailAutoTrackOptions
 - Removes all options from the Personalization Settings box for "Select the email messages to track in Microsoft Dynamics 365" except for "Emails in response to Dynamics 365 Email" and "No Email Messages"

HideTrackAllOption
 - Removes the "All Email Messages" option within the Personalization Settings box for "Select the email messages to track in Microsoft Dynamics 365"

Please note that the other two values in the dropdown can be just as dangerous, as they will dump emails into Dynamics 365 as long as they correlate to the associated records chosen. I recommend setting the "HideEmailAutoTrackOptions" to every customer I speak to whom uses Server-Side Synchronization.

Is there a way to determine if there are users within an organization that have changed their correlation method?

The correlation method being set by users can be queried through multiple ways, with the easiest being an API query with each organization. The value "incomingemailfilteringmethod" can be found on the usersettings entity (reference for the values can be found here). Here is an example of an API query to find users with correlation settings set to "All Email Messages":

https://(URL of organization)/api/data/v9.0/usersettingscollection?$select=systemuserid&$filter=incomingemailfilteringmethod%20eq%200

The last character (0) of the above URL is the value for "All Email Messages". You can check the other values that cause this issue by changing the value to 2 or 3, like so:

https://(URL of organization)/api/data/v9.0/usersettingscollection?$select=systemuserid&$filter=incomingemailfilteringmethod%20eq%202
https://(URL of organization)/api/data/v9.0/usersettingscollection?$select=systemuserid&$filter=incomingemailfilteringmethod%20eq%203

What should be done if users whom are using non-default correlation methods are found in the above queries?

Assuming Server-Side Synchronization is running for the users found, it means that it is very likely emails have been dumping into Dynamics without the user's knowledge. The proposed solution scenario provided to the should follow these steps:

1. Prevent users from changing the Tracking personalization setting
        Set the OrgDBOrg setting "HideEmailAutoTrackOptions" to prevent users form modifying the value mid-resolution
2. Identify all of the system users affected
        Run API queries and determine users which have incomingemailfilteringmethod set to 0, 2 or 3
3. Change the User Settings value of each of these users to 1 to stop emails from coming in
        Using API queries or third party tools such as XRM Toolbox allows these values to be modified without user involvement
4. Identify impact of emails within Dynamics and determine ameliorative action
        This needs to be tailored to how volatile the emails already in Dynamics are in addition to considering time sensitivity of allowing the emails to be visible while being worked on

Now that the issue has been fixed, what actions should be taken to remove the emails that have been dumped into Dynamics?

There are two main paths that this can take; user-involvement via subjective manual deletion and mass-deletion of emails. This needs to be determined for each user scenario, as manually deleting emails one at a time allows the emails already in Dynamics to remain visible to other users with access to them until the user completes their subjective deletions. This method allows for "legitimate emails" (emails that should have come in and should remain) to remain within Dynamics, but also runs the risk of missing email deletions for those that shouldn't remain (emails with personal information as an example).

Anecdotally, every customer I've spoken with about this issue has opted to export a list of emails affected, mass delete them and then notify the users impacted. Due to ethical implications, remember that the users impacted must be told that the contents of their inbox were promoted to Dynamics as a direct result of the setting change made by them, and that they were visible by others with access. Because the emails will be mass-deleted, it's likely that "legitimate emails" will be caught in this net. Users will need to manually re-track in emails that meet these criteria to reestablish visibility within Dynamics. Mass deletion via asynchronous bulk delete, using custom views to delete en masse, and using diverse column sets via advanced find to identify and delete emails are examples.

In our next series, we will dive into Email-format fields and how field correlation works for the email entity.

Part 1, Part 2, Part 3, Part 4, Part 6