Skip to main content

Notifications

Customer Service forum
Unanswered

Server Side Sync, Hybrid (CRM On-prem to Hosted Exchange) - Managed On-Premises Providers

Posted on by 360

We provide software-as-a-service hosting services of Microsoft Dynamics 365, including managed administration of Dynamics itself.  Up to this point, we've stayed on the tried (and normally) true Email Router.  However, we you may know, Microsoft is getting rid of Basic authentication, which I am guessing kills the E-mail Router's integration using Exchange Web Services.

Server side sync seems to be the only alternative path at current, which requires server to server authentication.  Steps to get that up and running is here: Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises) | Microsoft Docs

We've gotten that setup successfully.  My concern is a general security concern.  With the e-mail router, either users put in the credentials to their mailbox or we authenticate with some credentials that had delegated access to the subset of mailboxes needed.  We weren't asking our clients to give us complete trust/access to their Exchange.

With server to server, it appears we could access anybody's mailbox in the exchange instance.  Setup a mailbox in Dynamics, approve the e-mail, and start bringing those e-mails in.  It's not really a manner of I think it would be abused intentionally, but general posturing - what are we leaving out there that someone could take advantage of.

I've tried using the Exchange command "New-ApplicationPolicy" command to restrict the mailboxes the "app" can access, but the AppId for the Hybrid connector must not be a true "app".   I can see for the most common scenario, where Exchange and Dynamics are administrated by the same team, it's not as big of a deal.

To make things more confusing, this link makes it sound like even the hybrid connector is going to change.  Email service configurations supported by server-side synchronization - Power Platform | Microsoft Docs

We are aware of the Exchange Basic authentication deprecation schedule and are working on an alternate implementation.

I see some "Power Platform" pre-release documentation, that looks like they may be moving to a UI-based S2S approach and it does mention the ability to scope the mailboxes!  (It would also get rid of the ugliness of a hosting provider, like myself, having to coordinate dozens of client's Hybrid Connector's updated as our certificate renews.)  It looks like it adds some new options to the Mailbox profile that don't exist yet, even in 9.1 on-premises.

Exchange Online cross-tenant authentication - Power Platform | Microsoft Docs

I guess a few questions.

  1. Can anyone disavow me of the notion that "modern authentication" will be the death of the e-mail router for Office 365 (at least incoming emails, which requires EWS)?
  2. Am I on the correct path that there seems to be no reason to move to the Hybrid Connector, as is not using "modern authentication" either?  Or am I getting confused between Dynamics 365 CE and Power Platform?  
  3. Has anyone seen guidance on when that last solution, "Exchange Online cross-tenant authentication", would be available on-premises?  (If anything like Dynamics 9.1, we could be waiting years).
  4. Has anyone in a similar scenario come up with a solution to limit the set of mailboxes Dynamics can access via the S2S Hybrid connection?

Thanks, I know this is specific.  

Categories:

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Forum Structure Changes Coming Soon!

Quick Links

Forum Structure Changes Coming on 11/8!

In our never-ending quest to help the Dynamics 365 Community members get answers faster …

Dynamics 365 Community Platform update – Oct 28

Welcome to the next edition of the Community Platform Update. This is a status …

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 290,782 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 229,067 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,150

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans