We provide software-as-a-service hosting services of Microsoft Dynamics 365, including managed administration of Dynamics itself. Up to this point, we've stayed on the tried (and normally) true Email Router. However, as you may know, Microsoft is getting rid of Basic authentication, which I am guessing kills the E-mail Router's integration using Exchange Web Services.
Server side sync seems to be the only alternative path at current, which requires server to server authentication. Steps to get that up and running are here: Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises) | Microsoft Docs
We've gotten that setup successfully. My concern is a general security concern. With the e-mail router, either users put in the credentials to their mailbox or we authenticate with some credentials that had delegated access to the subset of mailboxes needed. We weren't asking our clients to give us complete trust/access to their Exchange.
With server to server, it appears we could access anybody's mailbox in the Exchange instance. Set up a mailbox in Dynamics, approve the e-mail, and start bringing those e-mails in. It's not really a matter of my thinking it would be abused intentionally, but general posturing: what are we leaving out there that someone could take advantage of?
I've tried using the Exchange "New-ApplicationPolicy" command to restrict the mailboxes the "app" can access, but the AppId for the Hybrid connector must not be a true "app". I can see that for the most common scenario, where Exchange and Dynamics are administrated by the same team, it's not as big of a deal.
To make things more confusing, this link makes it sound like even the hybrid connector is going to change. Email service configurations supported by server-side synchronization - Power Platform | Microsoft Docs
We are aware of the Exchange Basic authentication deprecation schedule and are working on an alternate implementation.
I see some "Power Platform" pre-release documentation that looks like they may be moving to a UI-based S2S approach, and it does mention the ability to scope the mailboxes! (It would also get rid of the ugliness of a hosting provider, like myself, having to coordinate dozens of clients' Hybrid Connectors being updated as our certificate renews.) It looks like it adds some new options to the Mailbox profile that don't exist yet, even in 9.1 on-premises.
Exchange Online cross-tenant authentication - Power Platform | Microsoft Docs
I guess a few questions.
Thanks, I know this is specific.
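For the general case the post is reaching for, scoping an Azure AD application's app-only Exchange Online access to a defined set of mailboxes and then verifying the scope, here is an added example (not from the post or from Microsoft's Dynamics documentation). The AppId, the mail-enabled security group address and the test users are placeholders; the cmdlets are the standard Exchange Online application access policy cmdlets.

```powershell
# Added example: restrict an app-only (S2S) identity to one mailbox group and verify it.
# Placeholders: replace <app-id-guid>, the group address and the test mailboxes.
Connect-ExchangeOnline

$AppId      = "<app-id-guid>"                          # Azure AD application (client) ID
$ScopeGroup = "dynamics-sync-mailboxes@contoso.example" # mail-enabled security group of allowed mailboxes

# RestrictAccess: the app may only touch mailboxes that are members of $ScopeGroup.
# (The policy governs app-only access via Graph and EWS; delegated user logons are unaffected.)
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit Dynamics server-side sync to the mailboxes it actually synchronises"

# Defender's check: one mailbox inside the group should be granted, one outside should be denied.
Test-ApplicationAccessPolicy -Identity "crm-queue@contoso.example" -AppId $AppId   # expect AccessCheckResult: Granted
Test-ApplicationAccessPolicy -Identity "ceo@contoso.example"       -AppId $AppId   # expect AccessCheckResult: Denied

# Review what is in place; policies can take a short while to propagate after creation.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | Format-List AppId, ScopeName, AccessRight
```

If `Test-ApplicationAccessPolicy` reports Granted for a mailbox outside the group, the identity the connector authenticates with is not the AppId the policy was attached to, which matches the symptom described above.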