Dynamics Community Forum Thread Details

We provide software-as-a-service hosting services of Microsoft Dynamics 365, including managed administration of Dynamics itself. Up to this point, we've stayed on the tried (and normally) true Email Router. However, we you may know, Microsoft is getting rid of Basic authentication, which I am guessing kills the E-mail Router's integration using Exchange Web Services.

Server side sync seems to be the only alternative path at current, which requires server to server authentication. Steps to get that up and running is here: Connect Exchange Online to Dynamics 365 Customer Engagement (on-premises) | Microsoft Docs

We've gotten that setup successfully. My concern is a general security concern. With the e-mail router, either users put in the credentials to their mailbox or we authenticate with some credentials that had delegated access to the subset of mailboxes needed. We weren't asking our clients to give us complete trust/access to their Exchange.

With server to server, it appears we could access anybody's mailbox in the exchange instance. Setup a mailbox in Dynamics, approve the e-mail, and start bringing those e-mails in. It's not really a manner of I think it would be abused intentionally, but general posturing - what are we leaving out there that someone could take advantage of.

I've tried using the Exchange command "New-ApplicationPolicy" command to restrict the mailboxes the "app" can access, but the AppId for the Hybrid connector must not be a true "app". I can see for the most common scenario, where Exchange and Dynamics are administrated by the same team, it's not as big of a deal.

To make things more confusing, this link makes it sound like even the hybrid connector is going to change. Email service configurations supported by server-side synchronization - Power Platform | Microsoft Docs

We are aware of the Exchange Basic authentication deprecation schedule and are working on an alternate implementation.

I see some "Power Platform" pre-release documentation, that looks like they may be moving to a UI-based S2S approach and it does mention the ability to scope the mailboxes! (It would also get rid of the ugliness of a hosting provider, like myself, having to coordinate dozens of client's Hybrid Connector's updated as our certificate renews.) It looks like it adds some new options to the Mailbox profile that don't exist yet, even in 9.1 on-premises.

Exchange Online cross-tenant authentication - Power Platform | Microsoft Docs

I guess a few questions.

Can anyone disavow me of the notion that "modern authentication" will be the death of the e-mail router for Office 365 (at least incoming emails, which requires EWS)?
Am I on the correct path that there seems to be no reason to move to the Hybrid Connector, as is not using "modern authentication" either? Or am I getting confused between Dynamics 365 CE and Power Platform?
Has anyone seen guidance on when that last solution, "Exchange Online cross-tenant authentication", would be available on-premises? (If anything like Dynamics 9.1, we could be waiting years).
Has anyone in a similar scenario come up with a solution to limit the set of mailboxes Dynamics can access via the S2S Hybrid connection?

Thanks, I know this is specific.

Server Side Sync, Hybrid (CRM On-prem to Hosted Exchange) - Managed On-Premises Providers

Helpful resources

News and Announcements

Quick Links

December Spotlight Star - Muhammad Affan

Top 10 leaders for November!

Community AMA December 12th

Leaderboard

Featured topics

Product updates