web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / Security question rega...
Customer experience | Sales, Customer Insights,...
Unanswered

Security question regarding Server-Side-Synch

(0) ShareShare
ReportReport
Posted on by Thomas Kammerlander

Dear community,

i have a question about the Account that you use to configure Server Side Synch with Dynamics CRM 365 and Exchange Online.

I need a statement for our IT-Security guys that this Account (usually the IIS-AppPool Account) does not have access to all the

Email Accounts in the Exchange Online Tenand after configuring Server-Side-Synch.

Let's say for example i have 10 users in my AD. All 10 users have Exchange Online Accounts but only 4 of them do have a Dynamics CRM 365 on prem account.

If i configure Server-Side-Synch. Does the AppPoolAccount user have access to all the 10 users emails?

With kind regards,

Thomas

I have the same question (0)
  • erhan.keskin Profile Picture
    erhan.keskin 2,253 on at

    Hi,

    First of all, I wouldn't suggest to use CRM Installation User or any CRM user as an Application Pool Identity.

    The Application Pool identity of CRM Application Pool doesn't have to have access to Exchange whatsoever.

    Best practices for server-side synchronization: docs.microsoft.com/.../best-practices-server-side-synchronization

    If you want to use one set of credentials to process emails with Outlook or Exchange: docs.microsoft.com/.../best-practices-server-side-synchronization (Using one account to process email to all mailboxes is easier to maintain but requires using an account that has access to all mailboxes in Outlook or Exchange. The account must have impersonation rights on Exchange.)

    Regards,

  • Thomas Kammerlander Profile Picture
    Thomas Kammerlander on at

    Dear Erhan,

    thanks a lot for your information. Well i followed this guide when setting up Server-Side-Synch:

    us.hitachi-solutions.com/.../

    They do write the following lines in the guide:

    Microsoft indicates to replace the contoso\administrator with your domain\account. Normally in their environments, Contoso\Administrator is the CRM System Administrator, but that IS NOT the account we want to use.  Using a user account will break CRM.  It removes the account that was setup during IFD to manage the Private Key on the certificate.  So what you want here is the account running the CRM Application Pool in IIS. So this is what i did.

    Can you comment on that, if that really is the way to go?

    The other thing is just a security question regarding the account that is used to setup the server-side-synch does it anyhow have access to the user mailboxes or not?

    Regards, Thomas

  • erhan.keskin Profile Picture
    erhan.keskin 2,253 on at

    Hi Thomas,

    That paragraph is for server side authentication, which is related to IFD specific, so you can follow it, that might be alright.

    For the second question; as mentioned above, it depends on your configuration, if you have a CRM User that is used for the IIS application pool identity, and has impersonation on Exchange, then it is possible to access to the user mailboxes. However, it wouldn't have access to all the mailboxes because of being used as Application Pool Identity.

    Regards,

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
Tom_Gioielli Profile Picture

Tom_Gioielli 83 Super User 2025 Season 2

#2
Gerardo Rentería García Profile Picture

Gerardo Rentería Ga... 49 Most Valuable Professional

#3
#ManoVerse Profile Picture

#ManoVerse 40

Last 30 days Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans