PrivilegeDenied error occurs when using Server-Side Synchronization

Applies to: Dynamics CRM

Symptom


When using Server-Side Synchronization in Dynamics 365, you encounter the following error after clicking Test & Enable Mailbox:

"Appointments, contacts, and tasks can't be synchronized for the mailbox <Mailbox Name> because the mailbox user doesn't have sufficient permissions on this mailbox.
Email Server Error Code: Crm.80040220.PrivilegeDenied"

Cause


This error will appear if the user associated with the mailbox record does not have sufficient privileges to use Server-Side Synchronization.

Resolution


Modify the user's security role to include the missing privilege. When you click the Details section, it should include the name of the missing privilege. In the example below, the user is missing the read privilege for the Email Server Profile entity.

T:331ActivityId: <GUID>>Exception : Unhandled Exception: Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncException: Failed to update the sync state : Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=edebe6f6-cf2e-4520-b635-ae0615d41e34)Detail: f6afa1da-a317-4cfd-a3ea-cb062b28dbcf -2147220960 Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=edebe6f6-cf2e-45...

For a list of privileges that may be required to use Server-Side Sync, refer to the More Information section.

More Information


The following table lists privileges required to use Server-Side Synchronization and the tab in a security role where the privilege can be found. A user with the System Administrator role can locate and modify a security role by navigating to Settings, Security, Security Roles. To view which role(s) are assigned to a specific user, navigate to Settings, click Security, click Users, select the specific User record, and then click Manage Roles. 

| Privilege name | Entity | Location (tab) within security role |
|---|---|---|
| prvReadEmailServerProfile | EmailServerProfile | Business Management |
| prvWriteMailbox | Mailbox | Business Management |
| prvReadMailbox | Mailbox | Business Management |
| prvReadOrganization | Organization | Business Management |
| prvSyncToOutlook | Outlook | Business Management --> Privacy-related privileges |
| prvReadActionCard | ActionCard | Core Records |
| prvDeleteActivity | Activity | Core Records |
| prvAppendActivity | Activity | Core Records |
| prvWriteActivity | Activity | Core Records |
| prvCreateActivity | Activity | Core Records |
| prvReadActivity | Activity | Core Records |
| prvAppendToActivity | Activity | Core Records |
| prvReadConnection | Connection | Core Records |
| prvAssignContact | Contact | Core Records |
| prvReadContact | Contact | Core Records |
| prvWriteContact | Contact | Core Records |
| prvCreateContact | Contact | Core Records |
| prvDeleteContact | Contact | Core Records |
| prvReadUserQuery | Saved View | Core Records |
| prvReadQueue | Queue | Core Records |
| prvReadQuery | View | Customization |
| prvReadIncident | Case | Service |
| prvSearchAvailability | | Service Management --> Miscellaneous Privileges |
| prvOverrideCreatedOnCreatedBy | | Service Management --> Miscellaneous Privileges |
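
The following is an added example, not Microsoft's code. It extracts the missing privilege from the Details text shown in the Resolution section and reports which security-role tab holds it, so only that privilege is granted. It also lists which privileges from the table above a role lacks. The function names and the idea of supplying a role's privileges as a set of names are assumptions for illustration.

```python
import re

# Privilege names grouped by security-role tab, copied from the table above.
TAB_PRIVILEGES = {
    "Business Management": "prvReadEmailServerProfile prvWriteMailbox "
                           "prvReadMailbox prvReadOrganization",
    "Business Management --> Privacy-related privileges": "prvSyncToOutlook",
    "Core Records": "prvReadActionCard prvDeleteActivity prvAppendActivity "
                    "prvWriteActivity prvCreateActivity prvReadActivity "
                    "prvAppendToActivity prvReadConnection prvAssignContact "
                    "prvReadContact prvWriteContact prvCreateContact "
                    "prvDeleteContact prvReadUserQuery prvReadQueue",
    "Customization": "prvReadQuery",
    "Service": "prvReadIncident",
    "Service Management --> Miscellaneous Privileges":
        "prvSearchAvailability prvOverrideCreatedOnCreatedBy",
}
TAB_OF = {p: tab for tab, names in TAB_PRIVILEGES.items() for p in names.split()}

# Matches "Principal user (Id=..., type=8) is missing prvX privilege".
MISSING_RE = re.compile(
    r"Principal user \(Id=(?P<principal>[^,]+), type=(?P<type>\d+)\) "
    r"is missing (?P<privilege>prv\w+) privilege")

def missing_privileges(details):
    """Unique (principal, privilege, tab) tuples; tab is None if not in the table."""
    hits = ((m["principal"], m["privilege"], TAB_OF.get(m["privilege"]))
            for m in MISSING_RE.finditer(details))
    return list(dict.fromkeys(hits))  # the fault text repeats; keep first-seen order

def role_gaps(role_privileges):
    """Required privileges absent from a role, grouped by the tab to edit."""
    gaps = {}
    for priv, tab in TAB_OF.items():
        if priv not in role_privileges:
            gaps.setdefault(tab, []).append(priv)
    return gaps

# Excerpt of the Details text shown on this page (<GUID> placeholder kept).
SAMPLE = ("Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile "
          "privilege (Id=edebe6f6-cf2e-4520-b635-ae0615d41e34)Detail: f6afa1da-a317-4cfd-"
          "a3ea-cb062b28dbcf -2147220960 Principal user (Id=<GUID>, type=8) is missing "
          "prvReadEmailServerProfile privilege (Id=edebe6f6-cf2e-45...")

if __name__ == "__main__":
    print(missing_privileges(SAMPLE))
    print(role_gaps({"prvReadMailbox", "prvWriteMailbox"}))  # constructed role
```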