"You do not have permission to access these records." when attempting to configure Microsoft Dynamics CRM for Office Outlook

Symptoms
When you attempt to configure Microsoft Dynamics CRM for Office Outlook and you have a custom security role, you encounter the following error:

"You do not have permission to access these records. Contact your Microsoft Dynamics CRM administrator."

If the security role is assigned through team membership instead of being associated directly to the user, you encounter the following error:

"You do not have enough privileges to access the Microsoft Dynamics CRM object or perform the requested operation."

Cause
Your security role in Microsoft Dynamics CRM is missing sufficient privileges for a specific entity. This could be the Mailbox entity or some other entity privilege required to successfully configure CRM for Outlook.
Resolution
First identify which privilege is missing. You can expand the Details section in the error message which provides additional details including which privilege is missing. As shown in the More Information section below, the details may include a message such as "missing prvReadMailbox privilege" which would indicate the user needs Read access for the Mailbox entity. The example steps below are for the Mailbox entity but you can follow the same steps replacing the Mailbox entity with whichever privilege is mentioned in the details section of the error.

Update the security role to include user level Read access to the Mailbox entity. If the role is assigned through team membership, the security role will need business unit level or higher access. 

1. Log into the Microsoft Dynamics CRM web application as a user with the System Administrator role.

2. From the navigation bar click Microsoft Dynamics CRM and then click Settings.

3. From the navigation bar click Settings and then click Administration. If you are using Microsoft Dynamics CRM 2015 or later, click Security instead of Administration.

4. Click Security Roles.

5. Open the security role granted to the user that encounters this issue.

6. Click the Business Management tab. If the missing privilege is for a different entity, the privilege may be located on one of the other tabs.

7. Click the circle to grant User level Read access to the Mailbox entity. This privilege can be located by finding the Mailbox entity and the intersection with the Read privilege.

8. Click Save and Close.

9. Attempt to configure Microsoft Dynamics CRM for Office Outlook again. 


If you are still encountering issues connecting CRM for Outlook to your CRM Online organization, a diagnostic tool is available to help diagnose the issue:

CRM for Outlook Configuration Diagnostic

More information
The log file contains the following error with the Principal user reference matching your SystemUserId:

09:17:01|  Error| Exception : Principal user (Id=4294cbf9-7534-e311-8b6d-6c3be5a8f660, type=8) is missing prvReadMailbox privilege (Id=8e17de3a-5a69-479c-9535-1f7be75b2987)    at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal()
   at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveCommand.Execute()
   at Microsoft.Crm.Caching.MailboxWebServiceCacheLoader.LoadCacheData(Guid key, IOrganizationContext context)
   at Microsoft.Crm.Caching.ClientCacheLoaderProxy`2.LoadCacheData(TKey key, IOrganizationContext context)
   at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.CreateEntry(TKey key, IOrganizationContext context)
   at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.LookupEntry(TKey key, IOrganizationContext context)
   at Microsoft.Crm.Application.Outlook.Config.OutlookConfigurator.InitializeMapiStoreForFirstTime()
   at Microsoft.Crm.Application.Outlook.Config.OutlookConfigurator.Configure(IProgressEventHandler progressEventHandler)
   at Microsoft.Crm.Application.Outlook.Config.ConfigEngine.Configure(Object stateInfo)


If the user is a member of a team that only has user level Read access to the Mailbox entity and they do not have a security role assigned directly to their user record with user level Read access to the Mailbox entity, the log file contains the following error with the Owner Id and Calling User reference matching your SystemUserId:

17:16:47|  Error| Exception : SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 7f27247a-dda1-e411-80d9-fc15b4285da4, OwnerId: 4294cbf9-7534-e311-8b6d-6c3be5a8f660,  OwnerIdType: 8 and CallingUser: 4294cbf9-7534-e311-8b6d-6c3be5a8f660. ObjectTypeCode: 9606, objectBusinessUnitId: 8bce1ea5-1e75-e411-80cf-c4346bac89f4, AccessRights: ReadAccess  
Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Xrm.Sdk.IOrganizationService.Retrieve(String entityName, Guid id, ColumnSet columnSet)
   at Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient.<>c__DisplayClass4.<RetrieveCore>b__3()
   at Microsoft.Xrm.Sdk.WebServiceClient.WebProxyClient`1.ExecuteAction[TResult](Func`1 action)
   at Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient.RetrieveCore(String entityName, Guid id, ColumnSet columnSet)
   at Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient.Retrieve(String entityName, Guid id, ColumnSet columnSet)
   at Microsoft.Crm.Application.SMWrappers.ClientOrganizationServiceProxyBase.Retrieve(String entityName, Guid id, ColumnSet columnSet)
   at Microsoft.Crm.Application.Outlook.Config.ServerInfo.LoadMailboxInfo(IClientAuthProvider`1 orgAuthProvider)
   at Microsoft.Crm.Application.Outlook.Config.ServerInfo.LoadUserInfo(IClientAuthProvider`1 orgAuthProvider)
   at Microsoft.Crm.Application.Outlook.Config.ServerInfo.Initialize(Uri discoveryUri, OrganizationDetail selectedOrg, String displayName, Boolean isPrimary, IClientAuthProvider`1 authenticatedProvider)
   at Microsoft.Crm.Application.Outlook.Config.ServerForm.LoadDataToServerInfo()
   at Microsoft.Crm.Application.Outlook.Config.ServerForm.<InitializeBackgroundWorkers>b__3(Object sender, DoWorkEventArgs e)
   at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
   at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)

Outlook Client; configure; connect
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 2899051 - Last Review: 02/10/2016 19:53:00 - Revision: 4.0

Microsoft Dynamics CRM 2013, CRM Online via Office 365 E Plans, Microsoft Dynamics CRM Online Professional Plus, Microsoft Dynamics CRM Online Professional Edition, Microsoft Dynamics CRM 2015

  • kbmbsmigrate kbsurveynew KB2899051
Feedback