PrivilegeDenied error occurs when using Server-Side Synchronization

This article provides a solution to a PrivilegeDenied error that occurs when you use Server-Side Synchronization in Microsoft Dynamics 365.

Applies to: Microsoft Dynamics CRM
Original KB number: 4015092

Symptoms

When using Server-Side Synchronization in Dynamics 365, you receive the following error after selecting Test & Enable Mailbox:

"Appointments, contacts, and tasks can't be synchronized for the mailbox <Mailbox Name> because the mailbox user doesn't have sufficient permissions on this mailbox.
Email Server Error Code: Crm.80040220.PrivilegeDenied"

Cause

This error will appear if the user associated with the mailbox record doesn't have sufficient privileges to use Server-Side Synchronization.

Resolution

Modify the user's security role to include the missing privilege. When you select the Details section, it should include the name of the missing privilege. In the example below, the user is missing the read privilege for the Email Server Profile entity.

T:331ActivityId: <GUID>>Exception : Unhandled Exception: Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncException: Failed to update the sync state : Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=<ID>)Detail: <ID> -2147220960 Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=edebe6f6-cf2e-45...

For a list of privileges that may be required to use Server-Side Sync, see the More Information section.

More information

The following table lists privileges required to use Server-Side Synchronization and the tab in a security role where the privilege can be found. A user with the System Administrator role can locate and modify a security role by navigating to Settings, Security, Security Roles. To view which role(s) are assigned to a specific user, navigate to Settings, select Security, select Users, select the specific User record, and then select Manage Roles.

| Privilege name | Entity | Location (tab) within security role |
| --- | --- | --- |
| prvReadEmailServerProfile | EmailServerProfile | Business Management |
| prvWriteMailbox | Mailbox | Business Management |
| prvReadMailbox | Mailbox | Business Management |
| prvReadOrganization | Organization | Business Management |
| prvSyncToOutlook (exchangesyncidmapping) | Outlook | Business Management --> Privacy-related privileges |
| prvReadActionCard | ActionCard | Core Records |
| prvDeleteActivity | Activity | Core Records |
| prvAppendActivity | Activity | Core Records |
| prvWriteActivity | Activity | Core Records |
| prvCreateActivity | Activity | Core Records |
| prvReadActivity | Activity | Core Records |
| prvAppendToActivity | Activity | Core Records |
| prvReadConnection | Connection | Core Records |
| prvAssignContact | Contact | Core Records |
| prvReadContact | Contact | Core Records |
| prvWriteContact | Contact | Core Records |
| prvCreateContact | Contact | Core Records |
| prvDeleteContact | Contact | Core Records |
| prvReadUserQuery | Saved View | Core Records |
| prvReadQueue | Queue | Core Records |
| prvReadQuery | View | Customization |
| prvReadIncident | Case | Service |
| prvSearchAvailability | | Service Management --> Miscellaneous Privileges |
| prvOverrideCreatedOnCreatedBy | | Service Management --> Miscellaneous Privileges |
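The following added example (not part of the original article or any Microsoft tooling) pulls the missing privilege name out of the Details text described in the Resolution section, maps it to its security-role tab using the table above, and lists which required privileges a role lacks so that only those are granted. The `HELD` list is a constructed sample; how you export a role's privilege names is assumed and not covered by this article.

```python
import re

# Required privileges grouped by security-role tab, copied from the table on this page.
REQUIRED_BY_TAB = {
    "Business Management":
        "prvReadEmailServerProfile prvWriteMailbox prvReadMailbox prvReadOrganization",
    "Business Management --> Privacy-related privileges": "prvSyncToOutlook",
    "Core Records":
        "prvReadActionCard prvDeleteActivity prvAppendActivity prvWriteActivity "
        "prvCreateActivity prvReadActivity prvAppendToActivity prvReadConnection "
        "prvAssignContact prvReadContact prvWriteContact prvCreateContact "
        "prvDeleteContact prvReadUserQuery prvReadQueue",
    "Customization": "prvReadQuery",
    "Service": "prvReadIncident",
    "Service Management --> Miscellaneous Privileges":
        "prvSearchAvailability prvOverrideCreatedOnCreatedBy",
}
TAB_OF = {p.lower(): tab for tab, names in REQUIRED_BY_TAB.items() for p in names.split()}
MISSING_RE = re.compile(r"is missing (prv\w+) privilege")

def missing_from_details(details):
    """Privilege names reported missing in the Details text, deduplicated, in order."""
    return list(dict.fromkeys(MISSING_RE.findall(details)))

def tab_for(privilege):
    """Security-role tab for a privilege, or None if it is not in the table above."""
    return TAB_OF.get(privilege.lower())

def audit(held):
    """Required privileges absent from `held`, grouped by tab."""
    have = {h.lower() for h in held}
    gaps = {}
    for tab, names in REQUIRED_BY_TAB.items():
        lacking = [p for p in names.split() if p.lower() not in have]
        if lacking:
            gaps[tab] = lacking
    return gaps

# Details excerpt as shown on this page (identifiers are placeholders).
DETAILS = ("Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile "
           "privilege (Id=<ID>)Detail: <ID> -2147220960 Principal user (Id=<GUID>, "
           "type=8) is missing prvReadEmailServerProfile privilege (Id=")
# Constructed sample: privilege names held by a hypothetical role.
HELD = ["prvReadMailbox", "prvWriteMailbox", "prvReadOrganization", "prvReadContact"]

if __name__ == "__main__":
    for p in missing_from_details(DETAILS):
        print(p, "->", tab_for(p) or "not in the table; check the role manually")
    for tab, names in audit(HELD).items():
        print(f"{tab}: {', '.join(names)}")
```

Granting only the privileges the audit reports, rather than assigning a broader role, keeps the mailbox user at the minimum access Server-Side Synchronization needs.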