PrivilegeDenied error occurs when using Server-Side Synchronization
This article provides a solution to a PrivilegeDenied error that occurs when you use Server-Side Synchronization in Microsoft Dynamics 365.
Applies to: Microsoft Dynamics CRM
Original KB number: 4015092
Symptoms
When using Server-Side Synchronization in Dynamics 365, you receive the following error after selecting Test & Enable Mailbox:
"Appointments, contacts, and tasks can't be synchronized for the mailbox <Mailbox Name> because the mailbox user doesn't have sufficient permissions on this mailbox.
Email Server Error Code: Crm.80040220.PrivilegeDenied"
Cause
This error will appear if the user associated with the mailbox record doesn't have sufficient privileges to use Server-Side Synchronization.
Resolution
Modify the user's security role to include the missing privilege. When you select the Details section, it should include the name of the missing privilege. In the example below, the user is missing the read privilege for the Email Server Profile entity.
T:331ActivityId: <GUID>>Exception : Unhandled Exception: Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncException: Failed to update the sync state : Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=<ID>)Detail: <ID> -2147220960 Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile privilege (Id=edebe6f6-cf2e-45...
For a list of privileges that may be required to use Server-Side Sync, see the More Information section.
More information
The following table lists privileges required to use Server-Side Synchronization and the tab in a security role where the privilege can be found. A user with the System Administrator role can locate and modify a security role by navigating to Settings, Security, Security Roles. To view which role(s) are assigned to a specific user, navigate to Settings, select Security, select Users, select the specific User record, and then select Manage Roles.
Privilege name | Entity | Location (tab) within security role |
---|---|---|
prvReadEmailServerProfile | EmailServerProfile | Business Management |
prvWriteMailbox | Mailbox | Business Management |
prvReadMailbox | Mailbox | Business Management |
prvReadOrganization | Organization | Business Management |
prvSyncToOutlook (exchangesyncidmapping) | Outlook | Business Management --> Privacy-related privileges |
prvReadActionCard | ActionCard | Core Records |
prvDeleteActivity | Activity | Core Records |
prvAppendActivity | Activity | Core Records |
prvWriteActivity | Activity | Core Records |
prvCreateActivity | Activity | Core Records |
prvReadActivity | Activity | Core Records |
prvAppendToActivity | Activity | Core Records |
prvReadConnection | Connection | Core Records |
prvAssignContact | Contact | Core Records |
prvReadContact | Contact | Core Records |
prvWriteContact | Contact | Core Records |
prvCreateContact | Contact | Core Records |
prvDeleteContact | Contact | Core Records |
prvReadUserQuery | Saved View | Core Records |
prvReadQueue | Queue | Core Records |
prvReadQuery | View | Customization |
prvReadIncident | Case | Service |
prvSearchAvailability | | Service Management --> Miscellaneous Privileges |
prvOverrideCreatedOnCreatedBy | | Service Management --> Miscellaneous Privileges |
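
The following is an added example, not part of the original article or any Microsoft tooling: it extracts the missing privilege name from the Details text and checks a role's privileges against the whole table, so every gap can be found in one pass. The function names and sample data are constructed, and it assumes the role's granted privilege names have already been collected into a set.

```python
import re

# Required privileges grouped by security-role tab, copied from the table above.
REQUIRED_BY_TAB = {
    "Business Management":
        "prvReadEmailServerProfile prvWriteMailbox prvReadMailbox prvReadOrganization",
    "Business Management --> Privacy-related privileges": "prvSyncToOutlook",
    "Core Records":
        "prvReadActionCard prvDeleteActivity prvAppendActivity prvWriteActivity "
        "prvCreateActivity prvReadActivity prvAppendToActivity prvReadConnection "
        "prvAssignContact prvReadContact prvWriteContact prvCreateContact "
        "prvDeleteContact prvReadUserQuery prvReadQueue",
    "Customization": "prvReadQuery",
    "Service": "prvReadIncident",
    "Service Management --> Miscellaneous Privileges":
        "prvSearchAvailability prvOverrideCreatedOnCreatedBy",
}
TAB_OF = {p: tab for tab, names in REQUIRED_BY_TAB.items() for p in names.split()}

MISSING_RE = re.compile(r"is missing (prv\w+) privilege")

def missing_from_details(details):
    """Privilege names reported in the Details text, de-duplicated, in order."""
    return list(dict.fromkeys(MISSING_RE.findall(details)))

def where_to_grant(details):
    """Map each reported privilege to its role tab (None if not in the table)."""
    return {p: TAB_OF.get(p) for p in missing_from_details(details)}

def audit_role(granted):
    """Return {tab: [required privileges absent from `granted`]} for every gap."""
    have = {g.lower() for g in granted}  # assumption: collected names may differ in case
    gaps = {}
    for priv, tab in TAB_OF.items():
        if priv.lower() not in have:
            gaps.setdefault(tab, []).append(priv)
    return gaps

# Constructed sample: Details text shaped like the excerpt above (placeholders kept).
SAMPLE_DETAILS = (
    "Principal user (Id=<GUID>, type=8) is missing prvReadEmailServerProfile "
    "privilege (Id=<ID>)Detail: <ID> -2147220960 Principal user (Id=<GUID>, type=8) "
    "is missing prvReadEmailServerProfile privilege (Id=<ID>)"
)
# Constructed sample: a role holding everything except three privileges.
SAMPLE_GRANTED = set(TAB_OF) - {"prvReadEmailServerProfile", "prvReadMailbox", "prvReadQueue"}

if __name__ == "__main__":
    print(where_to_grant(SAMPLE_DETAILS))
    print(audit_role(SAMPLE_GRANTED))
```

Granting only the privileges that `audit_role` reports keeps the role limited to what the table lists instead of assigning a broader role to clear the error.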