Exchange Online cross-tenant authentication
Use server-side synchronization to synchronize Exchange Online mailboxes that reside on different Exchange Online tenants. Follow the steps in this topic to complete the prerequisites before you set up an Exchange Online server profile that uses OAuth cross-tenant authentication. More information: Create an email server profile for Exchange Online
Note
The following limitations apply to connecting cross-tenant:
- Dynamics 365 App for Outlook is not supported.
- Approval of Dynamics 365 mailbox records must be performed by a global tenant admin or an Exchange admin of the primary tenant.
Configuration
Sign in to the Azure portal, create the app registration, and then configure the email server profile.
Register your app
Register your app on the Azure portal on the tenant where Exchange Online resides. To create the app registration, follow the steps in Register an application.
Note
You don't need to enter anything for Redirect URI because it's not needed.
When you register your app, note the Application (client) ID and Directory (tenant) ID; you'll need this information later to configure the email server profile.
Add a client secret
A client secret is a string value your app uses to identify itself. It's used by Dynamics 365 to authenticate to your app.
To create a client secret, follow the steps in Add a client secret. Remember to note the Secret Value, because you'll need this information later to configure the email server profile.
Add API permissions
To give your app access to Exchange Online, grant it the Office 365 Exchange Online API permission.
Select API permissions > Add a permission.
Select the APIs my organization uses tab, and then select Office 365 Exchange Online.
For type of permissions, select Application permissions, and then select the checkbox for full_access_as_app. When you're done, select Add permissions.
Note
If it doesn't align with your business requirements to have an app with full access on all mailboxes, the Exchange Online admin can scope the mailboxes that the app can access by using Application Access Policy or configuring the Application Impersonation role on Exchange. More information:
On the Configured permissions screen, select Grant admin consent for tenant name.
In the confirmation dialog, select Yes.
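The mailbox scoping mentioned in the note above can be set up and verified from Exchange Online PowerShell. The following is an added example, not part of the original topic: the group name, mailbox addresses, and app ID are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange admin account on the tenant that hosts the mailboxes.

```powershell
# Added example: every name, address and ID below is a placeholder (assumption).
$AppId      = '<Application (client) ID noted during app registration>'
$GroupName  = 'D365-ServerSideSync-Mailboxes'                      # hypothetical group
$InScope    = 'sales1@contoso.example', 'sales2@contoso.example'   # constructed
$OutOfScope = 'finance@contoso.example'                            # constructed

# Connect as an Exchange admin of the tenant where Exchange Online resides.
Connect-ExchangeOnline

# 1. Mail-enabled security group that holds only the mailboxes Dynamics 365 syncs.
$group = New-DistributionGroup -Name $GroupName -Type Security
foreach ($mbx in $InScope) {
    Add-DistributionGroupMember -Identity $group.PrimarySmtpAddress -Member $mbx
}

# 2. Restrict the app so it can reach only members of that group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description 'Limit the Dynamics 365 sync app to synchronized mailboxes'

# 3. Verify the policy: in-scope mailboxes must be Granted, others Denied.
$expected = @{}
foreach ($mbx in $InScope) { $expected[$mbx] = 'Granted' }
$expected[$OutOfScope] = 'Denied'

foreach ($mbx in $expected.Keys) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    $actual = "$($result.AccessCheckResult)"
    if ($actual -ne $expected[$mbx]) {
        Write-Warning "$mbx : expected $($expected[$mbx]), got $actual"
    } else {
        Write-Output "$mbx : $actual (as expected)"
    }
}

# 4. Review the policies that now apply to the app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List Identity, AppId, ScopeName, AccessRight, Description
```

Any warning from step 3 means the app can reach a mailbox it should not, or cannot reach one it should; resolve it before approving mailboxes in Dynamics 365.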
Email server profile for Exchange Online with authentication type Oauth (Cross Tenant)
To create an email server profile for Exchange Online that uses Oauth (Cross Tenant) authentication, you need to collect the following information from the Azure portal:
- TenantId: The tenant ID of the tenant where Exchange Online is configured
- Application ID: The app ID used by Dynamics 365 to connect to Exchange Online
- Client secret: The client secret value used by Dynamics 365 to authenticate as the app