
Server-side sync is the integration that everyone forgets is an integration until it stops working. When it does, executives notice within an hour because emails stop tracking. Here is the debugging order that beats random clicking.

Step 1: confirm the mailbox is actually approved

Half of all sync failures trace back to a mailbox that was never approved or that lost approval after a credential change. Check Settings -> Email Configuration -> Mailboxes and look for Email Server Profile and Approve Email.

PowerShell (D365):
# Replace the placeholder with the address of the mailbox you are checking.
Get-CrmMailbox -EmailAddress '<mailbox address>' | Select-Object EmailRouterAccessApproval,
  AllowEmailCredentialsEntryByUser,
  IncomingEmailDeliveryMethod

Step 2: check the alerts table directly

Approval succeeds, sync still fails. The system logs alerts on the mailbox itself. Check Settings -> Email Configuration -> Mailboxes -> Alerts. The most common alerts:

  • “Tracking categories cannot be updated” -> Exchange retention policy is blocking category writes.
  • “The credentials are incorrect” -> Conditional Access blocking the connection.
  • “Email Server Profile location is incorrect” -> Hybrid Exchange routing changed.

Step 3: test mailbox

Use the “Test & Enable Mailboxes” action. This runs a synthetic send/receive against the configured mailbox. The result flips IncomingEmailDeliveryMethod and OutgoingEmailDeliveryMethod to Server-Side Synchronization if successful. Failure here always points to either credentials or Exchange-side throttling.

Step 4: check the sync schedule

Server-side sync polls Exchange. The poll frequency is controlled by MaxConcurrentConnectionsPerOrganization and the sync cycle. If you have 10,000 sync-enabled mailboxes and the default settings, you are way under-provisioned. Microsoft caps concurrent connections per environment.

Step 5: appointment sync is its own beast

Email sync can succeed while appointment sync fails. The reason is almost always a Tracking Token mismatch on calendar items, propagated by an EWS-aware mobile app rewriting the body. Disable “Use tracking token in email” if your environment has heavy mobile calendar usage.

Step 6: the Conditional Access trap

Microsoft Entra Conditional Access policies that require MFA for “all cloud apps” will block the service principal that sync uses. Exclude the Dynamics 365 Server-Side Sync service principal explicitly, or scope CA by IP for the Power Platform regional IP ranges.

Common false positive

A user reports “my email did not track.” Check the email itself first: was it sent from the M365 web client to a recipient that exists as a contact in CRM? If not, sync is doing exactly what it should. The tracking conditions are non-obvious to end users.

What to do this week

Schedule a weekly job that pulls mailbox rows where processingstatecode = 1 (failure) and posts the count to your monitoring channel. Treat it as an SLO.
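
One way to build that weekly job, as an added example that is not code from the original post. It assumes the Dataverse Web API (v9.2, entity set `mailboxes`, key column `mailboxid`), a bearer token obtained elsewhere, and a hypothetical incoming webhook that accepts `{"text": ...}`; the two-page response is constructed so the script runs offline.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

FAILURE_STATE = 1  # processingstatecode value the article treats as failure

def build_query(org_url):
    # Assumed: Dataverse Web API v9.2, entity set "mailboxes", key column "mailboxid".
    flt = quote(f"processingstatecode eq {FAILURE_STATE}")
    return f"{org_url.rstrip('/')}/api/data/v9.2/mailboxes?$select=mailboxid&$filter={flt}"

def http_get_json(url, token):
    req = Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def count_failed(org_url, token, get_json=http_get_json):
    # Follow @odata.nextLink so a large environment is counted in full, not just page one.
    url, seen = build_query(org_url), set()
    while url:
        page = get_json(url, token)
        seen.update(row["mailboxid"] for row in page.get("value", []))
        url = page.get("@odata.nextLink")
    return len(seen)

def slo_message(failed, slo_max_failed):
    # Only the count is posted: mailbox addresses stay out of the chat channel.
    status = "BREACH" if failed > slo_max_failed else "OK"
    return f"[{status}] server-side sync: {failed} mailbox(es) in failure state (SLO max {slo_max_failed})"

def post_to_channel(webhook_url, text):
    # Hypothetical incoming-webhook endpoint that accepts {"text": ...} as JSON.
    body = json.dumps({"text": text}).encode()
    req = Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return resp.status

# Constructed two-page response standing in for the real API (offline demo).
_PAGES = {
    "p1": {"value": [{"mailboxid": "a1"}, {"mailboxid": "a2"}], "@odata.nextLink": "p2"},
    "p2": {"value": [{"mailboxid": "a3"}]},
}

def fake_get_json(url, token):
    return _PAGES["p2" if url == "p2" else "p1"]

if __name__ == "__main__":
    n = count_failed("https://org.example.crm.dynamics.com", "unused-token", fake_get_json)
    print(slo_message(n, slo_max_failed=2))
```

In production, drop the `fake_get_json` argument so the real HTTP fetch is used, and pass the result of `slo_message` to `post_to_channel`.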
