Summary:

An error can occur when setting up an Exchange integration against an Exchange 365 instance.

The following error will be logged to the ewaresystem.log:

Aug 6 2013 11:22:55.325 904 3740 5 ERROR: checkExchangeUserEmail
 CODE: 0
 URL : http://CRMSERVER/sdata/crmExchangeSyncEngine/crmExchange/-/$service/checkExchangeWebSiteAvailability?url_ews=https%3A%2F%2Foutlook.office365.com%2FEWS%2FExchange.asmx&user_ews=administrator@yourdomain.onmicrosoft.com&password_ews=%26HGBMDJMEAJBABICGICHCJEFGKEJHDJBO&domain_ews=&crmuser=Admin
 MSG : <CheckExchangeResponse><errorMessage>Invalid credentials, com.sage.scrm.syncengine.exchange.ews.service.error.SageExchangeServiceException: javax.xml.ws.soap.SOAPFaultException: The account does not have permission to impersonate the requested user.</errorMessage><httpStatus>401</httpStatus></CheckExchangeResponse>

Checking the CXF logs confirms that this error message is being returned by the remote Exchange server.

By default, the administrator account created when setting up your Office 365 instance will be added to the ApplicationImpersonation role. However, a timeout may occur during setup, resulting in the above error.


Resolution:

In order to add your impersonated user account to the ApplicationImpersonation role, you'll need to connect to your Exchange Online instance using PowerShell.

You should already have a copy of PowerShell installed on your client - you don't need to install the Exchange remote Powershell tools. The following commands can be carried out from any machine with PowerShell installed.

Run the following  commands:

Set-ExecutionPolicy Unrestricted

You will need to confirm that this setting should be enabled.

$LiveCred = Get-Credential

At this point, you're prompted to enter your user credentials. Enter the credentials for the Office 365 account you wish to use as the CRM impersonated user on Exchange.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Enable-OrganizationCustomization

This command may take a few moments to complete.

New-ManagementRoleAssignment -Name:"CRMImpersonation" –Role:"ApplicationImpersonation" –User:administrator@yourdomain.onmicrosoft.com

The last command will be familiar if you've ever set up the Exchange integration on an Exchange 2010 on-premise install. Since we're updating Active Directory, your changes will likely take a few minutes to apply, even though the response from PowerShell will indicate that the user role assignment is complete.

 Alternative Resolution: 

To do this through the UI on Office365 Wave 15:

  1. Login to the Office 365 Exchange Admin Center.
  2. Select "Permissions" from the navigation tree.
  3. Click on "Admin Roles".
  4. Click the "+" Icon to add a new role.
  5. In the role group dialog box Provide a name for your Role Group (ie. "CRM_Impersonation").
  6. Under Role click the "+" icon to add an RBAC Role.
  7. Select ApplicationImpersonation", click "add ->" and then click OK.
  8. Under Members click the "+" icon to add a new member to the RoleGroup.
  9. Select your admin user account that will perform the migrations, click "add ->", and then click OK.
  10. Click Save.