How to connect Dynamics CRM 2016 On Premise to Exchange Online
I then prepared the x509 certificate required for the server-side authentication. In particular:
- I logged on to the CRM Server as an administrator, ran MMC and added the Certificates snap-in. When prompted I chose Computer Account and then Local Computer.
- Under the Personal certificate store I located the wildcard certificate and exported it twice. The first time I chose not to export the private key, to obtain a DER encoded binary X.509 (.cer) certificate, which I saved as c:\Personalcertfile.cer. Then I exported the same certificate along with the private key (to obtain a .pfx file), keeping the default options and duly noting the password for a later import. The .pfx file was saved as c:\Personalcertfile.pfx
Installing Microsoft Online Services Sign-In Assistant for IT Professionals Beta was not required as it was already there, but I had to set up the Azure Active Directory Module for Windows PowerShell (64-bit version).
Following the guide, I located the CertificateReconfiguration.ps1 file, started the Azure Active Directory Module for Windows PowerShell and moved to the file path. I ran exactly the commands from the guide:
```powershell
$CertificateScriptWithCommand = ".\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password THEPWDNOTEDABOVE -updateCrm -certificateType S2STokenIssuer -serviceAccount DOMAINNAME\USERNAME -storeFindType FindBySubjectDistinguishedName"
Invoke-Expression -command $CertificateScriptWithCommand
```
Please note that THEPWDNOTEDABOVE was the password I chose when I exported the .pfx certificate. DOMAINNAME\USERNAME is the credential of the administrative single user I used to carry out the configuration.
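A pre-flight check that can be run before CertificateReconfiguration.ps1, to confirm that the two exports described above belong to the same certificate, that the .pfx really carries the private key, and that the certificate is not about to expire. This is an added example, not part of the original guide or of Microsoft's scripts; the function name `Test-S2SCertificatePair` and the 30-day window are assumptions, and the paths are the ones used in this post.

```powershell
# Added example: Test-S2SCertificatePair is a hypothetical helper, not a CRM or Azure AD cmdlet.
function Test-S2SCertificatePair {
    param(
        [string]$CerPath = 'C:\Personalcertfile.cer',
        [string]$PfxPath = 'C:\Personalcertfile.pfx',
        [Parameter(Mandatory = $true)][System.Security.SecureString]$PfxPassword,
        [int]$MinDaysValid = 30   # assumed warning window
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $problems = @()
    $cer = $null; $pfx = $null
    try {
        $cer = New-Object $type -ArgumentList $CerPath
        # Throws if the password is wrong or the file is not a valid PKCS#12 container
        $pfx = New-Object $type -ArgumentList $PfxPath, $PfxPassword

        # The .pfx is only usable for S2S token signing if the key was exported with it
        if (-not $pfx.HasPrivateKey) { $problems += '.pfx has no private key' }

        # Both exports must come from the same certificate
        if ($cer.Thumbprint -ne $pfx.Thumbprint) {
            $problems += "Thumbprint mismatch: $($cer.Thumbprint) vs $($pfx.Thumbprint)"
        }

        # Validity period
        $now = Get-Date
        if ($pfx.NotBefore -gt $now) { $problems += "Not valid until $($pfx.NotBefore)" }
        if ($pfx.NotAfter -lt $now.AddDays($MinDaysValid)) {
            $problems += "Expires $($pfx.NotAfter), inside the ${MinDaysValid}-day window"
        }
    }
    catch {
        $problems += "Could not load certificate files: $($_.Exception.Message)"
    }
    finally {
        # Release the certificate objects and the key material loaded from the .pfx
        if ($pfx) { $pfx.Reset() }
        if ($cer) { $cer.Reset() }
    }
    return ,$problems
}

# Prompt for the export password instead of typing it in clear text
$pw = Read-Host -Prompt 'Password chosen at .pfx export' -AsSecureString
$issues = Test-S2SCertificatePair -PfxPassword $pw
if ($issues.Count -eq 0) { 'Certificate pair is consistent.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The guide's own command still receives the password as a plain-text `-password` argument, so it can end up in console history or transcripts on the CRM server.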

Certificate preparation result
Configuration
The actual configuration was pretty straightforward. It was all about locating and launching the ConfigureCrmServerSideSync.ps1 script with the right parameters.
Parameter | Description |
---|---|
rootDomainName | The server url as configured in the IFD (without https://) |
privateKeyPassword | THEPWDNOTEDABOVE |
cerFilePath | c:\Personalcertfile.cer created above |
pfxFilePath | c:\Personalcertfile.pfx created above |
organizationName | The name of our CRM organization. |
O365AdminEmail | The Office 365 tenant email address ALIAS@DOMAIN.onmicrosoft.com |
I was prompted for the ALIAS@DOMAIN.onmicrosoft.com and the rest of the process was completed by the script.
Conclusions
Once the steps above were performed, our CRM was ready for the server-side (Hybrid) configuration.
In CRM, I created an email server profile going to Settings > Email Configuration > Email Server Profiles.
I then clicked New > Exchange Online (Hybrid). The tenant ID was already there and I only had to set a meaningful name for the profile.
With the server profile in place I configured the existing mailboxes to use the newly created profile. For each mailbox I selected test and enable.
Esteban Gomez
Thanks for the post!
Do you know the sentence for updating an existing connection?
Thanks in advance
Mike Zielke
Have you had to renew the SSL cert for the hybrid connector?
Roland Pongracz
I’m also interested if you had to renew it how you did it. Thx.
Joe CRM
Do you have to perform an iisreset or restart any of the CRM services after running the script?