Tip #903: Scribe Insight error after Dynamics 365 upgrade

This tip of the day comes to us from Alexandros Miaris. (And you can send us your tip to jar@crmtipoftheday.com.

After a recent upgrade to Dynamics 365, we received the “metadata contains a reference that cannot be resolved” error message when trying to connect to Dynamics from the latest version of the Scribe Insight Workbench.

This issue was discovered by Scribe after version 7.9.2 of Insight was released, and a Hot Fix is now available. If you experience this issue, contact Scribe support and request Hot Fix ScribeInsight792_HF1

Tip #902: Can I use both the Dynamics 365 Outlook Client and Outlook App?

As we have covered extensively on CRMTOD, the new Dynamics 365 App for Outlook is a great lightweight CRM experience for Outlook and will probably be the CRM interface for Outlook of choice for most users going forward.

But what if you like the new app and want to use it, but you still occasionally may need some functionality offered by the Outlook client. Some examples:

  • People who need offline CRM access
  • People who sometimes need functionality that isn’t available with the new
  • People who like to browse CRM folders from within Outlook
  • CRM consultants and trainers who need to demonstrate both options

A personal example–I like the experience of the new app when tracking an individual email, but I miss the ability to bulk track multiple emails with a single click, like I can do with the Outlook client. But I want to use the Outlook app from Outlook on my phone.

Shortly after the Dynamics 365 release, users reported, and my testing confirmed, that the Outlook Client would become disabled if the CRM was enabled. On a whim, this week I tested again and reinstalled the latest version of CRM for Outlook. Based on my testing, I can now simultaneously run both the Outlook Client and the new Outlook app. Bring on the belt and suspenders.


 

Tip #901: Restricting access to your instance revisited

We’ve been hosting Dynamics CRM/365 instances for our customers since CRM 4 days but lately they have been moving to Dynamics 365 Online in drones (awesome – now I can sleep at night!). Some have been hesitant because we were using geo-restrictions for their instances (implemented in a supported way). Digging into why it was done in a first place: majority of the customers just wanted to restrict access to their instances outside the workplace.

Good news is that this kind of restrictions can now be implemented for Dynamics 365 Online using trusted IP rules. It will cost you a bit extra, e.g. last time I checked, Azure AD Premium would set me back $7 per user per month in one of the top 2 countries in the world.

The most important caveat is that, unlike on-premises approach, IP restriction is only enforced during user authentication.

But for most of the customers, ease of configuration, ability to enforce MFA outside of work, federation with on-premises AD for even more control, and device-based conditional access policy easily outweigh the limitations.

For more security goodness, consider auditing user access that has been part of Dynamics 365 / CRM since version 2011.

Tip #900: Check custom roles if users can’t see the app

This tip is from Rocky “Road” Sharma.

What if you watched the video on App Designer, applied custom security roles to your app and now your users can’t see the App? If you are using custom security roles and create Dynamics 365 Apps for teams/departments in your organisation, the app may not appear in the list of Apps for the user even if all the correctly security roles are assigned to the App.

That could be due the missing Read Privilege on App entity, that you need to add to the user’s security role in the Customization tab.

Read privilege on app entity

 

Tip #899: If email gets rejected check for duplicate addresses

tl;dr

When incoming email gets rejected, check if you have records in mail-enabled entities (contacts, accounts, queues, and system users OOB) using the same email address.

I’ve done this today

  • Set up a hybrid server-side sync for a customer. (There are some gaps in the docs, this is a recommended reading companion.)
  • Add a support queue and a mailbox for support@foobar.com
  • Set Convert Incoming Email to Activities to “All email messages”
  • Approve email
  • Test & enable mailbox. Inbound – success, outbound – success)
  • Test it myself: outbound email works like a charm, inbound email gets delivered to the support mailbox but not to the queue. Er?

So I’ve done a bit more:

  • Permissions – all good – I’m admin
  • Workflows – none

Time to troubleshoot:

  • Open Settings > Email Configuration > Server-Side Synchronization Monitoring – Mailbox Errors trace shows up lots of error code 29 entries – “incoming email rejected”. I can see that – you’re NOT helping, error log!
  • Boogle the problem. Yep, people reported it here, here, here, and here, and here. No definite resolution.
  • All hail on-premises – enable tracing.

ErrorCode: -2147218683, InnerException: Microsoft.Crm.CrmException: At least one system user or queue in the organization must be a recipient
at Microsoft.Crm.Common.ObjectModel.EmailService.FindBestOwner(AddressManager addressManager, TrackingInfo trackingInfo, AddressEntry[][] allResolvedAddressEntries, String traceSubject, Int32& ownerObjectTypeCode, ExecutionContext context)

Now, that is interesting, because, even with the glasses on (not that I need any just yet), I can see the queue with the support@foobar.com email address. Read forum entries a bit more closely. That one has couple people reporting the issue caused by inactive queue having the same email address.

But I don’t have any other queues? Wait a minute! What about other records? I’ll be damned, there is a contact support@foobar.com created at around the same time as I was tinkering with the mailbox. Delete the contact, test again – everything works!

Theory

I’m the owner of the mailbox so my personal email setting will apply
Personal options - email
When mailbox is tested, system will send email to support@foobar.com from, you guessed it, support@foobar.com. Mailbox is not approved yet so the sender is not known, the system goes ahead and creates a contact, according to my settings.
Then the system decides to resolve the recipient, and finds two addresses. Wouldn’t be a problem but there is a new organization-level setting that allows unresolved recipients:
Organization settings for unresolved
With the recipient unresolved, CRM throws an exception (see above).

This is just a theory, of course, but the problem is real and resolution is real – check for duplicate emails in mail-enabled entities in your organization, and make sure to check the inactive records too.

Tip #898: Delegate tracking and server side synchronization

tl;dr

Delegate tracking of contacts and appointments does not work with server-side synchronization or with the new Dynamics 365 Outlook app.

Read more

Consider the scenario where the company owner, Ms. Bigwig, wants her appointments and contacts tracked in CRM, but she is too busy to maintain her calendar herself, so she has her assistant add items to her calendar and contacts and then track them in CRM.

According to the official documentation, “If you’ve delegated access to your Outlook account, the delegate can track items on your behalf.” So delegate tracking is possible. However, what the documentation (currently) does not state is that delegates tracking contacts and appointments on your calendar will not work if your mailbox uses server side synchronization or if you or the delegate are using the new Outlook app.

For delegates to track items on your calendar, you must be using Outlook synchronization for contacts, appointments, and tasks. In the scenario of Ms. Bigwig, she can have her assistant track things in her mailbox, but these items will not synchronize to CRM until Ms. Bigwig logs into Outlook. If she travels and does not open Outlook for two weeks, the delegate tracked items won’t appear in CRM until the next time she opens Outlook.

Alternative approach

So if you want to use server side synchronization and you want delegates creating or updating Outlook items, an alternative approach to delegate tracking is to have the assistants create items directly in CRM and assign them to Ms. Bigwig. These items will then synchronize to the boss’ calendar immediately via server-side synchronization.

Tip #897: Alternate key, duplicate data, and solutions: part 2

The alternate key saga did attract some attention and we received the definite say from Brandon Simons, who’s probably as close to the proverbial Dynamics 365 metal as it gets.

tl;dr

Alternate keys can be in an inactive state when the definition is created but the unique index is not. These pending keys can be reactivated using solutions UI in Dynamics 365.

Read more

The best part of the tip deserves a direct quote from Brandon

… feel free to just take credit for yourself as well!

Which is exactly what I’m going to do. Sit back, relax, and enjoy.

Alternate keys are kind of created sync and asynchronously. The synchronous part is just the definition of the alternate key, but the alternate key does not become “active” until the index has been created asynchronously. If a solution is imported that creates an alternate key on a column that has duplicate keys then the solution will import, but the key won’t be active until the data is cleaned up.

The reasoning behind this is that we don’t want to hold up the solution import process as creating the index can take a long time. Also, failing the import isn’t ideal as this is something that is generally pretty easy to fix on the target instance after the solution has been imported. After the alternate key definition is created you will see the key is actually in pending state while the async processing completes:
Pending key
Here is a screenshot where you can view and retry creating the alternate key index if you run into a failure:
Reactivate pending key

Tip #896: Don’t get blacklisted by blasting emails from Dynamics 365

Today we welcome to the jar Steve “Mr SMB” Mordue. (And you can submit your tips too by emailing them to jar@crmtipoftheday.com.)

tl;dr

Don’t use Dynamics 365 to blast marketing emails because in worst case scenario either your email server will get blacklisted or you will be suspended / banned from the email service. Instead, use services of the bulk email providers.

Steve has the mic

The other day, this post popped up on my Twitter feed. It seems some poor soul got his organization on an email blacklist by sending bulk emails through CRM.

It is a common misconception, particularly with SMB customers, that CRM can be used for sending email blasts or newsletters, or even Spam. But this will cause problems like those experienced by the poster. Why?

Dynamics CRM is not an independent email system. Email sent from Dynamics CRM will go through your Exchange Server, either on-premise or online, as the user who created it. If too many of your recipients mark your message as Spam, or if your bounce rate (invalid email addresses) is too high, you run the risk of being added to an RBL (Realtime Blackhole List). This is a list of IP addresses whose owners refuse to stop the proliferation of spam. The RBL usually lists server IP addresses from ISPs whose customers are responsible for the spam and from ISPs whose servers are hijacked for spam relay. As subscribers to the RBL, ISPs and companies will know from which IP addresses to block traffic. Most traffic blocking occurs during the SMTP connection phase. The receiving end will check the RBL for the connecting IP address. If the IP address matches one on the list, then the connection gets dropped before accepting any traffic from the spammer.

Note that this not only effects your ability to send Spam, but since this went through your Exchange Server, it could affect anyone in your organization’s ability to send any email. So this is not something to mess around with. Getting yourself off of the RBL takes quite a bit of work, and in the meantime, your organization could be at a standstill.

So how do you safely send bulk email from CRM? By utilizing a third-party service like ClickDimensions, Mailchimp, Constant Contact or others. Email sent via these services goes through their servers. They spend the effort to keep their IPs off of RBLs, or take steps to get them off if they are added.

Does this mean you can Spam with abandon? Nope, each of these services will require you to confirm that you have a relationship with the people on your mailing list. If it turns out that you don’t, or too many people are unsubscribing, or marking your email as spam, they will kick you off of their service.

BTW, Spam is illegal. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $40,654, so non-compliance can be costly. You should review this Guide before launching any sort of bulk mail campaign.

Q & A Session

Tipp Jaar: does using Hosted mail servers mitigate this risk? I’ve heard anecdotally that using O365 or gmail for your email it reduces the risk of getting blacklisted because the emails won’t all come from the same IP addresses

Steve:I guess if those servers use dynamic IPs, maybe, but I could not say for sure. I suspect, if spamming, you would probably get kicked off of those services also, unless they were servers in Russia.

Tipp Jaar: Or used by White House staff…

Tip #894: Alternate key, duplicate data, and solutions

tl;dr

If you have duplicate values present in a field, creating alternate key on that field will fail. However, when a solution that includes alternate key is imported into the deployment where duplicates are present, the import does not fail and completes with the warning indicating that alternate key was not created.

Long story

Not every day you hear that kind of statement from Neil “New CRM Release – New Country” Benson

Well that’s embarrassing…

Long story short, Neil was trying to create an alternate key but kept receiving the message:

The error message on the system job to create the alternate key and index is:
The CREATE UNIQUE INDEX statement terminated because a duplicate key was found for the object name 'dbo.foobar_departmentBase' and the index name 'ndx_for_entitykey_foobar_deptkey'. The duplicate key value is (BARBAZ).

If you get this error, it means that you have more than one record with the value BARBAZ in the field selected for the alternate key.

Sounds simple enough, right? Until Jonas “Surströmming MkII” Rapp chimed in:

On the same topic – I created a similar key to prevent duplicates in my dev env. Exported solution and imported to test. There were duplicates in test, so I expected solution import failure. But the solution imported fine, I just got a warning that the index could not be created.

So failing import of some solution components/properties generate “import failed” while others only generate “import succeeded with warning”. There might be a reason for this that I am currently unaware of, but the inconsistent behavior worries me. At least until I know the good reason.

After some light debate, David “British Scientist” Jennaway gave us all if not a good reason then at least a very solid explanation:

I can see why some things result in warnings, and some in errors. My take on this is that anything that fails solely due to data in the destination (e.g. this example, and an invalid reference to a record in a workflow) is more likely to be a warning.