Loading

Salesforce Lightning Sync FAQ

Julkaisupäivä: Mar 6, 2026
Kuvaus
Note:  Lightning Sync: Not Available for New Customers in Winter ’21

For general information about Salesforce Lightning Sync, please review Lightning Sync

Lightning Sync provides three ( 3 ) Connection Methods depending on your Email Server, which lets you sync your Contacts and Calendar from either systems or both depending on the sync configurations settings:
 
 
Choose whether you’d like to connect Microsoft Exchange to Salesforce using an Exchange service account, or OAuth 2.0, and then set up that connection. Both choices use Exchange Web Services (EWS) behind the scenes, and both of these choices are the best-in-class, secure connections that Microsoft recommends for 3rd party integrations like Lightning Sync.

To learn more, please review:

Or watch our Salesforce YouTube video:
Ratkaisu


Here are answers to specific questions you may have about working with Salesforce Lightning Sync:

1. Why Office365 Global Administrator Role is Required for OAuth 2.0 Setup?

If you're not familiar with OAuth 2.0, start by reading the The OAuth 2.0 Authorization Framework.

As you can see from the Lightning Sync set up page, when the global admin account is requested for authentication, we actually redirect the user to the Microsoft O365 login page. The credentials are never provided to Lightning Sync and Salesforce is never aware of what the credential is, i.e. this credential is never stored in the Salesforce organization and it never used in subsequent connections to O365. Rather, an OAuth token, which does not contain the credentials, is used after the initial OAuth setup in the form of one-time consent to the OAuth authentication.

As part of initial phase of the OAuth 2.0 flow, it installs Lightning Sync's multi-tenant Azure app (called 'Salesforce Lightning Sync') into the Azure instance, which can be visible in active directory portal here. By doing so, the Azure global admin is consenting that the Lightning Sync application can obtain an OAuth token that can access users' mailboxes via EWS(Exchange Web Services).

Note that the purpose of this procedure is to register the application into the customer's AD in their Azure tenant, and for Lightning Sync to obtain the tenant ID from Azure. The Azure global admin does not need to be a syncing user, nor does the admin gain any 'powers' by logging into Azure, nor does this give impersonation rights for the admin; they are merely installing the application into their Azure tenant. The application will remain installed and will continue to function in perpetuity, even if the admin changes their password, or leaves the company.

To learn more about Lightning Sync enterprise app architecture and design, please read:
Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow 
Client credentials overview documentation
Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs

Below are few more points which explains the access or permission used by Lightning Sync:

  • Allows the app to have full access via Exchange Web Services to all Mail Exchange User Accounts without a signed-in User.
  • Allows users to sign in to the app, and allows the app to read the profile of signed-in Users. It also allow the app to read basic company information of signed-in users.
  • At setup time, your O365 admin enters Azure password into Microsoft Azure AD site not in Salesforce.
  • Salesforce stores oAuth 2.0 token and not the credentials.
  • Microsoft's implementation of the OAuth 2.0 'client-credentials grant flow' protocol does not provide a way for the customer to scope which mailboxes the client can access, therefore the token that Lightning Sync obtains from Azure can access all Office Mail Exchange User Accounts without the need of having individual User to authenticate.
  • Data in transit through Lightning Sync is fully encrypted via SSL and not being shared by any third-party.
  • If the O365/Azure admin decides to revoke the access, the admin can uninstall the application from the Azure portal and the Lightning Sync service will no longer be able to obtain a token.
  • In the event that a user is deactivated in O365 or within Salesforce (or is removed from an active Lightning Sync config), we no longer sync Events and Contacts for that User.
 
Note: Lightning Sync utilizes only Calendar and Contacts Read/Write permission on User Mailbox Account and do not read/scan emails. Lightning Sync only attempts to make EWS API calls for Users who are assigned to active Lightning Sync configuration (not to entire User-base present on Exchange server).
 

2. What happens if we change the password or downgrade the Office365 Global administrator role to 'User (no administrator access)' or if we delete that Global administrator once established the connection using OAuth 2.0 for Microsoft Exchange?

Nothing will change, Lightning sync connection will remain established, as the access token is reused rather than refreshing to a new token.
   
Note: Once the global administrator has consented and installed the application into their tenant, Lightning Sync can obtain a token to access Users' mailbox Accounts in that tenant, via EWS API's.


3. What will happen if we change the password of Exchange Service account once established the connection using 'Service Account for Microsoft Exchange?'

You have to resupply the credentials of the Exchange service account into Salesforce Lightning sync setup, otherwise the records sync will not work.
 

4How does Lightning Sync store Exchange service account's password when using Connection Method: 'Service Account for Microsoft Exchange?'

Lightning Sync asks service account's name and password in Visualforce page and saves the password in encrypted form using cryptographic hash function inside database leveraging the existing 'encrypted field' feature in Salesforce, which also provides a key management mechanism. Lightning Sync uses these encrypted credentials to communicate with the exchange through EWS and Autodiscovery services following the SSL encrypted connection and never passes the plain-text, but hash output. The application hashes the provided password and compares it to the stored password.
The credentials are stored in a three-layer key storage scheme, which is PCI Compliant.


5. Can we sync events in both directions using Lightning Sync?

Yes, you can sync Events both ways using Lightning Sync with any available connection methods. Refer to Event sync directions available in Configuration when using Lightning Sync for more information.
 

6. Can we sync the Events created through API/backend tools using bi-directional sync from Salesforce to Exchange?

Yes, starting from Winter'19 release, Events created from API/backend will sync automatically based on reps’ existing sync configurations.


7. Can we sync the Events we created from Outlook Integration add-in or Gmail Integration chrome extension through Quick Actions (Publisher Actions) using Lightning Sync?

Yes, any Events which are created from Outlook Integration add-in or Gmail Integration will also be synced from Salesforce to Exchange (Google) calendar using Lighting Sync.

Note: The Events which are created from side panel (Email Application Pane) using Quick Publisher Actions will be synced. The Events which are added using 'Add Event' button will also be synced if you specify which Exchange/Google Events sync to Salesforce by setting 'Events users select' on Sync configuration.


8. Which Salesforce license types does the Lightning Sync support?

Lightning Sync is available for Sales/Service Cloud (Salesforce), Lightning Platform and Force.com User licenses. Depending on the objects that are available through the license, reps can sync Contacts, Events, or both between their Microsoft applications and Salesforce.

Note: Events are synced for the Salesforce Users with Lightning Platform - Salesforce Platform, Lightning Platform - OneApp or Lightning Platform App Subscription licenses. Contact sync isn’t supported for Lightning Sync customers working from the user license Lightning Platform - One App. Lightning Platform - One App doesn’t include the Contacts object. Lightning Platform Starter and Lightning Platform Plus license types do not support both Events and Contacts sync.
 

9. What is the difference between Event Attendees and Event Invitees in Salesforce, and can we sync them from Salesforce to Exchange?

Lightning Experience offers event attendees, which are similar to event invitees in Salesforce Classic, with a few differences.

  • Invitees don’t require any setup, and users can - view, invite, or manage event invitees on their events in Salesforce Classic. Salesforce will send the meeting invitation on behalf of User to event invitees, where invitees have option to respond by clicking on Respond to This Request button and response gets captured in Salesforce. Invitees also have option to add the .vcs file to their Outlook, and Salesforce User has option to click on Add to Outlook button from Salesforce Event to place the meeting. Refer Scheduling and Invitations in Salesforce Classic.
  • Syncing attendees require setting-up Lightning Sync by an administrator which let Users view, invite, or manage Event attendees in Lightning Experience and Salesforce for iOS and Android. ​Refer to Event Attendees Sync​ and Considerations for Using Events and Calendars in Lightning Experience​ to know more about this topic.
 

10. Why do I not see the standard 'Attendees' field in Salesforce Events?

Attendees field is only available when you meet the below criteria:

  • Salesforce administrator has to enable the Lightning Experience (LEX) in Salesforce organization.
  • In Lightning Experience and the Salesforce app, Users get the 'Attendees' field when administrators add it to Event page layouts, compact page layouts, or quick actions layouts. The Attendees field isn’t available on the Activity Timeline.
  • For syncing attendees, Administrator have to set up Lightning Sync using any connection method with the 'Sync Both Ways' or 'Salesforce to Exchange/Google' sync direction, so Events are syncing between Salesforce and Users’ Microsoft®/Google calendars.
If you meet above criteria and still do not see the standard Attendees field on Events object, check if you had setup Lightning Sync using Service Account for Microsoft Exchange earlier and have beta (legacy) bi-directional (sync both way) sync enabled for Events. Log a Support Case with Salesforce to disable the beta feature, which will automatically enable the Attendees field on your organization.

Note: Though users see 'Attendees' field on the Lightning Experience Event page layout, the attendees' sync will not work as expected if the Org has beta (legacy) bi-directional sync perms enabled.
 

11. What is the frequency of syncing the events and contacts using Lightning Sync?

Depending on multiple internal and/or external factors (which includes User base and number of records in sync), initial sync could take time ranging from 48-72 hours or even more. Once initial sync is completed, every newly created record will be synced in minutes. However, syncing can take up to a day or more in some cases:

  • When many users are set up to start syncing around the same time
  • When sync is pending for a significant number of contacts
  • NOTE: Lightning Sync will sync 50k Contacts and 50k Events.

Review Contact Sync and Event Sync.
Log a Support Case with Salesforce if you see major delays in syncing of records.
 

12. Does Lightning Sync support Multi-factor authentication?

2-factor authentication will not work with Lightning Sync because the sync engine runs as a service. Currently Outlook Multi-factor Authentication is not supported with Lightning Sync service account method. As a workaround, disable Multi-factor authentication for just the service account. Please refer to Set Two-Factor Authentication Login Requirements for more information.
 

13. What do I need to know about the best practices to be followed while setting up Lightning Sync?

  • Always conduct a testing with small user-base in sandbox first before rolling out solution in production.
  • Every new organization on which you configure Lightning Sync, it will always be treated as first time sync and could take time ranging from 48-72 hours or even more (depending on several internal and/or external factors). 
  • When setting up Lightning Sync from scratch, always enable 1 User for syncing first, and then gradually increase the Users in multiple slots. 
  • Make no frequent changes to Active Configurations including adding/removing User's/profiles, changing the sync direction, changing the data-set, deleting/re-creating configurations, adding same User's again to new configurations, etc. 
  • Do not add profiles to Lightning Sync Configuration which have inactive Users (Users who are not active) or contain Users with email addresses not belonging to synced domain/exchange - this results in picking those users every time in multiple cycles and generate error in our server. 
  • Do not perform 'Reset Sync' for Users in case of slow sync or for any functionality issues. Only Reset Sync when you see nothing syncs for specific User or the User is not being picked for syncing even though the connection test passes. Reset Sync will clean all records and start sync from scratch.
  • Do not enable/disable Lightning Sync, change the Connection method, or frequently change the credentials of Service Account (if using Service Account method). These actions can result in performance issues, no sync, lost in backend mapping, duplication of records, etc.
  • Take precautions before performing the mass or bulk update of Events or Contacts records in Salesforce, this can result in updating/over-riding the records in counter-part system depending on sync direction and data-set settings. This could also result in creating duplicates and sending event update notifications (if attendees are present).
  • If you migrate your exchange server, make any changes to point towards different servers or move mailbox accounts - the unique mapping id/relationship id between the Outlook and Salesforce Events will be lost/corrupted. In this scenario, you will get duplicates entries in either system or both depending on sync direction. To avoid the duplicates, make sure you maintain different calendar folders for moved data in exchange side and have main calendar blank for syncing with Salesforce. It is also advised to disable Lightning sync during such activities on Exchange server.

14. How does Events and Attendees (Meeting participants) along with their responses sync from Microsoft/Google calendar to Salesforce using Lightning Sync?
When an organizer (sync user) invite people to events from Microsoft/Google calendar, Salesforce Lightning Sync first picks those events and creates a parent event record within Salesforce assigning it to Salesforce User (Organizer). Later, it searches for the User, Lead or Contact records within Salesforce, matching with email addresses of invited people (meeting participants). When it finds matching records in Salesforce, it associates them on 'Attendees' field of created Event record with preference (in scenario where invited people email address matches with more than one record in Salesforce) given first to Users, then to Leads, and last to Contacts.

If there are more than one sync User in Lightning Sync configuration and organizer creates an internal meeting inviting other sync Users as meeting participants, then Lightning Sync will create a parent event (for Organizer) and child events (for each sync User participants) in Salesforce. The parent event will be assigned to Organizer of Event, and the child Events will be assigned to each User who are part of meeting. All parent and child events will contain same information along with 'Attendees' field value, but on all the Event records, 'Created By' field will show the organizer name. When Salesforce Organization Admin searches the Event record with its subject, then he will see multiple records having same information, but each of them will be assigned to separate Users.
The attendees’ responses sync too in Salesforce when they either 'Accept', 'Decline' or mark 'Maybe' on the invitation received to them. Such responses are first updated on meeting Organizer's Microsoft/Google calendar, and then it gets synced to Salesforce event record showing the status under 'Attendees' field against each participant.

NOTE: With Lightning Sync Microsoft/Gmail is responsible for sending out Event invitations and  updates to Attendees not Salesforce.

To better understand this scenario, refer to below explanation.
User A creates an Event in Microsoft/Google calendar and invites 4 people - 2 are Users, 1 is Contact and 1 is Lead records in salesforce. Assume that both 2 Users are also syncing with Lightning Sync (part of active Lightning sync configuration). When the event is synced using Lightning Sync:
  • Salesforce will create 3 Event in Salesforce - 1 parent event assigned to Organizer: User A, and other 2 child events assigned to other participating users (say User B and User C).
  • On all the 3 events, entire information will be exactly same, but 'Created By' field will show the User A name.
  • Attendees field value will show User A (organizer), User B, User C, Contact A and Lead A (assuming Contact and Lead email addresses matches with salesforce Contact and Lead records). Attendees field will also show the responses from each participant.
  • In same scenario, if User B declines the meeting, then a child event will be deleted which was assigned to User B and only 2 events will remain. The Attendees field will show User A, User C, Contact A and Lead A invitation responses as 'Accepted' and for User B it will show 'Declined.'
Refer to Event Attendees Sync article to know more about the attendees sync limitations and considerations.

Note: If a non-syncing User (i.e. the User who does not belong to Lightning Sync configuration) creates a meeting in Salesforce as Organizer and invites syncing Users (i.e. the Users who are assigned to Lightning Sync configuration) as Attendee's, then those child Events will not be synced on Attendees Outlook/Google calendar i.e. Salesforce -> Exchange direction. Refer article on Considerations for Syncing Events.

15. Can we add custom filed mapping using Lightning Sync (or) can Category field in Exchange be mapped to any other field in Salesforce like Type or any other field?

No, it's not possible to add custom field mapping using Lightning Sync as Lightning Sync runs as service, if a field (ex: Category) in Lightning Sync for Exchange setup is not available in the UI, it's simply not available for mapping.
 

16. Does Lightning Sync support a Hybrid Office 365 and on-Premise Exchange deployment?

No. Hybrid deployments having Exchange Mailboxes located in multiple servers are not presently supported. Lightning Sync requires to have Mailboxes either on Exchange Online or on-Premise Exchange server, both servers can't be supported for syncing.

Lightning sync is an organization level setup running on servers, and on one Salesforce organization you can only authenticate one Exchange server. Thus, you cannot use multiple Exchange servers from Salesforce side.

If your exchange is running on a hybrid setup, they can put all the different exchange server mailbox accounts into single DAG (forest) and use Service Account connection method to achieve this, but it requires an expert Exchange server administrator to do a job.

If you have simply purchased 2 different Office 365 tenant with pure Exchange Online, there’s no possibility to achieve this, and only workaround to purchase 2 Salesforce organization tenants for each Office 365 tenant and setup Lightning sync. Refer to "Lightning Sync System Requirements" for more information.
 

17. Does Lightning Sync support syncing with Email 'Alias' address and 'Distribution List/Group' address?

No, Lightning Sync requires a Primary Mailbox address having Calendar and Contacts folder access to sync the records. If you are using 'Alias' or 'Distribution List' or 'Shared Group' Mailbox/Email Address, the syncing may not work, and Salesforce will not be able to provide support for them.

 

18. Why do events deleted from Salesforce not get deleted from Outlook?

One of the reasons for this is the fact Lightning Sync does not support Salesforce to Exchange (Outlook) delete of events for orgs that have the legacy "BiDi sync (Beta)" permission enabled. In order to delete events from Salesforce to Exchange, this permission needs to be disabled. Please reach out to Salesforce Support for help in disabling this permission for your Salesforce org.

 

19. Why are the time of Events in Salesforce Calendar does not match in the Outlook Calendar?

When syncing Events using Lightning Sync, Windows and Salesforce must have the same time zone set up. When they are different, Salesforce will display the users timezone settings. This results in Events showing an hour or two delayed or advanced.

 

20. If users are also assigned to an active Salesforce for Outlook sync configuration, while assigned on the Lightning Sync configuration at the same time, how will the user sync objects?

Salesforce gives sync preference to objects syncing with Einstein Activity Capture or Lightning Sync. However, because Salesforce gives preference by object, not by configuration type, either or both features can sync your reps’ Microsoft® items. See How Salesforce Manages Sync Conflicts Between Products.

21. Will Event Owner changes cause a sync?

Only changes made directly on the event will cause a sync. Event ownership change due to ownership change of related records will not sync.

Knowledge-artikkelin numero

000382000

 
Ladataan
Salesforce Help | Article