TL;DR / Key Takeaways
| What Is It? | A Salesforce alert that fires when too many users' Einstein Activity Capture (EAC) connections have become disabled — meaning email and calendar sync has stopped working for those users. |
| Key Concern | Disabled EAC accounts create silent data gaps — your reps lose automatic email logging, calendar sync, and activity intelligence without realizing it. |
| Root Causes | Password changes, MFA enforcement, expired OAuth tokens, Microsoft 365/Google Workspace auth disruptions, or license/permission issues. |
| Best For | Salesforce admins, RevOps leaders, and CRM managers responsible for maintaining data quality and user adoption. |
| Bottom Line | This is a fixable issue, but ignoring it compounds fast. A structured triage process gets accounts reconnected in minutes — and proactive monitoring prevents it from happening again. |
If you're a Salesforce admin, there's a good chance you've opened your inbox to find an email from Salesforce Einstein Activity Capture with the subject line:
"Review disabled Einstein Activity Capture accounts"
The message tells you that the percentage of connected accounts that are disabled has exceeded your selected threshold — often 20%. It points you to Einstein Activity Capture settings in Setup and offers a link to Salesforce Help.
And then... nothing. No step-by-step instructions. No explanation of why accounts got disabled. No priority guidance.
That's what this post is for. We'll walk through exactly what this notification means, why it happens, and the step-by-step process to diagnose and fix it — so your team's activity data stops falling through the cracks.
What Is Einstein Activity Capture (and Why Does It Matter)?
Einstein Activity Capture (EAC) is Salesforce's built-in tool that automatically syncs emails, calendar events, and contacts between your users' email provider (Microsoft 365 or Google Workspace) and Salesforce. Instead of reps manually logging every client email or meeting, EAC captures it in the background and surfaces it on the Activity Timeline of related records.
What EAC Does
- Email capture: Automatically logs emails exchanged with contacts/leads to Salesforce records
- Calendar sync: Syncs calendar events between your email provider and Salesforce (one-way or two-way depending on configuration)
- Contact sync: Keeps contacts aligned across both systems
- Activity intelligence: Powers features like Einstein Relationship Insights and activity metrics
Why Disabled Accounts Are a Big Deal
When an EAC account gets disabled, that user's sync stops silently. They don't get a pop-up. They don't see an error. Their emails and meetings just… stop appearing on Salesforce records.
The downstream impact: - Incomplete activity data on accounts, contacts, and opportunities - Broken reporting — pipeline reports that rely on activity metrics become unreliable - Reduced AI accuracy — Einstein features that depend on activity data lose their inputs - Adoption erosion — reps who notice missing data lose confidence in the system
This is why the threshold notification exists: Salesforce is telling you that the problem has reached a scale that requires admin attention.
Why Do EAC Accounts Get Disabled?
EAC depends on a persistent OAuth connection between each user's email account and Salesforce. Anything that disrupts that connection will disable the account. Here are the most common causes:
1. Password Changes
When a user changes their Microsoft 365 or Google Workspace password, the existing OAuth token can be invalidated. EAC loses its connection and the account goes disabled.
How often this happens: Very frequently — especially in organizations with 90-day password rotation policies.
2. Multi-Factor Authentication (MFA) Enforcement
When IT rolls out new MFA requirements or changes MFA providers, existing OAuth sessions may be revoked. This is one of the most common causes of mass EAC disablements — you'll see dozens of accounts go disabled at once.
3. Expired OAuth Tokens
OAuth tokens have a lifespan. Even without password changes, tokens can expire based on your identity provider's policies. Azure AD (Microsoft Entra ID) and Google Workspace both have configurable token lifetime policies that can catch admins off guard.
4. Microsoft 365 / Google Workspace Configuration Changes
Changes to your email provider's admin settings — conditional access policies, app consent settings, API permissions, or domain-level security policies — can break EAC connections for some or all users.
5. License or Permission Issues
If a user's Salesforce license changes, or if the Einstein Activity Capture or Salesforce Inbox permission set is removed or modified, their EAC connection will be disabled.
6. Org-Level vs. User-Level Connection Conflicts
If your org uses a mix of org-level connections (service account) and individual user connections, misconfigurations or overlapping settings can cause accounts to be disabled.
7. Email Provider Outages
Microsoft 365 and Google Workspace occasionally experience outages that temporarily break OAuth connections. While these usually self-resolve, they can trigger the threshold notification.
Step-by-Step: How to Fix Disabled EAC Accounts
Here's the exact process we use when helping clients troubleshoot this issue:
Step 1: Review the Notification and Assess Scope
Open the email and note the org ID referenced. If you manage multiple Salesforce orgs, make sure you're working in the right one.
Then navigate to:
Setup → Quick Find → "Einstein Activity Capture" → Einstein Activity Capture Settings
Look for the User Connection Status section. This shows you: - Total connected users - Active connections - Disabled connections - Error details for each disabled account
Pro tip: Export the disabled accounts list. You'll want to cross-reference with recent IT changes.
Step 2: Identify the Pattern
Before fixing individual accounts, look for patterns:
| Pattern | Likely Cause |
|---|---|
| Many accounts disabled on the same date | Password policy change, MFA rollout, or provider outage |
| Only Microsoft 365 users affected | Azure AD/Entra ID configuration change |
| Only Google Workspace users affected | Google admin policy change |
| Random, ongoing disablements | Token expiration (check token lifetime policies) |
| Specific department or role affected | Permission set or license change |
Identifying the pattern tells you whether you're dealing with a one-time event (fix and move on) or a systemic issue (fix the root cause first, then re-enable).
Step 3: Fix the Root Cause (If Systemic)
If the disablements are caused by an ongoing policy issue, fix that before re-enabling accounts — otherwise they'll just get disabled again.
Common root cause fixes: - Azure AD token lifetime: Ensure refresh tokens are set to a reasonable lifetime (e.g., 90 days minimum) - Conditional access policies: Whitelist the Salesforce EAC app in your conditional access policies - Google Workspace app access: Verify that the Salesforce OAuth app is marked as "Trusted" in your Google Workspace admin console - Permission sets: Confirm that all EAC users have the appropriate permission set assigned (either "Einstein Activity Capture" or "Standard Einstein Activity Capture")
Step 4: Re-Enable Individual Accounts
For user-level connections (the most common setup):
- Notify affected users — Send a clear email explaining they need to reconnect
- Users reconnect by going to: App Launcher → Einstein Activity Capture → Reconnect (or the connected accounts page in their personal settings)
- Users re-authenticate with their Microsoft 365 or Google credentials
- Verify sync resumes — Check after 15-30 minutes that emails and events are flowing again
For org-level connections:
- Go to Setup → Einstein Activity Capture Settings
- Review the org-level connection status
- If needed, disconnect and reconnect the service account
- Re-authorize with appropriate admin credentials
- Monitor the connection status for 24-48 hours
Step 5: Verify and Monitor
After re-enabling: - Check the Activity Timeline on a few records to confirm emails and events are syncing - Send test emails to known contacts and verify they appear in Salesforce within 15-30 minutes - Monitor the disabled count over the next few days to ensure the fix holds
How to Configure the Threshold Notification
The email you received was triggered because you (or a previous admin) configured a notification threshold. Here's how to review and adjust it:
- Go to Setup → Quick Find → "Einstein Activity Capture"
- Click Einstein Activity Capture Settings
- Look for Notification Settings or Threshold Settings
- Adjust the percentage threshold (e.g., 5%, 10%, 20%) based on your org size
- Add or update the admin email address for notifications
Recommended Thresholds by Org Size
| Org Size | Recommended Threshold | Rationale |
|---|---|---|
| < 50 users | 10% (5 users) | Even a few disabled accounts represent significant data loss |
| 50-200 users | 15% | Balances signal vs. noise |
| 200-500 users | 10% | At scale, 10% means 20-50 users losing activity capture |
| 500+ users | 5% | Large orgs need early warning — 5% still means 25+ users |
Proactive Monitoring: Preventing This Email in the First Place
The best approach is catching disabled accounts before the threshold triggers. Here's what we recommend:
Weekly EAC Health Check
Create a recurring calendar item for your admin team to review EAC connection status every Monday. Five minutes of prevention saves hours of data recovery.
Coordinate with IT on Auth Changes
The single biggest cause of mass EAC disablements is uncoordinated authentication changes. Establish a process where IT notifies the Salesforce admin team before: - Password policy changes - MFA rollouts or provider changes - Conditional access policy updates - OAuth app permission modifications
Create a Re-Connection Runbook
Document the reconnection steps for your specific org (Microsoft 365 or Google Workspace, user-level or org-level) and share it with your help desk. When users report "my emails aren't showing in Salesforce," the fix should be a known, documented process.
Consider Org-Level Connections
If you're using user-level connections and experiencing frequent disablements, evaluate moving to an org-level connection using a service account. This centralizes authentication and reduces the surface area for connection failures.
Note: Org-level connections have their own trade-offs (single point of failure, different privacy considerations). Evaluate based on your organization's security requirements.
Use Salesforce Reports for Monitoring
Create a custom report that tracks EAC connection status changes over time. This gives you trend data and helps you correlate disablements with IT changes.
EAC Configuration: Microsoft 365 vs. Google Workspace
The troubleshooting steps differ slightly depending on your email provider:
Microsoft 365 (Exchange Online)
| Setting | Recommendation |
|---|---|
| Authentication | OAuth 2.0 via Azure AD (Entra ID) |
| Token Lifetime | Set refresh token to 90+ days |
| Conditional Access | Whitelist Salesforce EAC app |
| Admin Consent | Grant org-wide consent to avoid per-user approval |
| Known Issues | Recurring events can cause sync gaps; delegated calendars have limited support |
Google Workspace
| Setting | Recommendation |
|---|---|
| Authentication | OAuth 2.0 via Google Identity |
| Domain-Wide Delegation | Enable for org-level connections |
| App Trust Level | Mark Salesforce as "Trusted" in admin console |
| API Scopes | Ensure Gmail and Calendar API scopes are granted |
| Known Issues | Multiple email aliases can cause conflicts (EAC supports one active email per user) |
When EAC Isn't Enough: Knowing Your Limits
Einstein Activity Capture is a powerful tool, but it has well-documented limitations:
- One-way email sync: Emails are captured into Salesforce but can't be edited or enriched after capture
- No record creation: EAC won't create new Accounts, Contacts, or Opportunities from email activity
- Basic matching logic: The algorithm for associating emails with Salesforce records can miss matches, especially with generic email domains
- No custom object support: Activity capture is limited to standard objects
- Storage considerations: Captured activities count toward your Salesforce data storage limits
For organizations that need more robust email integration — particularly in regulated industries where compliance logging, email archival, and audit trails are requirements — third-party solutions like Riva, Cirrus Insight, or custom integrations via MuleSoft may be worth evaluating alongside EAC.
FAQ: Einstein Activity Capture Disabled Accounts
What does "Review disabled Einstein Activity Capture accounts" mean?
This Salesforce notification means that the percentage of your users whose EAC email/calendar connections have stopped working has exceeded your configured alert threshold. It's a signal that automatic activity capture has silently stopped for a significant portion of your team.
How do I check which EAC accounts are disabled?
Navigate to Setup → Einstein Activity Capture → Einstein Activity Capture Settings and review the User Connection Status section. You'll see a list of all connected users with their current status (Active, Disabled, or Error).
Why did my EAC accounts suddenly get disabled?
The most common causes are password changes, MFA enforcement, expired OAuth tokens, or changes to your Microsoft 365/Google Workspace admin policies. Look for a pattern — if many accounts were disabled on the same date, it's likely a systemic authentication change.
How do users reconnect their EAC account?
Users can reconnect by going to the App Launcher → Einstein Activity Capture and clicking Reconnect, or through their Personal Settings → Connected Accounts. They'll need to re-authenticate with their Microsoft or Google credentials.
Can I prevent EAC accounts from getting disabled?
Yes — coordinate with IT before authentication policy changes, use org-level connections where possible, set Azure AD/Google token lifetimes appropriately, and establish a weekly EAC health check routine.
What's the difference between Einstein Activity Capture and manual activity logging?
EAC automatically captures emails, events, and contacts in the background without user action. Manual activity logging requires reps to click "Log a Call," "New Event," or use the email-to-Salesforce feature. EAC reduces admin burden but has less flexibility for custom data capture.
Should I use org-level or user-level EAC connections?
Org-level connections use a single service account and are easier to maintain at scale but create a single point of failure. User-level connections give individual users control but are more susceptible to mass disablements from password/MFA changes. Most enterprise deployments benefit from org-level connections with user-level fallbacks.
Next Steps
If you're dealing with disabled EAC accounts right now, follow the step-by-step guide above to get your team reconnected. If you're looking for help managing Einstein Activity Capture at scale — or evaluating whether EAC is the right fit for your organization's compliance and data requirements — Vantage Point can help.
We've configured, troubleshot, and optimized EAC deployments across financial services firms, healthcare organizations, and enterprises of every size. Whether you need a one-time fix or ongoing managed services to keep your Salesforce org running smoothly, our senior consultants have seen (and solved) it all.
Vantage Point is a Salesforce and HubSpot consulting partner specializing in CRM implementation, integration, and managed services for regulated industries. With 150+ clients and 400+ engagements, we bring senior-level expertise to every project.
