TL;DR / Key Takeaways
| What Is It? | A Salesforce alert that fires when too many users' Einstein Activity Capture (EAC) connections have become disabled — meaning email and calendar sync has stopped working for those users. |
| Key Concern | Disabled EAC accounts create silent data gaps — your reps lose automatic email logging, calendar sync, and activity intelligence without realizing it. |
| Root Causes | Password changes, MFA enforcement, expired OAuth tokens, Microsoft 365/Google Workspace auth disruptions, or license/permission issues. |
| Best For | Salesforce admins, RevOps leaders, and CRM managers responsible for maintaining data quality and user adoption. |
| Bottom Line | This is a fixable issue, but ignoring it compounds fast. A structured triage process gets accounts reconnected in minutes — and proactive monitoring prevents it from happening again. |
If you're a Salesforce admin, there's a good chance you've opened your inbox to find an email from Salesforce Einstein Activity Capture with the subject line:
"Review disabled Einstein Activity Capture accounts"
The message tells you that the percentage of connected accounts that are disabled has exceeded your selected threshold — often 20%. It points you to Einstein Activity Capture settings in Setup and offers a link to Salesforce Help.
And then... nothing. No step-by-step instructions. No explanation of why accounts got disabled. No priority guidance.
That's what this post is for. We'll walk through exactly what this notification means, why it happens, and the step-by-step process to diagnose and fix it — so your team's activity data stops falling through the cracks.
Einstein Activity Capture (EAC) is Salesforce's built-in tool that automatically syncs emails, calendar events, and contacts between your users' email provider (Microsoft 365 or Google Workspace) and Salesforce. Instead of reps manually logging every client email or meeting, EAC captures it in the background and surfaces it on the Activity Timeline of related records.
When an EAC account gets disabled, that user's sync stops silently. They don't get a pop-up. They don't see an error. Their emails and meetings just… stop appearing on Salesforce records.
The downstream impact:
- Incomplete activity data on accounts, contacts, and opportunities
- Broken reporting — pipeline reports that rely on activity metrics become unreliable
- Reduced AI accuracy — Einstein features that depend on activity data lose their inputs
- Adoption erosion — reps who notice missing data lose confidence in the system
This is why the threshold notification exists: Salesforce is telling you that the problem has reached a scale that requires admin attention.
EAC depends on a persistent OAuth connection between each user's email account and Salesforce. Anything that disrupts that connection will disable the account. Here are the most common causes:
When a user changes their Microsoft 365 or Google Workspace password, the existing OAuth token can be invalidated. EAC loses its connection and the account goes disabled.
How often this happens: Very frequently — especially in organizations with 90-day password rotation policies.
When IT rolls out new MFA requirements or changes MFA providers, existing OAuth sessions may be revoked. This is one of the most common causes of mass EAC disablements — you'll see dozens of accounts go disabled at once.
OAuth tokens have a lifespan. Even without password changes, tokens can expire based on your identity provider's policies. Azure AD (Microsoft Entra ID) and Google Workspace both have configurable token lifetime policies that can catch admins off guard.
Changes to your email provider's admin settings — conditional access policies, app consent settings, API permissions, or domain-level security policies — can break EAC connections for some or all users.
If a user's Salesforce license changes, or if the Einstein Activity Capture or Salesforce Inbox permission set is removed or modified, their EAC connection will be disabled.
If your org uses a mix of org-level connections (service account) and individual user connections, misconfigurations or overlapping settings can cause accounts to be disabled.
Microsoft 365 and Google Workspace occasionally experience outages that temporarily break OAuth connections. While these usually self-resolve, they can trigger the threshold notification.
Here's the exact process we use when helping clients troubleshoot this issue:
Open the email and note the org ID referenced. If you manage multiple Salesforce orgs, make sure you're working in the right one.
Then navigate to:
Setup → Quick Find → "Einstein Activity Capture" → Einstein Activity Capture Settings
Look for the User Connection Status section. This shows you:
- Total connected users
- Active connections
- Disabled connections
- Error details for each disabled account
Pro tip: Export the disabled accounts list. You'll want to cross-reference with recent IT changes.
Before fixing individual accounts, look for patterns:
| Pattern | Likely Cause |
|---|---|
| Many accounts disabled on the same date | Password policy change, MFA rollout, or provider outage |
| Only Microsoft 365 users affected | Azure AD/Entra ID configuration change |
| Only Google Workspace users affected | Google admin policy change |
| Random, ongoing disablements | Token expiration (check token lifetime policies) |
| Specific department or role affected | Permission set or license change |
Identifying the pattern tells you whether you're dealing with a one-time event (fix and move on) or a systemic issue (fix the root cause first, then re-enable).
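The pattern table above can be applied mechanically to the exported disabled-accounts list. The following Python sketch is an added example, not Salesforce or Vantage Point code. It assumes a CSV export with hypothetical columns `user`, `provider`, `department` and `disabled_on`, and treats "many" as at least three accounts making up 60% of the list; both cut-offs are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of an exported disabled-accounts list. The column names
# are assumptions for this example, not a documented Salesforce export schema.
SAMPLE_EXPORT = """user,provider,department,disabled_on
a.lee@example.com,Microsoft 365,Sales,2024-03-04
b.khan@example.com,Microsoft 365,Sales,2024-03-04
c.ortiz@example.com,Microsoft 365,Support,2024-03-04
d.wu@example.com,Microsoft 365,Finance,2024-03-04
e.roy@example.com,Microsoft 365,Marketing,2024-03-11
"""

PROVIDER_CAUSE = {
    "Microsoft 365": "Azure AD/Entra ID configuration change",
    "Google Workspace": "Google admin policy change",
}

def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(rows, org_providers, share=0.6, min_accounts=3):
    """Return (pattern, likely cause) pairs taken from the pattern table.

    share and min_accounts are assumed cut-offs for "many accounts".
    org_providers is the set of email providers the org uses, so a
    single-provider org is not reported as "only provider X affected".
    """
    if not rows:
        return []
    def top(col):  # most frequent value in a column and its count
        return Counter(r[col].strip() for r in rows).most_common(1)[0]
    def clustered(n):
        return n >= min_accounts and n / len(rows) >= share
    findings = []
    day, day_n = top("disabled_on")
    if clustered(day_n):
        findings.append((f"{day_n} accounts disabled on {day}",
                         "Password policy change, MFA rollout, or provider outage"))
    prov, prov_n = top("provider")
    if clustered(prov_n) and prov_n == len(rows) and len(org_providers) > 1:
        findings.append((f"only {prov} users affected", PROVIDER_CAUSE.get(prov, "unknown")))
    dept, dept_n = top("department")
    if clustered(dept_n):
        findings.append((f"{dept} department affected", "Permission set or license change"))
    # No cluster on any axis: the table's "random, ongoing" row.
    return findings or [("random, ongoing disablements",
                         "Token expiration (check token lifetime policies)")]
```

Calling `triage(load(SAMPLE_EXPORT), {"Microsoft 365", "Google Workspace"})` on the sample reports both the same-date cluster and the Microsoft-only pattern, which points at a one-time authentication change on the Microsoft side rather than token expiry.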
If the disablements are caused by an ongoing policy issue, fix that before re-enabling accounts — otherwise they'll just get disabled again.
Common root cause fixes:
- Azure AD token lifetime: Ensure refresh tokens are set to a reasonable lifetime (e.g., 90 days minimum)
- Conditional access policies: Whitelist the Salesforce EAC app in your conditional access policies
- Google Workspace app access: Verify that the Salesforce OAuth app is marked as "Trusted" in your Google Workspace admin console
- Permission sets: Confirm that all EAC users have the appropriate permission set assigned (either "Einstein Activity Capture" or "Standard Einstein Activity Capture")
For user-level connections (the most common setup):
For org-level connections:
After re-enabling:
- Check the Activity Timeline on a few records to confirm emails and events are syncing
- Send test emails to known contacts and verify they appear in Salesforce within 15-30 minutes
- Monitor the disabled count over the next few days to ensure the fix holds
The email you received was triggered because you (or a previous admin) configured a notification threshold. Here's how to review and adjust it:
| Org Size | Recommended Threshold | Rationale |
|---|---|---|
| < 50 users | 10% (5 users) | Even a few disabled accounts represent significant data loss |
| 50-200 users | 15% | Balances signal vs. noise |
| 200-500 users | 10% | At scale, 10% means 20-50 users losing activity capture |
| 500+ users | 5% | Large orgs need early warning — 5% still means 25+ users |
The best approach is catching disabled accounts before the threshold triggers. Here's what we recommend:
Create a recurring calendar item for your admin team to review EAC connection status every Monday. Five minutes of prevention saves hours of data recovery.
The single biggest cause of mass EAC disablements is uncoordinated authentication changes. Establish a process where IT notifies the Salesforce admin team before:
- Password policy changes
- MFA rollouts or provider changes
- Conditional access policy updates
- OAuth app permission modifications
Document the reconnection steps for your specific org (Microsoft 365 or Google Workspace, user-level or org-level) and share it with your help desk. When users report "my emails aren't showing in Salesforce," the fix should be a known, documented process.
If you're using user-level connections and experiencing frequent disablements, evaluate moving to an org-level connection using a service account. This centralizes authentication and reduces the surface area for connection failures.
Note: Org-level connections have their own trade-offs (single point of failure, different privacy considerations). Evaluate based on your organization's security requirements.
Create a custom report that tracks EAC connection status changes over time. This gives you trend data and helps you correlate disablements with IT changes.
The troubleshooting steps differ slightly depending on your email provider:
| Setting | Recommendation |
|---|---|
| Authentication | OAuth 2.0 via Azure AD (Entra ID) |
| Token Lifetime | Set refresh token to 90+ days |
| Conditional Access | Whitelist Salesforce EAC app |
| Admin Consent | Grant org-wide consent to avoid per-user approval |
| Known Issues | Recurring events can cause sync gaps; delegated calendars have limited support |
| Setting | Recommendation |
|---|---|
| Authentication | OAuth 2.0 via Google Identity |
| Domain-Wide Delegation | Enable for org-level connections |
| App Trust Level | Mark Salesforce as "Trusted" in admin console |
| API Scopes | Ensure Gmail and Calendar API scopes are granted |
| Known Issues | Multiple email aliases can cause conflicts (EAC supports one active email per user) |
Einstein Activity Capture is a powerful tool, but it has well-documented limitations:
For organizations that need more robust email integration — particularly in regulated industries where compliance logging, email archival, and audit trails are requirements — third-party solutions like Riva, Cirrus Insight, or custom integrations via MuleSoft may be worth evaluating alongside EAC.
This Salesforce notification means that the percentage of your users whose EAC email/calendar connections have stopped working has exceeded your configured alert threshold. It's a signal that automatic activity capture has silently stopped for a significant portion of your team.
Navigate to Setup → Einstein Activity Capture → Einstein Activity Capture Settings and review the User Connection Status section. You'll see a list of all connected users with their current status (Active, Disabled, or Error).
The most common causes are password changes, MFA enforcement, expired OAuth tokens, or changes to your Microsoft 365/Google Workspace admin policies. Look for a pattern — if many accounts were disabled on the same date, it's likely a systemic authentication change.
Users can reconnect by going to the App Launcher → Einstein Activity Capture and clicking Reconnect, or through their Personal Settings → Connected Accounts. They'll need to re-authenticate with their Microsoft or Google credentials.
Yes — coordinate with IT before authentication policy changes, use org-level connections where possible, set Azure AD/Google token lifetimes appropriately, and establish a weekly EAC health check routine.
EAC automatically captures emails, events, and contacts in the background without user action. Manual activity logging requires reps to click "Log a Call," "New Event," or use the email-to-Salesforce feature. EAC reduces admin burden but has less flexibility for custom data capture.
Org-level connections use a single service account and are easier to maintain at scale but create a single point of failure. User-level connections give individual users control but are more susceptible to mass disablements from password/MFA changes. Most enterprise deployments benefit from org-level connections with user-level fallbacks.
If you're dealing with disabled EAC accounts right now, follow the step-by-step guide above to get your team reconnected. If you're looking for help managing Einstein Activity Capture at scale — or evaluating whether EAC is the right fit for your organization's compliance and data requirements — Vantage Point can help.
We've configured, troubleshot, and optimized EAC deployments across financial services firms, healthcare organizations, and enterprises of every size. Whether you need a one-time fix or ongoing managed services to keep your Salesforce org running smoothly, our senior consultants have seen (and solved) it all.
Vantage Point is a Salesforce and HubSpot consulting partner specializing in CRM implementation, integration, and managed services for regulated industries. With 150+ clients and 400+ engagements, we bring senior-level expertise to every project.