{Quick Tip} Restrict To Lookup of email to allow only a record in Dynamics 365

There is nothing like real-time requirements, and here is another one. A customer walks in and states his requirement – “Users should not be able to select more than one record in the To field of CRM”. We suggested that while sending the email, we would put in a validation which would stop the user from sending the email if more than one record is there. Well, as everybody knows, more often than not the customer has his way, and then we were back to the drawing board trying to figure out how to do it.

For starters, the To field in Dynamics allows you to select more than one record across multiple entity types, which is to be expected. Below is the UI which allows you to do that.

image

 

Fortunately we found out a way. This is what we did.

  • Created a solution. Added Email entity and the To field to it.
  • Exported the solution
  • Unzipped the solution and opened up the customizations.xml file in an XML editor.
  • Navigated to the area where the To attribute is in the XML file.

image

  • Added the below in the XML file just above the <displaynames> tag.

<LookupStyle>single</LookupStyle>

  • Re-zipped the files. Imported the solution back and published all customizations.
  • And now when you click the To field, this is what you get.

image

 

Mission accomplished!

Hope this helps.

 

Debajit Dutta

(Dynamics MVP)

For training/ consulting, please write to us at info@xrmforyou.com


{Quick Tip} Restrict From Lookup in Dynamics 365 email to only queue–Without addCustomFilter or Unsupported Jscript

This is an old topic which has been discussed since CRM 2011, or I think even before that. You must be wondering why I am digging out history here. Well, there have been so many blogs written about this.

So what’s the problem statement here?

Recently my customer wanted every email sent from Dynamics to be sent only through Queues. In other words, in the From lookup of the email, the user should not be able to select self or any other user from CRM.

So there are basically two steps to it. Since from is a multi-entity lookup, it shows both the user and queue when user tries to select.

So the first thing needed is to stop the user from selecting the user entity and the next is to stop the user from selecting any user record in from.

To solve the first problem, many blogs have been written, but they use unsupported JavaScript to meddle with the UI element and disable the dropdown. We will not do that here.

The other option, the supported way, is to use addCustomFilter. But with that, even though you stop the user from selecting a user record, the entity selection of User/ Queue is still available.

So wanna try something new? Let’s do this.

  • Create a solution and add the Email entity to it. While adding the entity, to keep the solution simple, just add the from field to it (only for CRM 2016 and above; in prior versions you do not have the option to choose)
  • Export the solution as Unmanaged
  • Unzip the solution. You should see three files
    • customizations.xml
    • solution.xml
    • [Content_Types].xml
  • Open customizations.xml in an XML editor of your choice and navigate to the section where the From field is present.

image

  • You may find unmodified="1" on the attribute element as well as on the Email entity element. Remove these attributes. Otherwise any changes you make here may not be reflected in CRM once you import back.
  • Scroll down a bit and you will see the section with the LookupType tag.

image

  • Remove the entire element corresponding to 8 (Type code for user). Your final XML should just contain the one LookupType tag with Queue (2020).
  • All set and done, select the three files and re-zip them

image

  • Re-import the solution and publish all customizations.
  • Now go back to your CRM email. Try to select “from”. And get the delight. Now entity selection is disabled and you are just left with selecting the queue.

image
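
The two customizations.xml edits from this tip and from the To-field tip above, scripted so they are applied the same way every time (an added example, not code from the original posts). The XML is a constructed, heavily simplified stand-in for the exported file, and the class and method names are made up for the example.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class EmailLookupPatch
{
    // Constructed, heavily simplified stand-in for the Email section of customizations.xml.
    const string Sample = @"<ImportExportXml><Entities><Entity><EntityInfo>
<entity Name=""Email"" unmodified=""1""><attributes>
  <attribute PhysicalName=""to"">
    <LogicalName>to</LogicalName>
    <displaynames><displayname description=""To"" languagecode=""1033"" /></displaynames>
  </attribute>
  <attribute PhysicalName=""from"" unmodified=""1"">
    <LogicalName>from</LogicalName>
    <LookupTypes>
      <LookupType id=""00000000-0000-0000-0000-000000000000"">8</LookupType>
      <LookupType id=""00000000-0000-0000-0000-000000000000"">2020</LookupType>
    </LookupTypes>
    <displaynames><displayname description=""From"" languagecode=""1033"" /></displaynames>
  </attribute>
</attributes></entity></EntityInfo></Entity></Entities></ImportExportXml>";

    static XElement Field(XDocument doc, string name) =>
        doc.Descendants("attribute").Single(a => (string)a.Element("LogicalName") == name);

    public static XDocument Patch(string customizationsXml)
    {
        var doc = XDocument.Parse(customizationsXml);

        // To: put <LookupStyle>single</LookupStyle> just above <displaynames>, once only.
        var toField = Field(doc, "to");
        toField.Elements("LookupStyle").Remove();
        toField.Element("displaynames").AddBeforeSelf(new XElement("LookupStyle", "single"));

        // From: drop unmodified="1" on the attribute and its entity element, then remove User (8).
        var fromField = Field(doc, "from");
        fromField.AncestorsAndSelf()
                 .Where(e => e.Name == "attribute" || e.Name == "entity")
                 .Attributes("unmodified").Remove();
        fromField.Descendants("LookupType").Where(t => t.Value.Trim() == "8").Remove();

        // Refuse to hand back a file whose From lookup is anything other than Queue (2020).
        var left = fromField.Descendants("LookupType").Select(t => t.Value.Trim()).ToArray();
        if (!left.SequenceEqual(new[] { "2020" }))
            throw new InvalidOperationException("From lookup types: " + string.Join(",", left));
        return doc;
    }

    static void Main()
    {
        Console.WriteLine(Patch(Sample));
    }
}
```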

Headless Authentication with Dynamics CRM online and External Web App which requires Client Secret

As promised, I am back with my second post on this topic. In my previous post, I showed you how to generate an authorization token for D365 online from a native console app using the Client_ID.

https://debajmecrm.com/2018/04/29/headless-authentication-with-dynamics-crm-online-web-api-without-user-login-screen-without-using-adal-part-i/

We did that using simple HttpWebRequest and Response and did not use ADAL (Active Directory Authentication Library) either.

Well, let’s dive deep here. Nothing big in my previous topic, as the same thing can be done using ADAL, and in a clean way as well. Then why use that construct?

We are talking of headless authentication here, which means authentication without user intervention. Using ADAL, it was fine to generate the token from a native console app using the Client ID. However, the situation becomes complex when we try to do the same from an external web application which requires the Client_Secret as well for generating the token.

So I created an ASP.NET web application and registered it in Azure. I got the client id and client secret after registering the web app. How to do that? Well, you have many wonderful blogs out there and I am not going to repeat the same.

Now comes the code part. Below is the code for the same. Look at the postData line to check how I am passing the client id and client secret.

My CRM URL is – https://xrm4u1.crm.dynamics.com

 

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using Newtonsoft.Json;

public string GetCRMToken()
{
    var azureTenantId = "xrm4u1.onmicrosoft.com";
    var clientId = "<client id of the Web app after registering in azure>";
    var clientSecret = "<client secret of the Web App after registering in azure>";
    var requestUrl = string.Format("https://login.microsoftonline.com/{0}/oauth2/token", azureTenantId);

    var url = "https://xrm4u1.crm.dynamics.com";
    var userName = "<username>";
    var password = "<password>";

    // Connect to the authentication server
    var request = (HttpWebRequest)WebRequest.Create(requestUrl);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";

    using (var reqStream = request.GetRequestStream())
    {
        // Client id and client secret go in as form fields. Every value is URL-encoded
        // so that characters such as '&' or '+' in a secret or password do not break the body.
        var postData = string.Format("client_id={0}&client_secret={1}&resource={2}&username={3}&password={4}&grant_type=password",
            Uri.EscapeDataString(clientId), Uri.EscapeDataString(clientSecret), Uri.EscapeDataString(url),
            Uri.EscapeDataString(userName), Uri.EscapeDataString(password));

        var postBytes = Encoding.ASCII.GetBytes(postData);
        reqStream.Write(postBytes, 0, postBytes.Length);
    }

    var accessToken = default(string);
    using (var response = (HttpWebResponse)request.GetResponse())
    using (var stream = response.GetResponseStream())
    {
        if (stream != null)
        {
            using (var reader = new StreamReader(stream))
            {
                var json = reader.ReadToEnd();

                // Here I am using Newtonsoft.json
                var dict = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
                accessToken = (string)dict["access_token"];
            }
        }
    }

    return accessToken;
}

And delight is when you get the access token back. Now with the access token in your hand, you have the trump card. You can query Web API and what not.

Great isn’t it? To be honest with my readers, after this method without using ADAL worked out in my previous post, I just tried out sending the client secret in exactly the same way and it worked like a charm. Serendipity you can say!

Hope this helps.

Debajit Dutta

(Dynamics MVP)


Headless Authentication with Dynamics CRM online Web API – Without using ADAL {Part-I}

Well, this topic has been discussed multiple times. And I myself have written a blog on how to do headless authentication (without user intervention) between the Dynamics CRM Online Web API and a native app (console app) – https://debajmecrm.com/2016/06/21/dynamics-crm-web-api-login-authentication-screen/

If you go through the above post, I have used ADAL (active directory authentication library) to query the authorization token and then use the authorization token to query the Dynamics CRM Web API. However there is a catch to this.

This headless authentication was only possible with native apps (console apps), since they just require the Client ID and do not require the Client Secret to generate the token. And hence I was not able to use this method to get the token from a web application, which would require the Client_Secret.

And while I was doing a training session on this recently, I was asked the question. Is there really no way? Is ADAL absolutely necessary?

Well, that sparked me. I decided to spend some time and dig deep. I tried to extend the AcquireToken method of ADAL, but to no avail. A lot of digging and I finally came up with this.

This is Part-I of this blog. Here I will first show you how to get the token from D365 online from a Native App like C# console APP. In the next blog I will show you how we can extend this to use for client_secret as well.

My CRM URL – https://xrm4u1.crm.dynamics.com

I am not going into detail on how to register an app in Azure and give it access to Dynamics CRM. There are so many wonderful blogs which explain it in detail. Below is the code to obtain the token without using any external libraries (ADAL or anything).

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using Newtonsoft.Json;

public string GetCRMToken()
{
    var azureTenantId = "xrm4u1.onmicrosoft.com";
    var clientId = "<client id of the console app after registering in azure>";
    var requestUrl = string.Format("https://login.microsoftonline.com/{0}/oauth2/token", azureTenantId);

    var url = "https://xrm4u1.crm.dynamics.com";
    var userName = "<username>";
    var password = "<password>";

    // Connect to the authentication server
    var request = (HttpWebRequest)WebRequest.Create(requestUrl);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";

    using (var reqStream = request.GetRequestStream())
    {
        // Every value is URL-encoded so that characters such as '&' or '+'
        // in the username or password do not break the form body.
        var postData = string.Format("client_id={0}&resource={1}&username={2}&password={3}&grant_type=password",
            Uri.EscapeDataString(clientId), Uri.EscapeDataString(url),
            Uri.EscapeDataString(userName), Uri.EscapeDataString(password));
        var postBytes = Encoding.ASCII.GetBytes(postData);
        reqStream.Write(postBytes, 0, postBytes.Length);
    }

    var accessToken = default(string);
    using (var response = (HttpWebResponse)request.GetResponse())
    using (var stream = response.GetResponseStream())
    {
        if (stream != null)
        {
            using (var reader = new StreamReader(stream))
            {
                var json = reader.ReadToEnd();

                // Here I am using Newtonsoft.json
                var dict = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
                accessToken = (string)dict["access_token"];
            }
        }
    }

    return accessToken;
}

 

Smooth isn’t it? No reference to ADAL. Just simple HttpWebRequest and response.
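
What both GetCRMToken versions (this post and the client-secret post above) leave out is the reply that is not a token: an added example, not the author's code, that form-encodes the request fields, surfaces the endpoint's error and error_description instead of failing on a missing access_token, and returns the expiry so the token can be cached rather than the password being posted for every call. It uses Json.NET as the posts do; the class and method names and all sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json.Linq;

static class TokenResponse
{
    // Form-encode each value so '&', '+', '=' or '%' inside a password or client secret
    // cannot split or alter the request body.
    public static string BuildBody(IEnumerable<KeyValuePair<string, string>> fields) =>
        string.Join("&", fields.Select(f =>
            Uri.EscapeDataString(f.Key) + "=" + Uri.EscapeDataString(f.Value)));

    // Returns the token and its UTC expiry, or throws with the endpoint's own error fields.
    // With HttpWebRequest a 4xx reply surfaces as WebException; read this JSON from ex.Response.
    public static (string Token, DateTime ExpiresUtc) Read(string json, DateTime nowUtc)
    {
        var body = JObject.Parse(json);
        var error = (string)body["error"];
        if (error != null)
            throw new InvalidOperationException(error + ": " + (string)body["error_description"]);

        var token = (string)body["access_token"];
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("Response has no access_token.");

        // expires_in is the lifetime in seconds; reuse the token until then.
        var seconds = long.Parse((string)body["expires_in"] ?? "0");
        return (token, nowUtc.AddSeconds(seconds));
    }

    static void Main()
    {
        // All values below are constructed samples.
        Console.WriteLine(BuildBody(new Dictionary<string, string>
        {
            ["client_id"] = "00000000-0000-0000-0000-000000000000",
            ["resource"] = "https://xrm4u1.crm.dynamics.com",
            ["username"] = "user@xrm4u1.onmicrosoft.com",
            ["password"] = "p&ss+w=rd %1",
            ["grant_type"] = "password",
        }));

        var ok = Read(@"{""access_token"":""constructed.token.value"",""expires_in"":""3599""}",
                      DateTime.UtcNow);
        Console.WriteLine(ok.Token + " valid until " + ok.ExpiresUtc.ToString("u"));

        try
        {
            Read(@"{""error"":""invalid_grant"",""error_description"":""constructed sample""}",
                 DateTime.UtcNow);
        }
        catch (InvalidOperationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```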

Hope you liked this.

In the next blog I will show you how to extend this to include the client secret and get the token even from a web application, which so many have been longing for for some time now.

 

Debajit Dutta

(Dynamics MVP)


{Quick Tip} Certificate disappearing in IIS of CRM server even after successful import.

Before I proceed with the post, let me clear this up. There is nothing special about the IIS server where CRM is installed. This applies to all IIS servers. However, being a devotee of Dynamics for quite some time now, I can’t write any post without tagging CRM to it.

So here I was working for a client with an on-premise 2016 version, and their certificate was about to expire. They needed to generate a CSR for a SAN certificate, as wildcard certificates are not allowed by most company policies.

So they used OpenSSL to generate the CSR. For readers who might be interested in knowing how to generate a SAN certificate using OpenSSL, https://geekflare.com/san-ssl-certificate/ provides a good example. And they got the certificate back from the Network team.

Now the D-day. They imported the certificate into the Personal store and also imported the certificate in IIS using the ‘Complete Certificate Request’ option. All set and good.

But the moment they tried to bind the certificate to the Dynamics CRM site, they could not find the certificate. They repeated the process, with the same behavior every time.

A bit of research and this is what comes up – “A certificate without private key information in it cannot be bound to an IIS website.”

But how to do it?

When you generate a CSR using OpenSSL, the private key is output to a file. Usually the name is “Private.Key”, unless you specified something else.

So you have the private key and the certificate separately. But how to bind the certificate with the Private key?

Follow the below steps

  • Copy the private key file and the certificate to the OpenSSL bin folder. Usually it is C:\OpenSSL-Win64 for 64 bit machines and C:\OpenSSL-Win32 for 32 bit machines
  • Open command prompt as administrator and navigate to the bin folder in the command prompt.
  • Run the below command

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile <CA certificate file>

Here certificate.pfx is the output certificate with the private key information, certificate.crt is the certificate you received from the Network team, and -certfile takes the file with any additional CA certificates to include in the .pfx (leave the option out if there are none).

Once the command completes successfully, you should be able to view certificate.pfx in the bin folder.

Now all set and done. You will now just need to import this certificate into IIS. But remember to use the “Import” option in the certificate window.

image
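
Two checks that catch this problem before the binding step, shown as an added example (not from the original post): whether a certificate carries a private key at all, and whether a given key is the one the certificate was issued for. A throwaway key and self-signed certificate are constructed in place of private.key and certificate.crt; the class and method names are made up, and the code assumes .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxKeyCheck
{
    // True when the certificate's public key is the public half of the given private key.
    public static bool KeyMatches(X509Certificate2 cert, RSA privateKey)
    {
        using (var certKey = cert.GetRSAPublicKey())
        {
            if (certKey == null) return false; // not an RSA certificate
            var a = certKey.ExportParameters(false);
            var b = privateKey.ExportParameters(false);
            return a.Modulus.SequenceEqual(b.Modulus) && a.Exponent.SequenceEqual(b.Exponent);
        }
    }

    static void Main()
    {
        // Constructed stand-ins: a throwaway key and self-signed certificate take the
        // place of private.key and the certificate.crt returned for the CSR.
        using (var csrKey = RSA.Create(2048))
        using (var otherKey = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=crm.example.test", csrKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            byte[] crt;
            using (var issued = request.CreateSelfSigned(
                       DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
                crt = issued.Export(X509ContentType.Cert); // public part only, like a .crt file

            using (var certOnly = new X509Certificate2(crt))
            {
                Console.WriteLine("crt alone has private key: " + certOnly.HasPrivateKey);
                Console.WriteLine("matches CSR key: " + KeyMatches(certOnly, csrKey));
                Console.WriteLine("matches other key: " + KeyMatches(certOnly, otherKey));

                // Same pairing that "openssl pkcs12 -export" performs: certificate + key -> PFX.
                using (var paired = certOnly.CopyWithPrivateKey(csrKey))
                {
                    var pfx = paired.Export(X509ContentType.Pfx, "constructed-password");
                    using (var reloaded = new X509Certificate2(pfx, "constructed-password"))
                        Console.WriteLine("pfx has private key: " + reloaded.HasPrivateKey);
                }
            }
        }
    }
}
```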

 

A rather off topic but hope it makes an interesting read.

 

Debajit Dutta

(Business Solutions MVP)


{Quick Tip} Why is my workflow not showing up in Workflow Profiler in Plugin Registration Tool

Recently I was conducting a training where I was demoing how to debug a custom workflow activity step using the profiler in the Plugin Registration Tool. So here I was explaining to them to first click on the “Profile Workflow” button in the Plugin Registration Tool. For starters, here it is in the screenshot below.

image

image

And as I said – “Select your workflow”, I suddenly see a hand raised informing me that he is not able to view the workflow created by him.

I verified with all the others, and they were able to see their respective workflows.

I just thought – “Must be some silly error.” But I was soon to be proved wrong.

Situations like this can be tough when they come up all of a sudden. But my memory came to my rescue this time. I realized that while playing with the workflow, he had changed the owner of the workflow to someone else. And hence the workflow was not showing up in the workflow profiler.

So remember, if you are profiling a workflow, make sure the user with whom you have logged in to the Plugin Registration Tool and the owner of the workflow are the same person. Otherwise the workflow simply won’t appear in the ‘Profile Workflow’ list.

Hope this helps and saves you some time before you waste couple of hours in this.

 

-Debajit Dutta (Dynamics MVP)


{Dynamics 365 Security Nuances} Can a user work with only team roles in Dynamics 365

Recently I was conducting a training in Dynamics 365 where I got the same question. Just a quick thought and the answer that comes to mind is “Yes”. After all,

a user’s security role is the sum of the security roles directly assigned to the user + the sum of the roles the user derives through its association with Teams (provided the teams are given security roles)

And here I was, with a user belonging to a team, and the team having a security role with all the right privileges assigned to make the user work in Dynamics.

When I assigned the role directly to the user and the user was not part of the team, it just worked fine. Now comes the other way round. I removed the user’s security role, assigned the same security role to a team and added the user to the team.

image

As you can see, the security role is having pretty much everything to access this account.

Login screen below after the user logged in.

image

 

Looks awesome isn’t it. The user can see accounts as expected. Just when you think that you have won the hearts of participants with your awesome understanding of Dynamics, Dynamics would throw a stick or two at you.

So I clicked on Account and this is what I get below.

image

That facepalm moment where you are just thinking, what just happened?

Now time for some recovery. When I click on Advanced find and try to access accounts, I could see them just fine.

image

 

You can even create/ read/ write and do all the fancy stuff as per the role privilege.

Now I just did this trick. I just created a dummy role with absolutely no privilege to any entity and added it to the user. And this time when I click on Sales –> accounts, it just works fine.

 

So next time when you are up to this, this can save you some awkward moments. Not sure if this is a bug or expected behavior, but it seems the problem is only with the Home Page grid. Even if I try to read/ write accounts with the user credentials programmatically using the SDK, it works fine.

For the home page grid to work, it requires a role to be assigned directly to the user.

 

Debajit Dutta (Dynamics MVP)
