Dynamics 365 Portal / PowerApps Portal Authentication with Azure Active Directory


Lately I have been working a lot on Dynamics 365 portals and also delivering some training on them. I don’t get much of a chance to work on Dynamics 365 portals (previously ADX portals), but when I get an opportunity, I make sure I don’t miss it.
And as I have been conducting training on CRM portals, I come across a lot of questions on authentication of Dynamics 365 portals with external identities like Azure Active Directory, Google and Facebook. In the interest of my blog readers I have decided to write down in detail how to configure such scenarios.


This blog will be a two-part series. In this post I will show you from scratch how to set up authentication of your Dynamics 365 portals with Azure Active Directory. In the next part I will show from scratch how to set up the same with a Google account.
First things first.

Launch a trial of Customer Portal for your Dynamics CRM. It’s pretty easy and I assume you know how to do this. If not, there are plenty of awesome articles that show how to do it. One of them is http://dynamicscrmcoe.com/install-dynamics-365-portals/
OK. So we have our CRM portal set up.
The following are my details:
Portal URL – https://xrmtr1.microsoftcrmportals.com
CRM URL – https://xrmtr50.crm8.dynamics.com
The first time you launch the portal and try to sign in, you are presented with the sign-in screen.
Because we are going to register the user with Azure AD, click on the Register tab.
OK. So we already have a button called ‘Azure AD’ for registering the user. However, as I told you, we will do it from scratch. So we will place our own custom button which, when clicked, will authenticate with our Azure Active Directory. And in case you are wondering, the Azure Active Directory will be a different domain from our Dynamics CRM domain (xrmtr50.onmicrosoft.com) for which the portal is configured.
So let’s go with the set-up.
Step 1: Register your Dynamics 365 Portal application with Azure Active Directory.
Log in to your Azure subscription at https://portal.azure.com and search for Azure Active Directory.
Click on App Registrations and then ‘New Application Registration’.


Enter the details as required.
Name of the application – “Customer Portal Identifier”. This can be any name you desire.
Application Type – Select Web app / API.
Sign-on URL – Enter the URL of your D365 portal. In my case it is https://xrmtr1.microsoftcrmportals.com
Click on the Create button.
Once done, you should see your app listed.
Click on the application. You will see the Application ID. Note it down. We are going to use it later.
Click on Endpoints.
Take your federation metadata URL.
The federation metadata URL looks like this:
https://login.windows.net/95564beb-4dc8-43c2-bdda-12cea2056346/federationmetadata/2007-06/federationmetadata.xml
Remove the federation metadata part of the path (/federationmetadata/2007-06/federationmetadata.xml) and note the remaining URL. It will be in this format: https://login.windows.net/95564beb-4dc8-43c2-bdda-12cea2056346
Note it down. We are going to use it in the next step.


Step 2: Set up the Site Settings to authenticate with our custom Azure AD.
Open your CRM and go to Portal –> Site Settings.
Click on New to create a new Site Setting.
Carefully observe the name field – Authentication/OpenIdConnect/Azure AD Custom/Authority. The ‘Azure AD Custom’ part is the custom provider name that you want to show up in the portal.
In the value field, put the URL we got from the previous step.
Save & Close this.
Click New to create a new Site Setting.
Here we are putting the Client ID. Put the same Client ID (the Application ID noted in Step 1) that we got when we registered our CRM Portal with Azure AD.
Now click New one last time to create the third Site Setting.
Here we are setting the Redirect URL. This is the URL that will be called back once the authentication is successful. In this case it’s our D365 Portal.
Save & Close.
So we are all set.
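The two steps above come down to three Site Settings for one provider. The Python sketch below is an added example, not code from the original post: it derives the Authority from the federation metadata URL and sanity-checks the other two values before you type them into CRM. The ClientId and RedirectUri setting names are assumed to follow the same Authentication/OpenIdConnect/<provider>/ pattern as the Authority setting (the post's screenshots are not available), the Application ID is a constructed placeholder, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Path Azure AD appends to the tenant URL for federation metadata (from the post).
FEDERATION_SUFFIX = "/federationmetadata/2007-06/federationmetadata.xml"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def authority_from_metadata_url(metadata_url):
    """Strip the federation metadata path and return the tenant Authority URL."""
    parts = urlsplit(metadata_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("federation metadata URL must be an absolute https URL")
    if not parts.path.lower().endswith(FEDERATION_SUFFIX):
        raise ValueError("URL does not end with the federation metadata path")
    tenant = parts.path[: -len(FEDERATION_SUFFIX)].strip("/")
    if not GUID_RE.match(tenant):
        raise ValueError("expected a single directory (tenant) GUID in the path")
    return f"https://{parts.netloc}/{tenant}"


def build_site_settings(provider, metadata_url, client_id, portal_url):
    """Return the three Site Settings (name -> value) for one custom provider."""
    if not provider.strip() or "/" in provider:
        raise ValueError("provider name must be non-empty and contain no '/'")
    if not GUID_RE.match(client_id):
        raise ValueError("Application (client) ID must be a GUID")
    portal = urlsplit(portal_url)
    if portal.scheme != "https" or not portal.netloc:
        raise ValueError("redirect URL must be an absolute https URL")
    prefix = f"Authentication/OpenIdConnect/{provider}"
    return {
        f"{prefix}/Authority": authority_from_metadata_url(metadata_url),
        f"{prefix}/ClientId": client_id,        # assumed setting name
        f"{prefix}/RedirectUri": portal_url,    # assumed setting name
    }


if __name__ == "__main__":
    settings = build_site_settings(
        "Azure AD Custom",
        "https://login.windows.net/95564beb-4dc8-43c2-bdda-12cea2056346"
        "/federationmetadata/2007-06/federationmetadata.xml",
        "00000000-0000-0000-0000-000000000000",  # constructed placeholder
        "https://xrmtr1.microsoftcrmportals.com",
    )
    for name, value in settings.items():
        print(f"{name} = {value}")
```

A value that fails these checks (an http redirect URL, or a metadata URL with no tenant GUID in it) is worth fixing before it is saved, because the portal will send sign-in traffic to whatever Authority and Redirect URL the settings hold.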
Now come to the login screen again and voila! Your new button is right there.
Click on the button, and you will be redirected to the login screen.
Once you enter the credentials of a user who belongs to your Azure Active Directory, you are registered in the portal.
You will be asked to accept.
Once done, you will be logged in.
Wonderful, isn’t it?
In my next post I walk in depth through configuring your D365 portals with a Google account. Here is the link:
https://debajmecrm.com/dynamics-365-portal-authentication-with-external-identities-part-ii-authentication-with-google-account/

Hope you like this.
Debajit Dutta

(Dynamics MVP)

18 thoughts on “Dynamics 365 Portal/ powerapps portal Authentication with Azure Active Directory”

  1. Hi Debajit,
    Is it possible for CRM to authenticate against multiple directories? We have internal users who will need to use our CRM instance, as well as external. They will need to be fully licensed users. There will be around 1000 external users across 30 different organisations – any ideas on the best way to manage these accounts?
    Thanks

    1. Hi Jay Harper. Sorry for the late reply as I am mostly on the road these days. I assume this might be tricky. CRM can be set up to trust multiple directories using ADFS. However, coming to the ADX portal, it can accept a SAML endpoint, but redirecting based on who is logging in might be difficult. I haven’t tried it though. I will give it a shot though.

  2. Siddhartha Yadav

    Hi Debajit, This was really helpful. I have a question on Self Registration using Azure AD, how can we create an Approval process for registration request and user should get Portal access only after Request is approved?

  3. Hi Debajit,
    The Sign up page of my ADX customer portal always prompts an error every time I click on it. I have uninstalled and reinstalled the portal severally but the problem persists. This is really frustrating as customers can not easily sign up. Please, I would appreciate any suggestion to help solve this.

      1. Here it is;
        ” We’re sorry, but something went wrong. Error ID # [ad76f312-5c39-4a9e-b465-5f80e35b2765]
        Exception of type ‘System.Web.HttpUnhandledException’ was thrown.
        We’ve been notified about this issue and we’ll take a look at it shortly. Thank you for your patience ”
        The above error comes up every time I click on the register tab of the sign in page.

        1. Hi Chris,
          Sorry for the delayed reply as I was travelling. Check for the below settings in CRM -> Portal – Site Settings
          Authentication/Registration/OpenRegistrationEnabled. This should be set to true
          Additionally you can have Authentication/Registration/InvitationEnabled and Authentication/Registration/EmailConfirmationEnabled as true/ false depending on the requirement.
          -Debajit

  4. Hi Debajit,
    Thanks for a very interesting post. I have a question for you that I haven’t found an answer for yet. Do you know if it is possible for a contact in CRM to use their “azure ad guest account” in our domain to log in to our Dynamics 365 portal?

    1. Hi Tobias,
      Thanks for reading my blog post. I think it is possible using Azure AD B2B Collaboration. Basically the idea is to send an invitation as a guest user to the contact from Azure AD, and when the contact redeems it, an Azure AD account will seamlessly be created for them.
      -Debajit

    2. Hi Chris,
      Yes it is possible to create Guest Accounts from your Azure AD and once they accepted the invitation; a Microsoft account will be created in your Azure AD Portal which Your AAD Admin/License Admin personnel will utilize to assign the License of the required products.
      Regards

  5. Hi Debajit, a most educational post. We are currently looking into setting up SSO for AX Operations, for a customer with an Azure AD fully synched with their On-Prem AD… no luck so far. Any experiences with this you could share with us?
    \\Per-Erik

    1. Hi Per-Erik,
      I hope it got resolved. In case not, could you please let me know about your single sign on architecture, is it federated?
      -Debajit

  6. Jeevan Kumar Balija

    Hi Debajit,
    I have configured Azure AD B2C for one of my client’s portal, all seems to work ok except the registration, the registration is happening in 2 steps.
    1. Sign in with Invitation code
    2. Sign up for Azure B2C via Manage External authentication.
    If I directly try to sign up with B2C, sign up is successful but it redirects me to the redeem page to enter the invitation code. Do you have any idea how to make this signup process a single step? We need Azure B2C authentication.
    Thanks

  7. Debajit,
    Thank you for a great post. I went through it and it worked without any issue.
    I wonder if you can answer my question. I have created another login button but now I don’t need it and so I have deleted all the entries from CRM and Azure AD. However, the button remains even if I clear the cache.
    Do you know what I need to do to remove it?
    Thanks,
    Hajime

      1. Debajit,
        Thank you for your quick reply with the information. It is corrected by disabling the entire external authentication and then enabling it back. It’s strange, but the system must have captured the site setting and didn’t release it until you forced it to go through re-evaluation (checking the external login setting by disabling and enabling it).
        Well, it is fixed and good to know how to solve the issue.
        Thank you so much!!!
        Hajime
