The following must be available and configured before the installation process begins.
|1||Create an Office 365 user as the Work 365 service account (ie. email@example.com)||This must have a Dynamics 365 Customer Engagement license assigned, and MFA enabled.|
|2||User in step 1 requires temporary Global Admin permissions.||The Global Admin permissions for this user is only required for the consent process and can be unassigned after the consent has been completed.|
|User in step 1 requires the System Administrator role in Dyn 365.||Users must log into CRM using the Work 365 Service Account credentials to install and complete the consent process for Work 365. Once these steps are completed the System Admin security role can be removed.|
|4||Enable the English Language in CRM||Work 365 supports multiple languages; in the backend infrastructure, English is required. Enabling English as a language in CRM ensures all backend processes can run without issues.|
|5||Installing Work 365||Login to CRM as the Work 365 Service Account to install the application. Note the Service Account will need temporary System Administrator permissions to complete this task.|
|6||Work 365 Service account should have the ‘Work 365 Admin’ Field Security Profile assigned.||After Work 365 is installed and the consent completed, assign the Field Security Profile. Certain privileged fields are secured in Work 365 using a Dynamics 365 Field Security Profile called ‘Work 365 Admin’. Steps detailed here.|
|7||Work 365 Service Account should have Work 365 Sales security role Assigned||After Work 365 is installed and the consent completed, assign the Work 365 Sales security role to the service account.|
|8||For 1-Tier (Direct Bill) partners only:
· A separate account in Partner Center (aka Integration Account) should be created.
· A ‘Native App’ in the Partner Center should be available.
|The integration account with Partner Center should be assigned an ‘Admin Agent’ role in the Partner Center. MFA for this account must be enabled. A Dynamics 365 license for this account is not required.
More information available at:
Prepare for MFA enablement of the tenant
If your tenant has Azure AD Premium Plan 1 (or higher) or Enterprise Security + Mobility (EMS) plans, it is highly recommended to assign these licenses to your users before proceeding with MFA enablement. The planning and rollout of MFA across your tenant are not in the scope of this article. Work with your IT team to plan and deploy MFA across the organization.
Enable MFA Policies
Work with your IT team to ensure that you are compliant with the Microsoft security requirements coming into effect on August 1, 2019. More information on this can be obtained from https://docs.microsoft.com/en-us/partner-center/partner-security-requirements and https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq
The policies may take a few minutes to kick in and hence it is advised to wait for about 5-10 minutes after enabling any policies on the Azure AD tenant and before proceeding with the next steps on the Work 365 install.
- Register MFA for the Work 365 service account by navigating to https://aka.ms/mfasetup and following the instructions therein.
- Register MFA for the account with which the next steps will be carried out (Global Administrator account)