Version 2.5 of Work 365 is a mandatory update that must be installed for your organization to remain compliant with Microsoft’s security policy mandates and MFA requirements that come into effect 1st August 2019.
While Work 365 has been compliant to the Secure App Model for PartnerCenter integration since version 2.1, released February 2019, this update extends this model to the Dynamics 365 connection; which will be affected by the security policy updates.
Note for organizations currently on v2.1 or lower
If you are upgrading from version 2.1 or lower AND have the portal solution installed, you will need to uninstall the portal solution first, upgrade to v2.5 and then reinstall the latest version of the portal solution.
The diagram above illustrates the overall process and covers activation of the Microsoft security mandates as well as installation and post-installation configuration of Work 365.
Schedule a down-time window
Work 365 version 2.5 changes the way connections are established with Dynamics CRM. Hence pending background processes (e.g.: Work 365 Jobs) may fail to post the upgrade. Therefore, please schedule a Work 365 activity freeze and check that all pending Work 365 Jobs are completed (either failed or success) before commencing the upgrade process.
Prepare for MFA enablement of the tenant
If your tenant has Azure AD Premium Plan 1 (or higher) or Enterprise Security + Mobility (EMS) plans, it is highly recommended to assign these licenses to your users before proceeding with MFA enablement.
Pre-requisites for v2.5 Upgrade
The following must be readily available or already configured before the above process can begin.
|1||Availability of tenant ‘Global Administrator’ credentials with ‘System Administrator’ role in Dynamics 365.||The global administrative privileges are required to enable the MFA policies and to give organization-wide consent for the Work 365 app.|
|2||User in step 1, should have a Dynamics 365 license assigned.||The license is only required for the upgrade and can be unassigned after the installation has completed.|
|3||Work 365 Service account should have the ‘Work 365 Service’ role assigned.||If you are upgrading from a solution that does not have the ‘Work 365 Service’ role in Dynamics CRM, you can do this after the “Install Work 365 v2.5” step in the upgrade process.|
|4||Ensure that there are no pending Work Jobs.||Wait for the pending Jobs to complete before the upgrade begins. Work Jobs that are not completed may fail after the upgrade.|
Enable MFA Policies
MFA Policies can be enabled in a number of different ways. More information on this can be obtained from https://docs.microsoft.com/en-us/partner-center/partner-security-requirements and https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq
Before installing Work 365 v2.5,
- Register MFA for the Work 365 service account by navigating to https://aka.ms/mfasetup and following the instructions therein.
- Register MFA for the account with which the next steps will be carried out (Global Administrator account)
Install Work 365 v2.5
Installation of Work 365 v2.5 is the same as installation/upgrade of the previous versions of Work 365. The high-level steps are provided below. Please note that these steps MUST be executed as a user with tenant Global Administrator AND Dynamics 365 System Administrator roles. This user MUST also have a Dynamics 365 Customer Engagement license assigned.
- Obtain the copy of the latest solution file (see the Help & About page in your current version of Work 365).
- Navigate to Settings ➤ Solutions
- Click on the Import button
- Select the Work 365 v2.5 solution file
- Complete the solution import file as performed earlier with one exception.
- Do not click the Upgrade button at the end of the solution install process. The upgrade initialization process will be completed after the (re)consent process.
Complete Registration Process
Please note that these steps MUST be executed as a user with tenant Global Administrator AND Dynamics 365 System Administrator roles. This user MUST also have a Dynamics 365 Customer Engagement license assigned.
1) If upgrading from a previous version, skip this step and go to Step 2.
If installing Work 365 for the first time, a screen as below will be presented. Fill in the details and click the Submit button to have the Work 365 license generated. Connect with your account manager to obtain the correct license key.
2) Click the Get Consent button.
3) A sign-in prompt is presented. Login with Global Administrator credentials. MFA registration options may be presented, which should be completed.
4) Review and accept the permissions requested by Work 365 – this is the same permission set as before.
5) This step is only for new installs and does not appear when upgrading from an older version. Complete the registration form. The Organization Name is available on the screen in the background (see step 2). Select the right Time-Zone for the organization. Click Submit.
6) Copy the link presented. The link icon provides a short-cut to copy this link to the clipboard. Please note that this link is valid for only for 15 minutes. If the link expires, the process may be restarted from step 1 under the Complete Registration Process section.
Complete Consent & Initialization Process
Please note that these steps MUST be executed as the Work 365 service account. This account MUST have the Work 365 Service role assigned in Dynamics 365. This account MUST have a Dynamics 365 Customer Engagement license assigned. This license assignment cannot be revoked.
1) Open a new browser window, preferably in Incognito / InPrivate mode. Navigate to the link copied over from the previous step. A login prompt will be presented. Enter the credentials of the Work 365 service account.
2) MFA authorization maybe prompted. If so, enter the MFA challenge requested.
3) Upon successful verification of credentials, the following page will be presented. Click the Begin Upgrade button to commence the upgrade process.
4) Wait for the upgrade process to be completed. Do not close the browser window or navigate to another page.
5) The upgrade process is completed when a screen like below is shown.
Congratulations! The Work 365 upgrade process was completed successfully!
Re-consent for each PartnerCenter
For Indirect resellers, there no additional steps are required. For Direct Partners, then each Partner Center will require to reconsent, as the MFA policies were recently applied.
For the PartnerCenter connected to the primary tenant, follow the instructions in the Configuring the Partner Center using the Consent Framework section at https://help.work365apps.com/documentation/billing/configuring-microsoft-partnercenter-provider/
For PartnerCenters that are not connected to the primary tenant,
- MFA baseline policies must first be enabled in those tenants using the steps in the Enable MFA Policies section in this article.
- Once the MFA policies are in place, follow the instructions in the Configuring the Partner Center using the Consent Framework section at https://help.work365apps.com/documentation/billing/configuring-microsoft-partnercenter-provider/
When reconsenting for PartnerCenter providers, do not create new providers or change settings on the existing providers; instead, follow the steps after Generate Consent Link appears in the above article.