
Setting Up Customer Azure AD Integrated Logins for your Dynamics 365 Portal

October 12, 2018, October 31, 2018

Dynamics 365 portals support a variety of authentication schemes and are configured by default with a custom (forms-based) login scheme and an Azure AD integrated login scheme. However, the default Azure AD login scheme works only against the Azure AD tenant that owns the portal.

This article shows how to configure your Dynamics 365 portal to work with your customer’s or partner’s Azure AD without having to add them as guest users in your own Azure AD.

Pre-requisites

Performing this task will require the following:

  • Portal Owner privileges
  • Global Admin privileges on the tenant

Time required

The steps outlined in this task will take approximately 15 minutes.

Additional Notes

If you configure a custom domain and/or change your portal Base URL, these steps will need to be re-run, specifically step 3 (the Reply URLs must match the new URLs exactly).

Procedure

1. Open the Microsoft Azure AD portal and log in as a Global Administrator. Once logged in, click on the “App registrations” menu, then click on the “+ New application registration” option.

The URL for Microsoft Azure AD portal is https://aad.portal.azure.com/

[Screenshot: App Registration]

2. Enter a suitable name for your app registration. Select the Application type as “Web app / API” and enter your portal’s Base URL as the Sign-on URL; then click the “Create” button.

The Base URL of your portal is the one that fits the https://*.microsoftcrmportals.com pattern. This remains the Base URL even if you have configured a custom domain for your portal.

[Screenshot: Create Custom Domain]

3. Once the application is created, click the “Settings” button on the application and then click the “Reply URLs” menu.

Enter the Base URL of your portal and any other custom URLs that you have configured for your portal. For each URL you enter, add one additional entry consisting of that URL followed by /signin-oidc.

Click the “Save” button once done. Note the “Application ID” – this will be required later.

[Screenshot: Reply URL]

4. Click the “Properties” menu. Change the “Multi-tenanted” option to “Yes”. You may specify other options and/or upload a custom logo. These will be shown when the user is prompted for consent.

Click the “Save” button once done.

[Screenshot: Multi-tenanted Properties]

5. Open Dynamics 365 and navigate to Portals -> Site Settings.

[Screenshot: Navigate to Site Settings]

Create the following Site Setting entries for this entity.

Name                                                                Value
Authentication/OpenIdConnect/CustomerAzureAD/Authority              https://login.windows.net/common
Authentication/OpenIdConnect/CustomerAzureAD/Caption                Customer Login
Authentication/OpenIdConnect/CustomerAzureAD/ClientId               [Use Application ID noted in step 3]
Authentication/OpenIdConnect/CustomerAzureAD/ExternalLogoutEnabled  True
Authentication/OpenIdConnect/CustomerAzureAD/IssuerFilter           https://sts.windows.net/*/
Authentication/OpenIdConnect/CustomerAzureAD/RedirectUri            [See Notes below]
Authentication/OpenIdConnect/CustomerAzureAD/ValidateIssuer         False

Notes:

6. Navigate to the Sign In page of your portal. You should see a button called “Customer Login”.

[Screenshot: Customer Login]

7. Click on the “Customer Login” button and sign in with an Azure AD account (Work or School account) that is not part of your own Azure AD. A consent form is presented the first time a user from that organization logs in. If the user has administrative privileges in their tenant, they can choose to “Consent on behalf of the organization”, which suppresses the consent prompt for other users from that organization.

Upon completing the consent, the user is either logged into the portal (if ‘OpenRegistrationEnabled’ is set to True – see the Additional Configuration Parameters section below) or redirected to the invitation redemption page.

[Screenshot: Permission Requested]

8. Congratulations! Your Dynamics 365 Portal is now configured to work with your customers’ Azure AD.
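The settings in step 5 are deliberately permissive: the Authority points at the /common endpoint, ValidateIssuer is False and the IssuerFilter is a wildcard over every Azure AD tenant, so the portal relies on invitations (OpenRegistrationEnabled = False) to decide who actually gets an account. The following is an added example, not code from the article or from Dynamics 365, showing what those settings leave to the portal and how a defender can layer a tenant allow list on top. It assumes the wildcard in the IssuerFilter stands for exactly one path segment (the tenant GUID), which the article does not document, and it assumes the token's signature and audience have already been validated; the claims and tenant IDs are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Site settings copied from step 5 of the article.
ISSUER_FILTER = "https://sts.windows.net/*/"
AUTHORITY = "https://login.windows.net/common"

GUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def issuer_filter_regex(pattern: str) -> "re.Pattern":
    """Translate the wildcard IssuerFilter into an anchored regular expression.

    Assumption (not stated on the page): each '*' matches exactly one path
    segment, so a tenant GUID matches but extra path components, a different
    host, or a look-alike host such as sts.windows.net.evil.example do not.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^/]+".join(literal_parts) + "$")


def issuer_matches_filter(issuer: str, pattern: str = ISSUER_FILTER) -> bool:
    """True when the token's iss claim satisfies the IssuerFilter."""
    return issuer_filter_regex(pattern).match(issuer) is not None


def tenant_from_issuer(issuer: str) -> Optional[str]:
    """Return the tenant GUID embedded in an Azure AD v1 issuer, or None."""
    m = re.fullmatch(r"https://sts\.windows\.net/(" + GUID_RE + r")/", issuer, re.IGNORECASE)
    return m.group(1).lower() if m else None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_token_claims(claims: Dict[str, str], allowed_tenants: Optional[Set[str]]) -> Decision:
    """Decide whether an already signature-checked token should be accepted.

    With Authority = /common and ValidateIssuer = False, the article's setup
    accepts any tenant whose issuer matches the wildcard filter; pass
    allowed_tenants=None to reproduce that behaviour. Passing a set of tenant
    GUIDs adds the allow-list check that the article itself does not configure.
    """
    iss = claims.get("iss", "")
    tid = claims.get("tid")
    if not issuer_matches_filter(iss):
        return Decision(False, f"issuer {iss!r} does not match {ISSUER_FILTER}")
    tenant = tenant_from_issuer(iss)
    if tenant is None:
        return Decision(False, f"issuer {iss!r} carries no tenant GUID")
    # The tid claim and the issuer must name the same tenant.
    if tid is not None and tid.lower() != tenant:
        return Decision(False, "tid claim does not match the issuer's tenant")
    if allowed_tenants is not None and tenant not in allowed_tenants:
        return Decision(False, f"tenant {tenant} is not on the allow list")
    return Decision(True, f"tenant {tenant} accepted")


# Constructed sample claims: a user from a hypothetical customer tenant.
CUSTOMER_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLAIMS = {
    "iss": f"https://sts.windows.net/{CUSTOMER_TENANT}/",
    "tid": CUSTOMER_TENANT,
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder for the Application ID from step 3
    "upn": "user@customer.example",
}

if __name__ == "__main__":
    print("article's settings  :", evaluate_token_claims(SAMPLE_CLAIMS, None))
    print("with allow list     :", evaluate_token_claims(SAMPLE_CLAIMS, {CUSTOMER_TENANT}))
    print("tenant not allowed  :", evaluate_token_claims(SAMPLE_CLAIMS, {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}))
    print("look-alike issuer   :", issuer_matches_filter("https://sts.windows.net.evil.example/x/"))
```

The allow list belongs in your own portal-side logic or in an API that the portal calls, since the Site Settings on the page only express the wildcard; when you do know your customers' tenant IDs in advance, narrowing the filter to those exact issuers is the lower-maintenance equivalent.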

Additional Configuration Parameters

Some additional, relevant options to consider under Portal Site Settings:

Authentication/Registration/AzureADLoginEnabled
  Recommended value: True
  Enables users from your own Azure AD to log in. Changing this value affects the visibility of the “AzureAD” button on the sign-in page.

Authentication/Registration/LocalLoginEnabled
  Recommended value: False
  Enables or disables custom forms-based logins.

Authentication/Registration/OpenRegistrationEnabled
  Recommended value: False
  If False, the portal only allows logins via invitations. If True, anyone can sign up for the portal.

