Dynamics 365 Portals

Microsoft Dynamics 365 Portals: Azure AD Authentication + Redeem Invitation End to End Process Set Up

If you need to set up Azure AD authentication for the portal, with portal users matched to existing CRM contacts because the business rules do not allow new contacts to be created in CRM, please read the article below. I wish someone had written it for me 🙂

The Requirements

R1. Set up Microsoft Dynamics 365 Portal to authenticate with Azure AD.

R2. Only invited users are allowed to authenticate to the portal.

R3. Only existing CRM contacts can be associated with portal visitors. Creating new contacts via the registration/authentication process is not allowed in the system.

How to Find the Portal Settings?

In the top menu: Portals -> Site Settings.

General documentation on the authentication settings:

https://www.microsoft.com/en-us/dynamics/crm-setup-and-administration/set-authentication-identity-for-a-portal.aspx

R1. Set Up / Check the Azure Active Directory Settings for the Portal

The text below is copied from this article:

https://www.microsoft.com/en-us/dynamics/crm-setup-and-administration/ws-federation-provider-settings-for-portals.aspx

…

  1. To get started sign into the Azure Management Portal and create or select an existing directory. When a directory is Under the Applications menu of the directory, click the Add button
  2. Choose Add an application my organization is developing
  3. Specify a custom name for the application and choose the type web application and/or web API
  4. For the Sign-On URL and the App ID URI, specify the URL of the portal for both fields https://portal.contoso.com/
  5. This corresponds to the Wtrealm site setting value
  6. At this point, a new application is created. Navigate to the Configure section in the menu
  7. Under the single sign-on section, update the first Reply URL entry to include a path in the URL http://portal.contoso.com/signin-azure-ad
  8. This corresponds to the Wreply site setting value
  9. Click Save in the footer
  10. In the footer menu click the View Endpoints button and note the Federation Metadata Document field
  11. This corresponds to the MetadataAddress site setting value
  12. Paste this URL in a browser window to view the federation metadata XML and note the entityID attribute of the root element

  13. This corresponds to the AuthenticationType site setting value

Note

A standard Azure AD configuration only uses the following settings (with example values):

  • Authentication/WsFederation/ADFS/MetadataAddress – https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/federationmetadata/2007-06/federationmetadata.xml
  • Authentication/WsFederation/ADFS/AuthenticationType – https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/
    (Use the value of the entityID attribute in the root element of the Federation Metadata: open the MetadataAddress URL from the setting above in a browser.)
  • Authentication/WsFederation/ADFS/Wtrealm – https://portal.contoso.com/
  • Authentication/WsFederation/ADFS/Wreply – https://portal.contoso.com/signin-azure-ad

In my case these were set up for me automatically by the portal set-up process.

What you may want to do is find the entityID to add to your settings. Run Advanced Find to locate the External Identity record that was set up automatically for the portal administrator.

In my case the entityID is 3ff6cfa4-e715-48db-b8e1-0867b9f9fba3, so my settings will be:

R3. Redeem Invitation

As described in one of the portal articles, any type of authentication can be combined with the invitation process, which allows us to match an existing CRM contact to the portal visitor without creating a new CRM contact. Thank you very much, @Leon Tribe!

https://www.microsoft.com/en-us/dynamics/crm-setup-and-administration/set-authentication-identity-for-a-portal.aspx

Note

Register and invite for a portal

Redeeming an invitation code allows a registering visitor to be associated to an existing contact record that was prepared in advance specifically for that visitor. Typically, the invitation codes are sent out by email, but a general code submission form is available for codes sent through other channels. After a valid invitation code is submitted, the normal user registration (sign-up) process takes place to set up the new user account.

Related Site Settings:

  • Authentication/Registration/InvitationEnabled

Related Processes:

  1. Create invitation for a new contact
  2. Customize and save the new invitation
  3. Process: Send Invitation
  4. Customize the invitation email
  5. Invitation email opens the redemption page
  6. Sign-up using the submitted invitation code

R2 / R3. Check Your Settings

The highlighted setting wasn't in the list of portal settings available by default; I've added it. If it is set to true, any Azure AD user who has not been invited can register on the portal, and a new contact will be created for them in CRM.
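As an added example (not code from the original post, from Microsoft, or from the portal product), the script below does in code what the R1 section and this check describe by hand: it reads the entityID from the root element of a federation metadata document, derives the four WsFederation site settings from the tenant id and the portal URL, and then audits an exported list of site settings against them and against the invitation requirements. The metadata XML is a constructed stand-in that only mimics the root element of the real document; the tenant id is the one quoted above; the portal URL is Microsoft's contoso placeholder; and the setting the post calls "highlighted" is assumed here to be Authentication/Registration/OpenRegistrationEnabled, which the post itself does not name. The audit treats that setting as a finding when it is absent, because the post's point is that it had to be added explicitly.

```python
"""Derive and audit Dynamics 365 portal Azure AD site settings.

Added example, not part of the original post. Assumptions (not from the page):
SAMPLE_METADATA is a constructed stand-in for the federation metadata document,
and the post's "highlighted" setting is taken to be
Authentication/Registration/OpenRegistrationEnabled.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PREFIX = "Authentication/WsFederation/ADFS/"

# Tenant id quoted in the post; the XML is constructed, only the root element matters.
TENANT_ID = "3ff6cfa4-e715-48db-b8e1-0867b9f9fba3"
SAMPLE_METADATA = (
    f'<EntityDescriptor xmlns="{SAML_MD_NS}" ID="_sample" '
    f'entityID="https://sts.windows.net/{TENANT_ID}/">'
    "<RoleDescriptor/></EntityDescriptor>"
)


def entity_id_from_metadata(xml_text: str) -> str:
    """Return the entityID attribute of the metadata root (step 12 of the R1 list)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("root element has no entityID attribute")
    return entity_id


def expected_settings(tenant_id: str, portal_url: str, metadata_xml: str) -> dict:
    """Build the four WsFederation site settings the post lists under R1."""
    realm = portal_url.rstrip("/") + "/"          # Wtrealm ends with a slash
    return {
        PREFIX + "MetadataAddress": (
            f"https://login.microsoftonline.com/{tenant_id}"
            "/federationmetadata/2007-06/federationmetadata.xml"
        ),
        PREFIX + "AuthenticationType": entity_id_from_metadata(metadata_xml),
        PREFIX + "Wtrealm": realm,
        PREFIX + "Wreply": realm + "signin-azure-ad",
    }


def audit_site_settings(actual: dict, expected: dict) -> list:
    """Compare exported site settings with the expected values and the R2/R3 rules."""
    findings = []
    for name, value in expected.items():
        if actual.get(name) != value:
            findings.append(f"{name}: expected {value!r}, got {actual.get(name)!r}")

    wreply = urlparse(actual.get(PREFIX + "Wreply", ""))
    wtrealm = urlparse(actual.get(PREFIX + "Wtrealm", ""))
    if wreply.scheme != "https":                   # the token is posted back to Wreply
        findings.append("Wreply must be an https URL")
    if wreply.netloc != wtrealm.netloc:
        findings.append("Wreply host differs from Wtrealm host")

    invited = actual.get("Authentication/Registration/InvitationEnabled", "")
    if invited.lower() != "true":
        findings.append("Authentication/Registration/InvitationEnabled should be true (R2)")
    open_reg = actual.get("Authentication/Registration/OpenRegistrationEnabled")
    if open_reg is None:
        findings.append("OpenRegistrationEnabled is absent: add it explicitly and set it to false (R3)")
    elif open_reg.lower() != "false":
        findings.append("OpenRegistrationEnabled is true: uninvited users would create new contacts (R3)")
    return findings


def good_settings() -> dict:
    """Constructed export matching the post's requirements."""
    settings = expected_settings(TENANT_ID, "https://portal.contoso.com", SAMPLE_METADATA)
    settings["Authentication/Registration/InvitationEnabled"] = "true"
    settings["Authentication/Registration/OpenRegistrationEnabled"] = "false"
    return settings


def bad_settings() -> dict:
    """Constructed export with an http Wreply and the open-registration setting missing."""
    settings = good_settings()
    settings[PREFIX + "Wreply"] = "http://portal.contoso.com/signin-azure-ad"
    del settings["Authentication/Registration/OpenRegistrationEnabled"]
    return settings


if __name__ == "__main__":
    expected = expected_settings(TENANT_ID, "https://portal.contoso.com", SAMPLE_METADATA)
    for label, export in (("good", good_settings()), ("bad", bad_settings())):
        print(label, audit_site_settings(export, expected) or "no findings")
```

Running the script reports no findings for the first export and three for the second (the Wreply mismatch, the non-https Wreply, and the missing open-registration setting). In practice you would replace SAMPLE_METADATA with the document fetched from your own MetadataAddress and the constructed exports with the real site settings pulled from CRM.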

The Whole Process

We set up a workflow that generates the invitations for the marketing-list contacts, and a ClickDimensions email template with the link to the portal registration page.

This is the email I received.

When I click on the link, it takes me to the registration page with the Invitation Code pre-populated.

When I click on Register, it redirects me to the Azure AD login page, which allows me to login with my Azure AD credentials.

And I am logged in to the portal as Olena, which matches the existing CRM contact.

If I try to sign in via the Sign In page with my Azure AD credentials but I haven't been invited via the invitation process, the portal will redirect me to the Registration page.
