Dynamics 365 Portal – Authentication Deep Dive (Part 4) – Tips & Tricks

Finally, after quite hectic months with all the big events happening in Melbourne, Australia and globally (Dynamics 365 Saturday, UG Summit and Global Hackathon), I’m going to finalise this series on authentication with Dynamics 365 Portal, or should we call it PowerApps Portal now 😉

So, without further ado, here are some tips & tricks in authentication implementation for Dynamics 365 portal:

  1. Set Login Session Timeout

As part of the security policy, we sometimes need to set the login session timeout. Usually, the token lifetime is configured on the Identity Provider.

So, my first thought was to use the Open ID Connect settings to set the cookie timeout: “Authentication/OpenIdConnect/[provider]/UseTokenLifetime”

Well, after some testing, that doesn’t change the timeout. So, to properly change the session timeout, apparently I need to set the following configuration:

Authentication/ApplicationCookie/ExpireTimeSpan

  2. Use default Login Provider

When we configure the external login, sometimes there is a specific direction to allow only one specific login method for the portal audience. To achieve this, you just need to set the following configuration:

Authentication/Registration/LoginButtonAuthenticationType

Set the value to the same value as the ‘Authority’ URL of the Authentication Provider:

e.g. if your “Authentication/OpenIdConnect/[provider]/Authority” is “https://login.somewhere.com”, put the same value in this setting. This will “force” the login process to use the specified provider.

  3. Claim Mapping – Resolve basic contact mapping

When we have configured the external Authentication Provider and are able to log in, it will usually prompt us for the email, then create a new contact record if the record doesn’t exist, or complain that a duplicate contact exists and stop the process, which is sometimes frustrating and causes orphaned records…

So, to make it a more seamless experience:

  • Set the “Authentication/OpenIdConnect/[provider]/RegistrationEnabled” to true
  • Set the “Authentication/OpenIdConnect/Auth0/RegistrationClaimsMapping” to reflect the mapping. Commonly we would like to set the First Name, Last Name and Email Address: “firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,emailaddress1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email”

More detail on the claim mapping:

https://docs.microsoft.com/en-us/dynamics365/portals/azure-ad-b2c#claims-mapping

And the options on what we can use from the identity provider:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims
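The three settings from tips 1 to 3 can be checked together before go-live. The following is an added example, not code from the original post or from the portal product: it assumes the site settings have been exported into a name/value dictionary, that ExpireTimeSpan uses a .NET-style `[d.]hh:mm:ss` string, and a one-hour session policy; the function names and sample values are hypothetical.

```python
import re
from datetime import timedelta

# Constructed sample of exported site settings (name -> value), not from a real portal.
SAMPLE_SETTINGS = {
    "Authentication/ApplicationCookie/ExpireTimeSpan": "00:30:00",
    "Authentication/OpenIdConnect/Auth0/Authority": "https://login.somewhere.com",
    "Authentication/Registration/LoginButtonAuthenticationType": "https://login.somewhere.com/",
    "Authentication/OpenIdConnect/Auth0/RegistrationClaimsMapping": (
        "firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,"
        "lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,"
        "emailaddress1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
    ),
}

def parse_timespan(value):
    """Parse [d.]hh:mm:ss (assumed TimeSpan format) into a timedelta."""
    m = re.fullmatch(r"(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})", value.strip())
    if not m:
        raise ValueError(f"not a TimeSpan: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def parse_claims_mapping(value):
    """Split 'field=claim,field=claim' into a dict; reject malformed pairs."""
    mapping = {}
    for pair in value.split(","):
        field, sep, claim = pair.strip().partition("=")
        if not sep or not field or not claim:
            raise ValueError(f"malformed pair: {pair!r}")
        mapping[field] = claim
    return mapping

def audit(settings, max_session=timedelta(hours=1)):
    """Return a list of findings for the settings covered in tips 1 to 3."""
    findings = []
    name = "Authentication/ApplicationCookie/ExpireTimeSpan"
    if name not in settings:
        findings.append("ExpireTimeSpan not set; portal default timeout applies")
    elif parse_timespan(settings[name]) > max_session:
        findings.append("ExpireTimeSpan exceeds policy")
    authorities = {v for k, v in settings.items()
                   if k.startswith("Authentication/OpenIdConnect/") and k.endswith("/Authority")}
    button = settings.get("Authentication/Registration/LoginButtonAuthenticationType")
    if button is not None and button not in authorities:
        findings.append("LoginButtonAuthenticationType does not exactly match any Authority")
    for k, v in settings.items():
        if k.endswith("/RegistrationClaimsMapping") and "emailaddress1" not in parse_claims_mapping(v):
            findings.append(f"{k} does not map emailaddress1")
    return findings
```

Against the constructed sample, `audit(SAMPLE_SETTINGS)` reports only the trailing-slash difference between the login button value and the Authority.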

  4. Force Login when accessing pages other than the Home page

In my recent scenario, there was a requirement to make the other web pages unavailable to non-authenticated users. I can apply “Authentication Required” to each page on my site. However, this is not an efficient process, particularly for the maintainability of the portal. So, to achieve this in an efficient way:

  • Navigate to Web Page -> Home
  • Navigate to the Access Control Rules section
  • Create a new Rule as follows:

[Screenshot: Web Access Control.png]

Make sure you set the scope to Exclude direct child web files, otherwise the portal scripts and CSS will be blocked as well.

  • Add the “Authenticated User” under the Web Role:

[Screenshot: Auth Users.png]

That’s all the tips & tricks related to the Dynamics 365 Portal authentication. I hope this helps!
