Dynamics 365 Portal – Authentication Deep Dive (Part 3) – Using the Third Party Auth Providers

In the previous post, we have discussed how to configure Azure AD B2C using the Open ID Connect method. One of the challenges that I had in my past experience is that the client has a strict requirement of data residency, due to the sensitivity of their business. Therefore, they are considering some 3rd party options that have their solution deployed in Australian data centre. Some of the options that we have explored are Auth0 and Okta.

The same principle of configuring Open ID Connect authentication, these 3 site settings records need to be created & configured:

  • Authentication/OpenIdConnect/[provider]/Authority
  • Authentication/OpenIdConnect/[provider]/ClientId
  • Authentication/OpenIdConnect/[provider]/RedirectUri

Note: The key part of configuring authentication always be getting familiar with the product and how to find the right equivalent information 😊

Example of 3rd party External Identity Provider: Auth0

First of all, we need to make the “Application” as the container of our configuration in Auth0 management portal.

Auth0-Create-App.png

Select the Regular Web App option (this will have pre-configured settings for the auth token required for the majority of web apps).

Auth0-Create-App2.png

Register the Allowed Origin and Callback URL(s) of our portal site. Mine is like below:

Auth0-Create-Config1.png

Take note of the client ID to be used for the portal configuration:

client-id.png

Expand the Advanced settings, take note the OAuth Authorization URL, this will be the value of “Authentication/OpenIdConnect/[provider]/Authority”

Auth0-Authorize.png

Configure the site settings to have the following items:

Auth0-site-settings.png

Quick Demo:

Auth0-Demo.gif

Example of 3rd party External Identity Provider: Okta

Similarly, when configuring Okta, need to set up the application as the container of our web app authentication configurations.

create-app-okta.png

When creating the application, select the Web application

create-app-okta2.png

Configure the base URL, login redirect URL(s) & the Grant Type. I choose the below option (mimicking the Auth0/Azure AD B2C settings). Also, take note of the client ID.

create-app-okta3.png

Okta_Client_ID.png

To find the “Authentication/OpenIdConnect/[provider]/Authority” value, navigate to the API section and take note of the issuer URI

Okta-auth-server.png

And add the Portal Base URL as the allowed/trusted origin

Okta-auth-server-allowed.png

Then finally set up the site settings as below for Okta Auth:

Okta-site-settings.png

Okta Auth Demo

Okta-Demo.gif

Conclusion

I hope the flexibility of the Authentication framework that the Dynamics 365 Portal offers would help you to be able to leverage your existing IDP/Auth provider to connect to Dynamics 365 Portal easily.

In the next post, I will discuss some tips & tricks to get a more seamless end-user experience authenticating to the portal.

Hope this helps!

Advertisements

Dynamics 365 Portal – Authentication Deep Dive (Part 2) – Using the Microsoft Azure AD

The second part of the series of the blog post is to leverage the Microsoft Azure AD capability to deliver the authentication capability for the Dynamics 365 Portal.

There are 2 parts of the Azure AD that we can use depending on the audience:

  1. Internal-facing Portal: Azure AD
  2. External-facing Portal: Azure AD B2C

Now, let’s walk through the detail on each part.

Azure AD Authentication

The Azure AD authentication use case is predominantly for internal users such as employee or contractors accessing an internal company’s portal, such as employee self-service portal.

This feature is enabled by default for Dynamics 365 Portal with this specific Site Setting to look for:

Authentication/Registration/AzureADLoginEnabled

This will provide seamless authentication for all internal users.

How about guest users, such as contractors or partner? Azure AD provides the ability to invite Guest Users via the Azure AD B2B.

Azure AD B2B use case would be for the Partner Portal functionality.

To enable the guest user access, we first need to have the user added in Azure AD as “Guest User”

Guest User.png

In this example, I’m going to add my work account (@barhead.com) to my personal instance (@andz88.com). Once invited, I’ll receive the invitation, click on the Get Started to “redeem”/confirm the invitation. You’ll notice that you don’t have access to any application, but that is fine.

Invitation.png

Once confirmed, I now can login to the portal by clicking on the Azure AD login method using my work (external) account.

Note: If the Azure AD is configured using Federated auth with AD FS, the Portal Azure AD auth also will use AD FS.

Demo:

AzureAD B2B.gif

External facing portal with Azure AD B2C

Azure AD B2C is the option for external users, typically for the public facing portal, such as customer self-service, community portal or partner portal.

Note: at the time of writing this article, Azure AD B2C deployment does not include some regions like Australia: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-tenant-type

The good news for Australian-based users, Dynamics 365 Portal Authentication is only using Azure AD B2C for the user object ID and securely storing the login credential, PII and other profile information is stored in Dynamics 365, which is hosted in Australian Data Centre.

To implement Azure AD B2C authentication, I would recommend using the Open ID Connect authentication method. This is the commonly used authentication method that is available from most of modern ID/Authentication providers. So, to begin with, there are 3 main Site Settings that you will need to pay attention to enable any kind of Open ID Connect authentication:

  • Authentication/OpenIdConnect/[provider]/Authority
  • Authentication/OpenIdConnect/[provider]/ClientId
  • Authentication/OpenIdConnect/[provider]/RedirectUri

The [provider] part of the settings should be replaced by the name of the authentication method/provider that you would like to name (this also become the display name of the authentication button at the sign in page).

From the Azure AD B2C perspective, once you’ve created the Azure AD B2C deployment, you will need to add Dynamics Portal application to the list:

Application Reg.png

Create the application, make sure that the “Allow Implicit Flow” set to Yes. Reply URL should be in the format “[portal domain]/signin-[Federation-Name]” (Ref: https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/azure-ad-b2c)

AppSetup.png

Once the Dynamics Portal application added to AAD B2C application, you’ll need the ensure to set up the user flows/policies:

Sign-in Policy 1.png

At least configure the Sign in and Sign Up & Password ResetSign-in Policy 2.png

In particular, on the Signup and sign in policy, set the bare minimum information for the claim, such as email address, first name and last name and keep the rest to be managed in Dynamics 365 (unless you would leverage the full capability of Azure AD B2C to manage the profile). The tips & tricks on configuring the claim I’ll discuss in the next posts.

Once configured you will need to grab the 3 most basic information: Authority, ClientId and Redirect Url.

To find the value for the “Authority”, open the Sign up and sign in policy that you’ve created and click on Run user flow:

RunUserFlow.png

It will open a panel, click this well-known/openid-configuration link to see the JSON metadata:

AAD Authority.png

And grab the value from “issuer” to be value for the Authority.

Issuer.png

The value of ClientId is the GUID of the application that you created in the previous step:

ClientId.png

And RedirectUri is the from the Reply URL that we set in that application

ReplyUrl.png

Once configured, you will be able to sign in using users that have been registered in the Azure AD B2C:

Azure AD B2C Demo.gif

Hope this helps. In the next post, I’ll discuss using some 3rd party identity providers as the alternative of Azure AD B2C.

Further Read:

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/azure-ad-b2c 

Dynamics 365 Portal – Authentication Series (Part 1) – The Basics

I’ve been recently deployed a quite complex Dynamics 365 portal solution involving a custom authentication provider and other features such as Power BI Embedded and SharePoint integration.

In this series, I’ll discuss in more detail about the authentication side based on my lesson learned out of this challenge to get them working properly. My plan is to discuss the following topics in this series:

  1. The basic – Local Auth
  2. External Auth – Using Azure AD & Azure AD B2C
  3. External Auth – 3rd party ID provider
  4. Some tips and tricks around

Before we begin, I would admit that I’m not a portal expert, I learned the concept and knowledge from these great experts: Colin Vermander, Nick Doelman, George Doubinski and Dileep Singh. So, credit is to my great “teachers”.

So, to begin with, let’s try to understand the authentication methods that the Dynamics 365 portal supports (https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/configure-portal-authentication).

In a nutshell, Dynamics 365 portal’s authentication is based on the ASP.Net Identity, which is based on the OWIN Framework (The OWIN framework is the “jargon” that seems to be commonly being used by the auth provider in their documentation, so always good to know and understand how it works/behaves).

There are 2 methods of authentications in Dynamics 365 Portal:

  1. Local Authentication

Purely based on Dynamics 365 Contact record to store the authentication details.

  1. External Authentication

Utilising the ASP.Net Identity API to integrate with the external ID providers using either OpenID Connect or OAuth or SAML.

To ensure the portal authentication to work properly, ensure the following solutions exist in the environment. These solutions typically will always be there after the portal instance being provisioned, but I had a case where the overall authentication process is not working properly due to missing one of the following solutions (if you encountered the same issue as me, log a support ticket and the support team can add the missing solution fairly quickly).

Solutions.png

The minimum viable option of the authentication would be using the local authentication. However, I would recommend to minimise the usage of the local authentication method and use External Authentication (if possible Azure AD-family) as much as possible, not only for the security compliance but also future proofing your portal investment. This is based on Colin Vermander’s blog post from last year: https://colinvermander.com/2018/05/19/dynamics-365-portals-authentication-deprecation/

Even though the link in the article is no longer showing the deprecation on it, but I reckon the intent to push to Azure AD B2C is still there.

Local Authentication in a Glance

When you are using the Local Authentication, the portal solution is storing the user creds within the contact entity. Password is stored as hashed text within Dynamics 365 (even though Dynamics handles the security and encryption at rest, this could be an “alarming” thing when the system is being audited by security experts. Thus, recommended to use external idp).

username password.png

Some of the notable site settings that construct the basic behaviour of the local authentication in Dynamics 365 Portal:

  • Authentication/Registration/Enabled
  • Authentication/Registration/LocalLoginEnabled
  • Authentication/Registration/OpenRegistrationEnabled
  • Authentication/Registration/InvitationEnabled
  • Authentication/Registration/RememberMeEnabled
  • Authentication/Registration/ResetPasswordEnabled
  • Authentication/Registration/ResetPasswordRequiresConfirmedEmail

The technical description of those settings are available in this documentation article: https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/set-authentication-identity

In the next post, I will discuss on how to configure the authentication using Azure AD & Azure AD B2C.

Update to the Unified Interface in the October 2018 Release

Microsoft product team just shared the latest update for Unified Interface in the October 2018 release. This is important especially for those who have started embracing Unifed Interface in their organisations. Note: These Unified Interface updates were not highlighted in the October Release Notes and there is no official article/documentation that stating this yet.

Overall, the update is to address the feedback around the usability and adoption of Unified Interface, primarily around the navigation and colour scheme. To keep in mind, this update is going to be automatically applied to the organisations with v.9 onwards, without the “Opt-In” feature (Related to the quite recent announcement from Microsoft about the continuous update of Dynamics 365). It means if your organisation has embraced the Unified Interface, there might be a slight change to the training material (if any) and preparing communications to the end users so that they are aware of this UI/UX change to the Unified Interface.

The changes are as follow:

Before

thumbnail_image001.png

After

thumbnail_image002.png

Sitemap changes:

  • Site map will be expanded by default, with the option to collapse, to improve user recall and learning.
  • Simplified IA: MRU (recent) and favorites (pinned) moved to top level, always visible. No more entity level MRU.
  • No more tabbed sitemap. Bottom flyout used to select areas. To reduce icon overload, colorized tiles replaced area icons.
  • New color scheme (black on gray) to improve navigation discovery.

Commanding changes:

  • Dark text on light background to group commanding with the content area it effects
  • New colored icons and hover effect distinguish different commands and highlights interactive regions

Affected viewport width
These changes are aimed at improving user experience for desktop browser users at widths above 480.

Leveraging Microsoft Flow to be your API Engine – Low Code Approach

Recently I’ve been experimenting with Microsoft Flow and its counterpart, Logic Apps. A thing that I noticed could become a game changer in designing a business solution these days is that Microsoft Flow can be turned into an API engine. In my example, I’m going to create a very simple API to send a message to my Skype for Business and reply back with the response whether the API call is successful or not.

The first step is by registering the HTTP Request trigger in the Flow step:

HTTP_Request_Trigger.png

As any typical API, you will need to specify the data payload. To generate the payload schema, we can use the “Use sample payload to generate schema”. I’m going to use a simple payload to send the message:

{
      “message”:”payload for skype”
}
Payload_generator.png
Once generated, this will create the schema for you
HTTP_Request_Trigger_with_schema.png
To ensure that the payload schema is validated on the HTTP request by clicking the Settings option:
Settings.png
And turn the Schema Validation to On
Schema_Validation_On.png
The next step is to register the action that you would like to perform (you could be creative here with the available connectors for Microsoft Flow or you can come up with your custom connector).
In my sample, I’m going to add the Skype for Business action: Send Instant Message
Send_skype_message.png
As any typical API, we will need to provide the response appropriately. In this example, I’ll just implement the success response. Exception handling will be discussed on a separate blog post.
response.png
Once finished, save the flow and the HTTP Request step will generate the API endpoint:
endpoint.PNG
To test the endpoint, you could simply use Postman (or any tools to stimulate HTTP request) to trigger it:
Postman.png
And here’s the result:
Skype.png
Skype2.png

Conclusion

To create a low-code API is now become very simple with Microsoft Flow. With the available connectors and actions, workflow-based API can be achieved in configurations!

Business Apps. October ’18 Release Highlights

Microsoft just announced the October’18 Release Notes from the last week’s Business Application Summit conference at Seattle. The first question that might come up is: Why October, aren’t we still in July and October is still 3 months away? The answer is in response to the recent blog announcement about the way Microsoft Dynamics 365 will be updated: https://cloudblogs.microsoft.com/dynamics365/2018/07/06/modernizing-the-way-we-update-dynamics-365/. The release notes are made available upfront to allow customers/partners to be familiar to what is coming and plan ahead with the updates.

Now, the official article of the release notes can be viewed here and the actual release notes can be downloaded here. So, after spending the weekend of reading the 239 pages of the release notes I would like to list the highlights of this updates, in particular to the Dynamics 365 CE, Flow and PowerApps. Sorry, ERP-counterpart of the Dynamics 365 family, and Power BI, I’m not the expert on that.

Release_notes.png

So, without further ado, here are the highlights of this October update from my perspective.

Dynamics 365 for Sales

  • Playbook – Seems to be a useful feature, if this can be extensible
  • Microsoft Teams integration!
  • Dynamics 365 AI for Sales Rep… oh WOW!

Dynamics 365 for Service

  • Omni-channel engagement hub
  • Channel Integration Framework – aka bring your own channel
  • BYOB – Bring your own Bot!

Dynamics 365 for Marketing

  • Segmentation enhancement – more operators and hoping for the performance is really bumped up
  • Custom analytics – the current release of Dynamics 365 for Marketing only provides the “Insights” that come from the OOTB package, with this Custom analytics enhancement, really hope that we can create tailored insights, and seems it will open up Power BI reporting

Dynamics 365 Portal

  • Portal Config migration – schema is now going to be provided
  • Embed Power BI on Portal!
  • SharePoint Integration is back!! – oh wait…

PSA

  • Adjustments to approved items! – my wish-list is apparently being implemented 😉

PowerApps & the D365 Platform

  • Embedded canvas app on D365/Model-Driven PowerApps
  • Choose your own size app – closer to the “Pixel-Perfect” slogan
  • Create Canvas Apps with responsive layout – finally!
  • More “integrated” look of Model-Driven PowerApps – within PowerApps studio, instead of the “jumping” experience with the Dynamics 365 CE
  • Improved ALM – looking forward to this!
  • Dependent Option Set – doesn’t tell whether this is for Canvas App only or for Model-Driven Apps as well? If yes, this is awesome!
  • Solution checker – this features from high-level seems to be awesome. Similar to the reports that the PFE guys used to produce 😉
  • Missing features like advanced find, merge records, run reports, run workflows and bulk edit are available in UCI (Model Driven PowerApps)

Microsoft Flow

  • Design Microsoft Flow using Visio – yay! Caveat: need Visio Online Plan 2.

What to expect?

With the above highlights and referring to the “caveat” of the release notes: “Features Releasing from October 2018 through March 2019”, all we can do is to wait and see the update waves to land 😉

Troubleshooting: “There is no active transaction” Error.

Today I encountered a very weird error when I’m working with my team to create a very simple workflow, on a status update, if the status is equal to a specific status, create a task that is assigned to a specific team. However, we can’t proceed due to a very strange reason:

Weird_Error.png

This is the error message:

“There is no active transaction. This error is usually caused by custom plug-ins that ignore errors from service calls and continue processing.”

So, I googled it to find the similar error. Based on a past post by Aileen: http://missdynamicscrm.blogspot.com/2015/10/crm-error-there-is-no-active-transaction-crm-error-plugin.html

We have tried checking the suggested approach by her:

What to Check

So, if you find this error, please check:

– Whether you have custom plugin/custom workflow active triggered
– Whether you put skipping the error that will have impact to the CRM process, it is not possible
– Actually you better to log the error
– Because you won’t know what it is
– This is not your logic wrong in your custom plugin
– This just you need to fix why CRM cannot proceed?
– Is that because your user/team does not have privilege or you missed some parameters required
– This error might happen like for Assignment, Lead Qualification, Quote creation, etc

However, no luck 😦

And we also come across this forum discussion: https://community.dynamics.com/crm/f/117/t/138785?pi61802=2#responses

where some people are mentioning about an issue with ActivityFeeds plugins, again no luck, as we can’t find the specific ActivityFeeds plugins registered.

So, as the usual troubleshooting technique of elimination process, we tried to remove 1-by-1 the workflow mapping, and we found the culprit. Apparently, it’s on the mapping of record owner in the Create Task step. For some reason, if we set the owner on the creation of the task, it keeps throwing the error. So, we split the owner assignment to a separate step to assign the record to the team. Something like:

Weird_Error2.png

And it solves our misleading “Custom Plugin” issue.

 

HTH!