Managing Dynamics 365 Online Encryption Key

Today, when I navigated to edit one of the Dynamics 365 Online instances, I noticed a new section that is available on my trial instance: “database encryption settings”.


So, what can you do with this shiny new feature?

Based on the official documentation for this feature from Microsoft:

The manage keys feature lets you perform the following tasks.

  • Enable the ability to self-manage database encryption keys that are associated with Dynamics 365 (online) instances.
  • Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
  • Lock a Dynamics 365 (online) instance.
    You should never lock an instance as part of your normal business process. While a Dynamics 365 (online) instance is locked it takes the instance completely offline and it cannot be accessed by anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. An appropriate reason why you would lock an instance is when you move your database from online to on-premises. Locking the instance can make sure that your online data is never accessed again by anyone.

    A locked instance can’t be restored from backup.

  • Unlock a Dynamics 365 (online) instance. To unlock a locked instance of Dynamics 365 (online), you must upload the encryption key that was used to lock it. While a Dynamics 365 (online) instance is locked, it cannot be accessed by anyone.


One of the common requests when I’m implementing a Dynamics 365 (CRM) deployment is the question around security and encryption. A common ask is whether the platform allows a customer-supplied encryption key. In the past, my answer was NO: it was all under Microsoft’s managed encryption key.

With this feature being made available, the answer is YES!


Read through the TechNet article above for more details of this new feature and considerations when you are implementing this BYOK 🙂



Dynamics 365 PSA – I can’t see WBS? What’s wrong with my security role?

This is another finding from deploying Dynamics 365 PSA. During the testing phase, I noticed the test user account could not see the WBS link under the Project entity.

The copied security role assigned to the test user has complete privileges (Create, Read, Write, Delete, Append, Append To, Share and Assign) on the Project and Project Task entities. The security role was copied from Sales Person, as that role is more specific to the sales scenario.

Upon investigation, it turns out that for this role to be able to see the WBS, the ISV Extensions privilege needs to be added to it.



Lesson Learned from PSA Deployment

Currently I’m in a project where our team is going to roll out Dynamics 365 Project Service Automation for one of our customers. Throughout the project, we’ve learned a lot about this new cool kid on the block 🙂


Some gotchas/lessons learned while rolling this out to the customer:

  1. Choose the Project Template carefully. Once the project is created, the user can’t change the project template and needs to do it again from scratch (not a big hassle, but I definitely mentioned this during the training).

  2. This one is for Admins/Customizers: PSA-related controls are limited. Time Entry & Expense, WBS, schedule board, etc. are pretty much static (hard coded); they do not honor relabeling or added options, and you can’t even add a new field. It seems we need to treat PSA in a similar manner to other ISV solutions, such as Click Dimensions (compared to Sales/Service/Marketing, which have more mature customization and configuration flexibility).

  3. Do not mess with the OOTB processes or scripts. There are lots of processes coded in JavaScript and plugins where the processes behind them are not really documented. So, my lesson here: keep it out of the box. If a customization is needed, I would recommend not touching any of the OOTB fields and creating custom processes or fields instead.

  4. Pay attention to “metadata” records (Resource Role, Resource Skill, Price List, Expense Categories, etc.) during deployment. This is similar to the Adx/portal scenario, where records are stored as configuration. To have ALM for PSA done correctly, you will need to pay attention to those records as part of the deployment process.

  5. One of the biggest catches that I’ve got: you can’t undo an approval. Approvers need to be really, really careful with their approvals.

For this instance, I submitted an idea entry: From the feedback from the 2 customers that we have worked with, they need this feature to make an amendment to the entries, at least before it is processed for invoice (at least a flag or something to cater this scenario).

  6. Data migration is a bit tricky. For some scenarios, we had to deactivate some of the validation plugins to let the data in (this needs thorough testing, as I consider it touching an OOTB process that is not well documented).

Hope this helps!

iOS Outlook Add-ins is now available!

Last week I posted my gotcha around Dynamics 365 Outlook App. This weekend I noticed a notification on my phone to update the Outlook app to the latest version.

What surprised me is the availability of the long-awaited add-ins feature that was demoed at the Dynamics 365 launch. The following article mentions the Dynamics 365 add-ins:

So, I waited no further and updated it straight away, and voilà! I can now get my Outlook add-ins on the Outlook app on my phone!


There is a functionality to open the record. Since I have Dynamics 365 mobile app installed as well, the Outlook app is opening the record detail in the Dynamics 365 mobile app.


Gotchas on Dynamics 365 Outlook App Deployment

Microsoft Dynamics 365 has a shiny new Outlook App. In this post, I won’t discuss the functionality of this Outlook App. For information about the functionality, please use the following article:

One of the first prerequisites of the new Dynamics 365 Outlook App is to enable server-side sync. Once the server-side sync for the user’s mailbox has completed, the user will be displayed under Dynamics 365 App for Outlook as an Eligible User.

Click the “ADD APP TO OUTLOOK” button to let the provisioning service add the Outlook App. The provisioning might take up to 15 minutes to finish. For more information about the security requirements, supportability, compatibility and more details of the deployment, please refer to the following TechNet article:

Once you’ve got it provisioned, it will be available on your desktop-based Outlook, as well as on the OWA client.


Gotcha #1 – Outlook App Doesn’t Like Multiple Dynamics 365 Instances

Now, as I’m happy with the App, I would like to make it available in other Dynamics 365 instances (in a typical IT project lifecycle we will have multiple environments, each used for its own purpose, such as DEV/TEST/UAT/PROD).

So, what I did was make the same configuration in the other environment, let’s say the UAT environment, and then proceed to add the app to Outlook. However, I got the following error:


“Issue when adding to Outlook” – with detail: “CRM : IncomingEmailRejected”.

So I click the link “Help me resolve this issue” that takes me to the following KB Article:

The article mentioned the cause of the problem: “This error can occur if the Mailbox record has not been approved.”

Well, I’ve approved the mailbox. Otherwise, how come I could get a success message from the testing result:


To resolve this issue, I needed to update the Mailbox synchronisation to the current organisation only. This means I can only sync and use the Outlook App for one instance at a time (which makes sense).


Once I ticked this option, I could add the Outlook App successfully for the new instance.

So, the feature of the traditional Outlook Client that keeps the configuration of multiple instances and lets you switch which one becomes the syncing org seems not to be available for the Outlook App.


Gotcha #2 – How to Remove or Disable the Dynamics 365 Outlook App?

Now, in some situations, it could be a business decision whether to use the new Dynamics 365 Outlook App or the traditional Outlook client. One thing that I noticed: once I enabled the Dynamics 365 Outlook App for the user, I couldn’t find anywhere in the CRM UI to remove it.

It can only add, but not remove… Okay, this is not the end of the world. The Dynamics 365 Outlook App is technically an “Add-in” for Outlook. So, to remove it, simply navigate to File > Info > Manage Add-ins from Outlook desktop.


That will practically redirect you to Outlook OWA.

Here, we can see the list of Outlook add-ins that have been installed for us. Click Dynamics 365; in there we can also see which Dynamics 365 instance the App is currently connected to.

To disable: simply untick the “Turned on” checkbox.

To remove: select the add-in and click the minus (-) button.


For now, these are the lessons learned that I’ve got from the Dynamics 365 App.


Editing Sitemap in Dynamics 365

Prior to the release of Dynamics 365, we were helped a lot by XrmToolbox, which let us edit the sitemap without editing the sitemap XML manually. However, with the release of Dynamics 365, it seems the plugin for XrmToolbox doesn’t support editing the Dynamics 365 sitemap (given that it is now possible for a Dynamics 365 deployment to have multiple Apps, and each App can have its own sitemap).


So, what should we do now? There are 2 options to configure the Sitemap in Dynamics 365.

Option #1: Creating a new App

With the ability to create an App in Dynamics 365, we can create a sitemap that is associated with the App. Follow the guide from Microsoft on how to configure/design the app:

Option #2: Editing the Default Sitemap

Editing the default sitemap is similar to what we used to do with XrmToolbox. However, since XrmToolbox can’t be used for this, we need to use the Dynamics 365 Sitemap Editor instead.

How to get there? Here are the steps to update the Default Sitemap:

  1. Open the Solution that you would like to use to contain the sitemap.
  2. Under Components, select Client Extensions > Add Existing > select “Site Map”.
  3. Once it’s added to the solution, click on the Edit button.
  4. It will then open up the Dynamics 365 Sitemap Editor. Conceptually it’s the same as the way we configure the Sitemap using XrmToolbox, but with a different user experience and layout.
  5. Once you are happy with the layout, click Save and then Publish.


Extra Tips: Change the Default “Dynamics 365 – custom” App name

By default, each Dynamics 365 instance will get a default App. To change this App name:

  1. Navigate to Settings > Administration > System Settings.
  2. Under the “General” tab, scroll down to the last options.



Dynamics 365 (On-Premises) Is Released

It seems the wait is over for CRM On-Premise customers to get the latest update of Dynamics 365 (the re-branding seems to cause confusion for some of us).

Download link:

This version is 8.2, which is the same base version as the current cloud version. The following components are now available for download:


Note that the filename still uses “CRM2016”. As a rule of thumb to avoid confusion, please refer to the version number 🙂

Looking forward to upgrading one of my VMs over the Christmas break!