Dynamics 365 portals support a variety of authentication schemes and are configured by default with custom (forms-based) and Azure AD integrated login schemes. However, the default Azure AD login scheme works only with the customer’s own Azure AD.

This article shows how to configure your Dynamics 365 portal to work with your customer’s or partner’s Azure AD without having to add them as guest users in your own Azure AD.

Pre-requisites

Performing this task will require the following:

  • Portal Owner privileges
  • Global Admin privileges on the tenant

Time required

The steps outlined in this task will take approximately 15 minutes.

Additional Notes

If you configure a custom domain and/or change your portal Base URL, these steps will need to be re-run, specifically step #3.

Procedure

  1. Open the Microsoft Azure AD portal and log in as a Global Administrator. The URL for Microsoft Azure AD portal is https://aad.portal.azure.com/
  2. Once logged in, click on ‘Azure Active Directory’.
  3. Now click on the “App registrations” menu, then click on the “+ New Registration” option.
  4. Fill in the App Registration form with the details outlined below:

    Name: Dynamics 365 Portals Customer Login
    Supported account types: Accounts in any organizational directory (Any Azure AD directory - Multitenant)
    Redirect URI (optional): Select ‘Web’ in the dropdown and enter your Portal base URL appended with /signin-oidc in the text box.
    E.g.: If your portal URL is https://iotapsandbox.microsoftcrmportals.com/ then the URL to be entered would be https://iotapsandbox.microsoftcrmportals.com/signin-oidc

    Click the “Register” button once done. You will now be redirected to the new application’s overview screen. Note the “Application ID” – this will be required later.
  5. Open Dynamics 365 and navigate to Portals > Site Settings. Create the following Site Setting entries:

    Name                                                                 Value
    Authentication/OpenIdConnect/CustomerAzureAD/Authority               https://login.windows.net/common
    Authentication/OpenIdConnect/CustomerAzureAD/Caption                 Customer Login
    Authentication/OpenIdConnect/CustomerAzureAD/ClientId                [Use the Application ID noted in step 4]
    Authentication/OpenIdConnect/CustomerAzureAD/ExternalLogoutEnabled   True
    Authentication/OpenIdConnect/CustomerAzureAD/IssuerFilter            https://sts.windows.net/*/
    Authentication/OpenIdConnect/CustomerAzureAD/RedirectUri             [See Notes below]
    Authentication/OpenIdConnect/CustomerAzureAD/ValidateIssuer          False

    Notes:

    The RedirectUri is the URL ending with /signin-oidc that was configured in step #4.
    If you configured multiple URLs, then choose the one that you wish the user to be redirected to when they logout of the portal.
    E.g.: specifying https://iotapsandbox.microsoftcrmportals.com/signin-oidc will redirect the user to https://iotapsandbox.microsoftcrmportals.com/ upon logout, whereas specifying https://skyblue.microsoftcrmportals.com/signin-oidc will redirect them to https://skyblue.microsoftcrmportals.com/
  6. Navigate to the Sign In page of your portal. You should see a button called “Customer Login”.
  7. Click on the “Customer Login” button and specify an Azure AD login (Work or School account) that is not part of your own Azure AD. A consent form is presented the first time the customer logs in. If the user has administrative privileges, they can choose to “Consent on behalf of the organization”, which suppresses the consent for other users from that organization.

    Upon completing the consent, the user is either logged into the portal (if ‘OpenRegistrationEnabled’ is enabled – see Additional Configuration Parameters section below) or redirected to the invitation redemption page.

  8. Congratulations! Your Dynamics 365 Portal is now configured to work with your customers’ Azure AD.

Additional Configuration Parameters

Some additional but relevant options to consider under Portal Site Settings.

Name                                                        Recommended Value                  Description
Authentication/Registration/AzureADLoginEnabled             False                              Changing this value will affect the visibility of the “AzureAD” button on the sign-in page. Users from your own Azure AD can use the ‘Customer Login’ created above to log in to the Portal.
Authentication/Registration/LocalLoginEnabled               False                              Enables or disables custom forms-based logins.
Authentication/Registration/OpenRegistrationEnabled         False                              If False, the portal only allows logins via Invitations. If True, anyone can sign up for the portal.
Authentication/Registration/LoginButtonAuthenticationType   https://login.windows.net/common   If this is set, the Sign In button on the Portal will take the user directly to the Office 365 login page.
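The step 5 settings turn off issuer pinning (ValidateIssuer False) and replace it with a wildcard IssuerFilter, so a signed id_token from any Azure AD tenant passes the issuer check and access control rests on invitations (OpenRegistrationEnabled False). The following Python is an added illustration, not the portal's own code: it models the effect of the article's IssuerFilter value on constructed, unsigned sample tokens, and adds a hypothetical allowed_tenants allow-list (an assumption, not a portal setting) to show how an operator could narrow what the wildcard admits.

```python
import base64
import fnmatch
import json

# Site setting value from this article, copied as a constant (constructed copy,
# not read from Dynamics 365 at runtime).
ISSUER_FILTER = "https://sts.windows.net/*/"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT carrying the given claims. Only for
    producing sample input here; real Azure AD id_tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."

def id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload without checking its signature. The portal's OpenID
    Connect middleware verifies the signature first; this helper only exposes
    the claims the issuer logic below looks at."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def tenant_of(iss: str):
    """Tenant id from an Azure AD v1 issuer of the form
    https://sts.windows.net/<tenant-id>/ ; None for any other shape."""
    prefix = "https://sts.windows.net/"
    if not (iss.startswith(prefix) and iss.endswith("/")):
        return None
    tenant = iss[len(prefix):-1]
    # fnmatch's '*' also matches '/', so reject anything that is not one segment
    if not tenant or "/" in tenant:
        return None
    return tenant

def issuer_accepted(id_token: str, allowed_tenants=None) -> bool:
    """Hypothetical model of the issuer check implied by the article's settings:
    with ValidateIssuer=False the wildcard filter is the only issuer restriction,
    so every Azure AD tenant is accepted. allowed_tenants (assumed, not a portal
    setting) shows the narrower check an explicit tenant allow-list would give."""
    iss = id_token_claims(id_token).get("iss", "")
    if not fnmatch.fnmatchcase(iss, ISSUER_FILTER):
        return False
    tenant = tenant_of(iss)
    if tenant is None:
        return False
    return True if allowed_tenants is None else tenant in allowed_tenants
```

With the article's settings alone, every token issued under https://sts.windows.net/<tenant>/ is accepted, which is why the invitation-only setting matters for who can actually get a portal contact.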