Dynamics 365 portals support a variety of authentication schemes and are configured by default with a local (forms-based) login scheme and an Azure AD login scheme. The default Azure AD scheme, however, works only with your own Azure AD tenant.
This article shows how to configure your Dynamics 365 portal to accept sign-ins from your customer’s or partner’s Azure AD tenant without adding those users as guests in your own Azure AD.
Performing this task will require the following:
- Portal Owner privileges
- Global Admin privileges on the tenant
The steps outlined in this task will take approximately 15 minutes.
If you later configure a custom domain or change your portal base URL, these steps must be repeated: the redirect URI in the Azure AD App Registration and the RedirectUri site setting both have to be updated to match the new URL.
- Open the Microsoft Azure AD portal and log in as a Global Administrator. The URL for Microsoft Azure AD portal is https://aad.portal.azure.com/
- Once logged in, click on ‘Azure Active Directory’.
- Now click on the “App registrations” menu, then click on the “+ New Registration” option.
- Fill in the App Registration form with the details outlined below:
Name: Dynamics 365 Portals Customer Login
Supported account types: Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Redirect URI (optional):
Select ‘Web’ in the dropdown and enter your portal base URL with ‘/signin-oidc’ appended in the text box.
E.g.: If your portal URL is ‘https://iotapsandbox.microsoftcrmportals.com/’ then the URL to be entered would be ‘https://iotapsandbox.microsoftcrmportals.com/signin-oidc’
Click the “Register” button once done. You will be redirected to the app’s overview screen. Note the “Application (client) ID” – it will be required later.
- Open Dynamics 365 and navigate to Portals > Site Settings.
Create the following entries for this entity.

| Name | Value |
| --- | --- |
| Authentication/OpenIdConnect/CustomerAzureAD/Authority | https://login.windows.net/common |
| Authentication/OpenIdConnect/CustomerAzureAD/Caption | Customer Login |
| Authentication/OpenIdConnect/CustomerAzureAD/ClientId | [the Application (client) ID noted after registering the app] |
| Authentication/OpenIdConnect/CustomerAzureAD/ExternalLogoutEnabled | True |
| Authentication/OpenIdConnect/CustomerAzureAD/IssuerFilter | https://sts.windows.net/*/ |
| Authentication/OpenIdConnect/CustomerAzureAD/RedirectUri | [see notes below] |
| Authentication/OpenIdConnect/CustomerAzureAD/ValidateIssuer | False |

Notes: The RedirectUri is the URL ending with /signin-oidc that you entered as the redirect URI in the App Registration.
If you registered multiple redirect URIs (for example one per portal domain), choose the one whose host you want the user to land on when they log out of the portal.
E.g.: specifying https://iotapsandbox.microsoftcrmportals.com/signin-oidc will redirect the user to https://iotapsandbox.microsoftcrmportals.com/ upon logout, whereas specifying https://skyblue.microsoftcrmportals.com/signin-oidc will redirect them to https://skyblue.microsoftcrmportals.com/
The Authority https://login.windows.net/common is the multi-tenant endpoint, and because ValidateIssuer is False and the IssuerFilter is a wildcard, an id_token issued by any Azure AD tenant’s STS is accepted. Nothing in this configuration limits which organisations can authenticate, so who actually gets into the portal is governed by the invitation and registration settings (see Additional Configuration Parameters below).
- Navigate to the Sign In page of your portal. You should see a button called “Customer Login”.
Click the “Customer Login” button and sign in with an Azure AD (work or school) account that does not belong to your own Azure AD. A consent prompt is presented the first time a user from that organization logs in. If the user is an administrator of their tenant, they can choose “Consent on behalf of the organization”, which suppresses the prompt for other users from that tenant.
Upon completing the consent, the user is either logged into the portal (if ‘OpenRegistrationEnabled’ is enabled – see Additional Configuration Parameters section below) or redirected to the invitation redemption page.
- Congratulations! Your Dynamics 365 Portal is now configured to work with your customers’ Azure AD.
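The IssuerFilter/ValidateIssuer pair in the site settings is what decides whose tokens the portal trusts, so it is worth seeing that decision spelled out. The Python below is an added example, not the portal’s own code: it models the behaviour the two settings describe on constructed, unsigned tokens (a real Azure AD id_token is signed, and the signature is verified before any issuer check), and adds an optional tenant allow-list as a way to tighten the trust boundary. The allow-list, the tenant IDs, the user names and the issuer URLs are all assumptions constructed for the example and are not settings from this page.

```python
import base64
import fnmatch
import json
import re

# Site-setting values from the table above.
ISSUER_FILTER = "https://sts.windows.net/*/"
VALIDATE_ISSUER = False

# Constructed tenant IDs for the example (not real tenants).
OWN_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"

# Assumption: the one issuer a single-tenant (ValidateIssuer=True) setup would expect.
SINGLE_TENANT_ISSUER = f"https://sts.windows.net/{OWN_TENANT}/"

# Azure AD v1 issuer shape: https://sts.windows.net/<tenant GUID>/
TENANT_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$")


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test data: an unsigned JWT (alg 'none').

    Real Azure AD id_tokens are RS256-signed and the portal's OpenID Connect
    middleware verifies the signature before any of the issuer checks modelled
    below; this helper exists only so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def issuer_claim(token: str) -> str:
    """Pull the 'iss' claim out of the JWT payload (no signature check, see above)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["iss"]


def issuer_accepted(iss: str, issuer_filter: str = ISSUER_FILTER,
                    validate_issuer: bool = VALIDATE_ISSUER,
                    expected_issuer: str = SINGLE_TENANT_ISSUER) -> bool:
    """Model of the IssuerFilter / ValidateIssuer pair.

    ValidateIssuer=True: the issuer must equal the single expected issuer.
    ValidateIssuer=False: only the wildcard IssuerFilter applies, so the STS of
    any Azure AD tenant passes. That is what makes multi-tenant sign-in work,
    and also why nothing here limits which organisations can authenticate."""
    if validate_issuer:
        return iss == expected_issuer
    return fnmatch.fnmatchcase(iss, issuer_filter)


def tenant_id(iss: str):
    """Return the tenant GUID embedded in an Azure AD v1 issuer URL, or None."""
    match = TENANT_RE.match(iss)
    return match.group(1) if match else None


def evaluate_login(token: str, trusted_tenants=None):
    """Return (accepted, reason) for an id_token.

    trusted_tenants is an optional allow-list of tenant IDs. It is an extra gate
    the page does not configure: without it, access control rests entirely on
    the invitation / OpenRegistrationEnabled site settings."""
    iss = issuer_claim(token)
    if not issuer_accepted(iss):
        return False, f"issuer {iss} does not match IssuerFilter {ISSUER_FILTER}"
    tid = tenant_id(iss)
    if tid is None:
        # fnmatch's '*' also matches '/', so additionally require the exact GUID shape.
        return False, f"issuer {iss} is not an Azure AD tenant STS URL"
    if trusted_tenants is not None and tid not in trusted_tenants:
        return False, f"tenant {tid} is not in the allow-list"
    return True, f"tenant {tid} accepted"


# Constructed tokens: a customer-tenant user, and a token from an unrelated IdP.
CUSTOMER_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{CUSTOMER_TENANT}/",
    "tid": CUSTOMER_TENANT,
    "upn": "alice@customer.example",
})
ROGUE_TOKEN = make_unsigned_token({"iss": "https://idp.attacker.example/", "upn": "mallory"})


if __name__ == "__main__":
    for label, tok, allow in [
        ("customer tenant, page settings", CUSTOMER_TOKEN, None),
        ("customer tenant, own-tenant allow-list", CUSTOMER_TOKEN, {OWN_TENANT}),
        ("rogue issuer", ROGUE_TOKEN, None),
    ]:
        print(label, evaluate_login(tok, allow))
```

Run it and the first case is accepted on the page’s settings alone, the second is refused only because of the allow-list, and the rogue issuer fails the wildcard filter. If you do want to restrict sign-in to named partner tenants, the portal offers no site setting for that in this configuration; the gate has to live in invitations or in a check such as the allow-list above.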
Additional Configuration Parameters
Some additional but relevant options to consider under Portal Site Settings.

| Name | Recommended Value | Description |
| --- | --- | --- |
| Authentication/Registration/AzureADLoginEnabled | False | Controls the visibility of the “AzureAD” button on the sign-in page. Users from your own Azure AD can use the “Customer Login” created above to log in to the portal. |
| Authentication/Registration/LocalLoginEnabled | False | Enables or disables local (forms-based) logins. |
| Authentication/Registration/OpenRegistrationEnabled | | If False, the portal only allows logins via invitations. If True, anyone can sign up for the portal. |
| | https://login.windows.net/common | If this is set, the Sign In button on the portal takes the user directly to the Office 365 login page. |