...
Dynamics 365 On-premise base URL.
ADFS base URL.
ADFS oAuth2 client id.
...
(Connector is using Authorization code grant flow for connection)
Create oAuth2 client in ADFS using PowerShell commands
1. Register new client application(s) to use with Connector
To register a new oAuth2 client You need to create separate clients for Connector G-Suite add-on, run the following from the Administrative PowerShell prompt -
...
| language | powershell |
|---|
...
and Automatic sync, depends on what you are using. Use the following re-direct URI for each clients.
Re-direct URI for G-Suite add-on - https://script.google.com/macros/d/17V0Pk2A7VTevuNUbsgXMCnfgYIvN6pblZduRWjLNoNDlw5SzIem3o0Hi/usercallback
...
Re-direct URI for Outlook add-in - https://outlook.ienterprises.com/outlook/mscrm/src/taskpane/app/oauth/token.html
Re-direct URI for Automatic sync - https://isync.ienterprises.com/oauth2client/mscrm.php
To register a new oAuth2 client for Automatic Sync, run the following from the Administrative PowerShell prompt -
| Code Block | ||
|---|---|---|
| ||
Add-ADFSClient -Name "oAuth2 Client forname iSynchere" -ClientId "some- uid here" -RedirectUri "https://isync.ienterprises.com/oauth2client/mscrm.phpre-direct uri here" |
** Replace “some - uid“ with a client id. Use this client id in connection settings.
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsclient
2. Grant Application permission to CRM
For Windows Server 2016 and later :-
Grant Application permission to ADFS clients with the required scope(s), by running the following from Administrative PowerShell prompt -
| Code Block | ||
|---|---|---|
| ||
Grant-AdfsApplicationPermission -ClientRoleIdentifier "clientid" -ServerRoleIdentifier "Dynamics URI" -ScopeNames openid, user_impersonation |
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/grant-adfsapplicationpermission
For ADFS 3.0 on Windows Server 2012 R2 :-
Goto ADFS Management
Expand ADFS > Trust Relationships > Relying Party Trusts
Use the Add Relying Party Trust Wizard
Create a Relying party manually and Permit all users to access this relying party
Obtaining refresh tokens from ADFS
Refresh tokens are needed from ADFS to keep the login active. To set them you’d run the following from an Administrative PowerShell prompt -
...
This would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 14 days.
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust
...