(Only for internet-facing installations: you can proceed with the connection if your Dynamics 365 On-premise installation is internet facing.)
To connect to Dynamics 365 On-premise, user(s) need to provide:
- The Dynamics 365 On-premise base URL. Click the Connect button. You will be prompted to enter additional information.
- The ADFS Server base URL.
- The ADFS oAuth2 ClientId. Click the Connect button again.
Contact your Dynamics CRM admin for the above details. If an oAuth2 client is not already configured, the administrator can follow the instructions below to create a client id.
(For connection from the Connector G-Suite add-on, please contact iEnterprises support to whitelist the Dynamics 365 and ADFS URLs.)
(Connector uses the Authorization code grant flow for the connection.)
Create oAuth2 client in ADFS using PowerShell commands
1. Register new client application(s) to use with Connector
You need to create separate clients for the Connector add-on and Automatic sync, depending on what you are using. Use the following re-direct URI for each client.
Re-direct URI for G-Suite add-on - https://script.google.com/macros/d/17V0Pk2A7VTevuNUbsgXMCnfgYIvN6pblZduRWjLNoNDlw5SzIem3o0Hi/usercallback
Re-direct URI for Outlook add-in - https://outlook.ienterprises.com/outlook/mscrm/src/taskpane/app/oauth/token.html
Re-direct URI for Automatic sync - https://isync.ienterprises.com/oauth2client/mscrm.php
To register a new oAuth2 client (the example below is for automatic sync; repeat it with the matching re-direct URI for each client you use), run the following from the Administrative PowerShell prompt -

Add-ADFSClient -Name "oAuth2 Client for iSync" -ClientId "some-uid-here" -RedirectUri "re-direct uri here"

** Replace "some-uid-here" with a client id and "re-direct uri here" with the re-direct URI listed above for that client. Use this client id in the connection settings.
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsclient
2. Grant Application permission to CRM
For Windows Server 2016 and later :-
Grant Application permission to the ADFS client(s) with the required scope(s), by running the following from the Administrative PowerShell prompt -

Grant-AdfsApplicationPermission -ClientRoleIdentifier "clientid" -ServerRoleIdentifier "Dynamics URI" -ScopeNames "openid","user_impersonation"

** Replace "clientid" with the client id created in step 1 and "Dynamics URI" with the Dynamics 365 URI.
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/grant-adfsapplicationpermission
For ADFS 3.0 on Windows Server 2012 R2 :-
Go to ADFS Management.
Expand ADFS > Trust Relationships > Relying Party Trusts.
Use the Add Relying Party Trust Wizard.
Create a Relying Party manually and permit all users to access this relying party.
Obtaining refresh tokens from ADFS
Refresh tokens are needed from ADFS to keep the login active. To set them, run the following from an Administrative PowerShell prompt -

Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -TokenLifetime 10
Set-AdfsProperties -SSOLifetime 20160

** Replace "RPT Name" with the name of the Dynamics 365 relying party trust. This would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 14 days (SSOLifetime is given in minutes).
Microsoft doc link :
https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust
https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties
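The three steps above (register the clients, grant them permission on Windows Server 2016 and later, configure refresh tokens) combined into one script with read-backs, as an added example that is not part of the original page or iEnterprises' own tooling. It assumes the placeholder values $DynamicsUri (the Dynamics 365 URI used as ServerRoleIdentifier) and $RptName (the name of the Dynamics 365 relying party trust) are adjusted for your environment; the re-direct URIs are the ones listed above.

```powershell
# Added example (not from the original page). Run from an Administrative
# PowerShell prompt on the ADFS server (Windows Server 2016 or later).
$DynamicsUri = "https://crm.example.com/"   # placeholder: Dynamics 365 URI
$RptName     = "Dynamics 365"               # placeholder: relying party trust name

# Re-direct URIs from the page; create only the clients for the components in use.
$Clients = @{
    "oAuth2 Client for G-Suite add-on" = "https://script.google.com/macros/d/17V0Pk2A7VTevuNUbsgXMCnfgYIvN6pblZduRWjLNoNDlw5SzIem3o0Hi/usercallback"
    "oAuth2 Client for Outlook add-in" = "https://outlook.ienterprises.com/outlook/mscrm/src/taskpane/app/oauth/token.html"
    "oAuth2 Client for iSync"          = "https://isync.ienterprises.com/oauth2client/mscrm.php"
}

foreach ($name in $Clients.Keys) {
    # Step 1: register the client once; a fresh GUID serves as the client id.
    $client = Get-AdfsClient -Name $name -ErrorAction SilentlyContinue
    if (-not $client) {
        Add-AdfsClient -Name $name -ClientId ([guid]::NewGuid().ToString()) `
            -RedirectUri $Clients[$name] -Description "iEnterprises Connector"
        $client = Get-AdfsClient -Name $name
    }
    # Step 2: grant only the scopes the Connector needs (openid, user_impersonation).
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $client.ClientId `
        -ServerRoleIdentifier $DynamicsUri -ScopeNames "openid","user_impersonation"
    "{0}: ClientId = {1} (enter this in the Connector connection settings)" -f $name, $client.ClientId
}

# Refresh tokens: 10-minute access tokens, 14-day refresh tokens (SSOLifetime is in minutes).
Set-AdfsRelyingPartyTrust -TargetName $RptName -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName $RptName -TokenLifetime 10
Set-AdfsProperties -SSOLifetime 20160

# Read back the configuration so a wrong re-direct URI, a missing scope or
# refresh tokens still disabled are caught now, not at the first failed login.
Get-AdfsClient | Where-Object { $Clients.ContainsKey($_.Name) } |
    Format-Table Name, ClientId, RedirectUri
Get-AdfsApplicationPermission |
    Where-Object { $_.ServerRoleIdentifier -eq $DynamicsUri } |
    Format-Table ClientRoleIdentifier, ScopeNames
Get-AdfsRelyingPartyTrust -Name $RptName | Format-List Name, TokenLifetime, IssueOAuthRefreshTokensTo
(Get-AdfsProperties).SSOLifetime
```

The re-direct URI registered in ADFS must match the one the Connector sends exactly, so compare the read-back against the list above character by character if the connection still fails.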