Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 18 Next »

(Only for internet facing installation)

To connect to Dynamics 365 On-premise installation, user(s) need to provide -

  1. Dynamics 365 On-premise base URL.

  2. ADFS base URL.

  3. ADFS oAuth2 client id.

Create oAuth2 client in ADFS using PowerShell commands

1. Register new OAUTH2 client application(s) to use with Connector

You need to create separate clients for G-Suite add-on and Automatic sync, depends on what you are using. Use the following re-direct URI for each clients.

To register a new oAuth2 client, run the following from the Administrative PowerShell prompt -

Add-ADFSClient -Name "oAuth2 Client name here" -ClientId "some uid here" -RedirectUri "re-direct uri here"

** Replace “some uid“ with a client id. Use this client id in connection settings.

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsclient

2. Grant Application permission to CRM

Grant Application permission to ADFS clients with the required scope(s), by running the following from Administrative PowerShell prompt -

Grant-AdfsApplicationPermission -ClientRoleIdentifier "clientid" -ServerRoleIdentifier "Dynamics URI" -ScopeNames openid, user_impersonation

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/grant-adfsapplicationpermission

Create oAuth2 client in ADFS Management

(Alternatively, oAuth client can also be created from ADFS management screen. Follow the steps below)

  1. In ADFS Management, right-click on Application Groups and select Add Application Group.

  2. On the Application Group Wizard, enter a Name  and under Client-Server applications select the Server application accessing a Web API template. Click Next.

  3. Copy the Client Identifier value. (This will be the ClientId we need for connection)

  4. Enter the Redirect URI. Click Add. Click Next

  5. On the Configure Application Credentials screen, you can optionally choose to Generate a shared secret and copy the secret. (This will be the ClientSecret we need for connection). Click Next.

  6. On the Configure Web API screen, enter the the Dynamics URI. Click Add. Click Next.

  7. On the Apply Access Control Policy screen, select Permit everyone and click Next.

  8. On the Configure Application Permissions screen, make sure openid and user_impersonation are selected and click Next.

  9. On the Summary screen, click Next.

  10. On the Complete screen, click Close.

Obtaining refresh tokens from ADFS

Refresh tokens are needed from ADFS to keep the login active. To set them you’d run the following from an Administrative PowerShell prompt -

Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -TokenLifetime 10
Set-AdfsProperties -SSOLifetime 20160

This would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 14 days.

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties

  • No labels