(Only for internet facing installation)

To connect to Dynamics 365 On-premise installation, user(s) need to provide -

1. Dynamics 365 On-premise base URL.

2. ADFS base URL.

3. ADFS oAuth2 client id.

(Connector is using Authorization code grant flow for connection)

Create oAuth2 client in ADFS using PowerShell commands

1. Register new client application(s) to use with Connector

You need to create separate clients for Connector add-on and Automatic sync, depends on what you are using. Use the following re-direct URI for each clients.

• Re-direct URI for G-Suite add-on - https://script.google.com/macros/d/17V0Pk2A7VTevuNUbsgXMCnfgYIvN6pblZduRWjLNoNDlw5SzIem3o0Hi/usercallback

• Re-direct URI for Outlook add-in - https://outlook.ienterprises.com/outlook/mscrm/src/taskpane/app/oauth/token.html

• Re-direct URI for Automatic sync - https://isync.ienterprises.com/oauth2client/mscrm.php

To register a new oAuth2 client, run the following from the Administrative PowerShell prompt -

Add-ADFSClient -Name "oAuth2 Client name here" -ClientId "some uid here" -RedirectUri "re-direct uri here"

** Replace “some uid“ with a client id. Use this client id in connection settings.

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfsclient

2. Grant Application permission to CRM

For Windows Server 2016 and later :-

Grant Application permission to ADFS clients with the required scope(s), by running the following from Administrative PowerShell prompt -

Grant-AdfsApplicationPermission -ClientRoleIdentifier "clientid" -ServerRoleIdentifier "Dynamics URI" -ScopeNames openid, user_impersonation

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/grant-adfsapplicationpermission

For AD FS 3.0 on Windows Server 2012 R2 :-

1. Goto ADFS Management

2. Expand ADFS > Trust Relationships > Relying Party Trusts

3. Use the Add Relying Party Trust Wizard

4. Create a Relying party manually and Permit all users to access this relying party

Obtaining refresh tokens from ADFS

Refresh tokens are needed from ADFS to keep the login active. To set them you’d run the following from an Administrative PowerShell prompt -

Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -TokenLifetime 10
Set-AdfsProperties -SSOLifetime 20160

This would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 14 days.

Microsoft doc link :

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust

https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties