Use Azure App Passwords for MFA enabled D365 authentication from Console App

If you have a Console App that authenticates to D365 using a credential (typically, an Administrator's) and that administrator is now set up for Multi-Factor Authentication, your Console App won’t work. So here’s what you can do.

If you first want to read about enabling Multi-Factor Authentication, you can check my blog post on it here – Office 365 Admin: Quickly Enable Multi-factor authentication for users

Standard Authentication vs MFA enabled User

When MFA is not enabled for the Dynamics 365 (Office 365) account credentials, you are able to connect to the organization with no issues and get the CrmServiceClient in your application easily.

But if you have Multi-Factor Authentication enabled for a credential that is used in Console Apps to connect to D365, the Console App will not connect and the CrmServiceClient will have null, with the error ‘Unable to Login to Dynamics CRM’.

Managing App Passwords on Azure Portal

Once you have multi-factor authentication enabled for your account, you can go to portal.azure.com and manage App Passwords as follows –

  1. In Azure Portal, go to your account settings.
  2. Then, go to Additional security verification
  3. Look for App Passwords
  4. You can manage and create more passwords here
  5. Create a password if you don’t want to use a default one or want to use different passwords for different apps. Give it a suitable name and click Next
  6. Copy the password as it is the only time it will be displayed.
  7. And you can see your passwords as you create them

Implementing App Passwords in Console App

As the name suggests, App Passwords let you create special passwords for applications to authenticate to Dynamics 365 without needing to go through multi-factor authentication, for example when you’re running a Console App to connect to Dynamics 365.

  1. Go to the Password in the credentials in the App.Config of the Console Application
  2. And replace it with the App Password
  3. Now, Build the application and run it. It will authenticate successfully.
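
The steps above, as an added example that is not code from the original post: a minimal console app that builds the connection string and checks whether the login succeeded. The connection string name `D365`, the environment variable `D365_APP_PASSWORD` and the contoso values are assumptions; reading the App Password from the environment rather than App.config goes slightly beyond the post's steps.

```csharp
using System;
using System.Configuration;
using System.Data.Common;
using Microsoft.Xrm.Tooling.Connector;

class Program
{
    static int Main()
    {
        // Assumed App.config connection string named "D365" (placeholder values):
        //   AuthType=Office365;Url=https://contoso.crm.dynamics.com;Username=admin@contoso.onmicrosoft.com
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings["D365"];
        if (entry == null)
        {
            Console.Error.WriteLine("Connection string 'D365' not found in App.config.");
            return 2;
        }

        var builder = new DbConnectionStringBuilder { ConnectionString = entry.ConnectionString };

        // Prefer the App Password from an environment variable (assumed name) so the
        // secret is not stored with App.config; otherwise use the Password from config.
        string appPassword = Environment.GetEnvironmentVariable("D365_APP_PASSWORD");
        if (!string.IsNullOrEmpty(appPassword))
        {
            builder["Password"] = appPassword;
        }
        else if (!builder.ContainsKey("Password"))
        {
            Console.Error.WriteLine("No App Password supplied.");
            return 2;
        }

        using (var service = new CrmServiceClient(builder.ConnectionString))
        {
            // With the MFA-enabled user's normal password the client never becomes
            // ready and LastCrmError carries the login failure.
            if (!service.IsReady)
            {
                Console.Error.WriteLine("Login failed: " + service.LastCrmError);
                return 1;
            }
            Console.WriteLine("Connected to " + service.ConnectedOrgFriendlyName);
            return 0;
        }
    }
}
```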

Hope this helps! 🙂

 


Restrict User Access to a D365 instance using Security Groups

Use Case

You have multiple instances and you don’t want every member with a D365 license to be able to access each of those environments. How do you tackle this? The answer is to use Security Groups on the Environments and Users.

Creating Security Group

In Office 365, create a Security Group and add members to it who should have access to the desired environment.

  1. Navigate to Groups in Office 365 and create a New Group. Give it a suitable name.
  2. Add members to the Group who should have access. Click on Edit to add members to the group, select the members and save it.
  3. Your Security Group is ready.

Apply Security Group to the D365 instance

  1. Navigate to Dynamics 365 Admin Center and select Edit on the instance you want to apply the Security Group on.
  2. Select the Security Group field and select the Security Group you created.
  3. Click Next.
  4. Save once confirmed that you have selected the correct Security Group.
    That’s it.

Who all can access the environment

All those who are part of the Security Group applied to the instance will have access to the environment, including the Global Administrator.

The rest of the users will be in the Disabled Users list.

And if they try to access the environment, they will not be able to and will see an access denied message.

Hope that was easy! 🙂

D365 Quick Tip: Audit User Access in D365 v9 CE

One of the most common asks as an administrator is to know when the user started accessing the system and from where.

In your Dynamics 365 Customer Engagement apps, you can enable Auditing for User Access.

Enable Auditing of User Access

You need to enable this feature once you enable Auditing at the Organization level. Then, you can enable User Access Auditing as well.

Navigate to Settings > Administration > System Settings and open the Auditing tab

OR

Settings > Auditing > Global Audit Settings

Once the Auditing for User Access has started, the Audit Summary will record that User Access auditing was started.

And whenever a User logs into Dynamics 365 via the Web Application, Phone app or Web Services that provide authentication, an audit record will be logged.

The Operation will be Access and the Event will be User Access via Web or User Access via Web Services.

If you want to strengthen user login, you can quickly enable Multi-Factor Authentication for the users. Read my blog on MFA here – Office 365 Admin: Quickly Enable Multi-factor authentication for users

Hope this quick tip helps. 🙂

Use Learning Path for your D365 v9.x Organization – Part 1 | Setup

Learning Path is an intuitive feature as compared to Customized Help. Customized Help will take you to an entirely different section, whereas Learning Path will guide you through the application as you use the system. This is a multi-part blog series which will walk through the setup of Learning Path and the use of Guided Task and Sidebar in Learning Path.

Also, if you’ve already set up Learning Path on your org, you can read my post on using Sidebars in Learning Path – Use Learning Path Learning Path for your D365 v9.x Organization – Part 2 | Sidebar

And Guided Tasks is here – Use Learning Path for your D365 v9.x Organization – Part 3 | Guided Tasks

Learning Path is available on Customer Engagement and the organization must be on D365 December 2016 Update or later.

Let’s look at how you can enable this for your Organization

Opt-In for Learning Path

  1. The first step is to go to Settings > Administration > System Settings. Under the General tab, find ‘Enable Learning Path’ and ‘Enable Learning Path Authoring’. Make sure ‘Use custom Help for customizable entities’ is set to No.
  2. When you choose to enable Authoring, you will be asked to confirm your consent according to Microsoft policies.

Learning Path Authoring Group

  1. When you’ve opted in for Learning Path Authoring, go to Training > Content Library under Learning Path in your navigation.
  2. But you’ll be greeted with an error message because you’ve not yet been added to the Group in Office 365.

Add to Learning Path Authoring Group in O365

  1. In your Office 365 Admin Center, navigate to Groups.
  2. Add the Sys Admin user to the Learning Path Author groups.

Sync Roles in Content Library

When you’ve enabled Learning Path successfully, you will need to check which Security Roles are enabled in Learning Path designer. The content is shown to users based on the precedence of their security roles.

  1. Navigate to Content Library. You’ll find the Configuration button on top.
  2. Under configuration, you’ll see the Sync Role button, which will sync security roles with Customer Engagement security roles. You can set the precedence of your Security Roles before you Sync Roles.
  3. Click Yes to confirm. It takes a few minutes while it’s happening in the back end.
  4. Upon completion, you’ll see a confirmation message and you know you’re done.
  5. Once everything is set up, you’ll be ready to use Guided Task and Sidebar in Learning Path, which I’ll be covering in further blog posts in this series.

Here’s Part 2 – Use Learning Path Learning Path for your D365 v9.x Organization – Part 2 | Sidebar

And Part 3 – Use Learning Path for your D365 v9.x Organization – Part 3 | Guided Tasks

Office 365 Admin: Quickly Enable Multi-factor authentication for users

Here’s your guide to quickly set up multi-factor authentication for an Office 365 user.

Manage Multi-Factor authentication

  1. Multi-factor authentication can be managed for O365 under Services and add-ins. If you are an O365 Administrator, find the Services there.
  2. You can find this service called ‘Azure multi-factor authentication’. Select it.
  3. Open it and click on Manage multi-factor authentication. Also, I recommend you go through ‘Learn more about Azure multi-factor authentication’ for licensing details before you proceed. Please go through this link: https://docs.microsoft.com/en-gb/azure/active-directory/authentication/concept-mfa-howitworks
  4. You’ll see a list of users who can be enabled for multi-factor authentication. In this example, I’ll select myself – Priyesh Wagh to enable my multi-factor authentication.
  5. You can either enable it directly for the user or invite them to register from the link provided.
  6. And that’s it. Multi-factor authentication is enabled for the user.

Setting up MFA for the user

  1. When the user then logs into the system, they will be prompted to enter additional login information to set up MFA.
  2. I will be asked to enter the phone number and select the preference of either phone call or text message.
  3. And you can proceed with your selected preference of text message or phone call. I’ve selected phone call in this case.
  4. And finally, it will be set up.

Logging In

  1. As usual, when you log in, you’ll be asked to enter your password.
  2. After that, 2-step authentication will take place. As I had selected Phone Call, the system will make a call to my phone and I’ll follow the instructions as asked (asked to press the # key to confirm).
  3. Or, alternatively, it can ask you to enter the code received on your phone in a text message.

That’s it. This is the simplest way to get started with MFA. Furthermore, you can have the users create App Passwords, enter contact methods and so on, among other features.

Hope that was easy!