Azure guest accounts in CDS/Dyn365

Azure Active Directory (AAD) has a feature that allows users of foreign tenants to be granted access to the current tenant. In other words, if you are running contoso.com and a user of northwind.com would like to have access, you can add this user as a guest account in Azure. However, I have found that giving this user access to Dynamics is not fully straightforward, although it is far from rocket science. In this article I will show how this is done.

Do note that I have heard from people in the product team that there are features of the Power Platform that cannot currently be accessed using a guest account; I think it was Canvas Apps and Flow. I will have to try this out and get back to you (or someone else could! – I would appreciate a link back to this article) in a later article. I also think that they are working on this.

On a high level, what we need to do is:

  1. Add user in AAD
  2. Grant License
  3. Wait for the user to pop up in CDS/Dynamics
  4. Assign a security role in CDS/Dynamics

To start with, we need to go to the Azure Portal: https://portal.azure.com – and click on the AAD menu item on the left.

 

 

Browse to portal.azure.com -> click Azure Active Directory (AAD) -> Click Users

Click “New guest user”

Enter the email address of the user, and perhaps some nice personal email message showing you are not some evil spammer!

Then go to portal.office.com and you will now be able to see the new guest user in here.

Select the guest user and click “Edit product licenses” – Note, I have not been able to set licenses directly by opening the user, only this way.

Assign the license required, P2 or Dynamics Customer Engagement App or Plan – in the example above, a Dyn365CE Plan 1 (trial)

After you have assigned the guest user a license, you have to wait a while until the asynchronous service in O365 provisions the user in the CDS. This often is rather quick, but sometimes takes more time. When I was making this, it took more than 15 minutes.

To find the user in CDS/Dyn365 go to Settings and click on Security. (Old UI)

And then click on “Users” in the Security area.

This is what a guest user looks like in Dynamics 365/CDS. It has a # sign in front of it. As you can see, I have another one with my name previously created.

The last thing that has to be done is to grant the guest user the correct role.

After this, just give the user the direct URL to the system and they should be able to log in with their normal user account.

This is a very useful method when setting up trials for someone, as they do not have to sign in with another account to access the system. I strongly recommend it.

As mentioned in the beginning of this article, there might still be some issues with using canvas apps and Flow using guest users, so do be aware that not all features could be available.
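Once guests have been licensed and given roles this way, it is worth reviewing them periodically. The following is an added example, not part of the original article: it assumes the usual Azure AD guest UPN form `name_domain#EXT#@tenant`, and the user records, trusted domain and role names are constructed sample data.

```python
from dataclasses import dataclass, field

EXT_MARKER = "#EXT#"  # marker Azure AD places in the UPN of an invited guest

@dataclass
class DirectoryUser:
    upn: str
    user_type: str                                  # "Member" or "Guest"
    licenses: list = field(default_factory=list)
    cds_roles: list = field(default_factory=list)   # security roles in CDS/Dynamics

def home_domain(upn):
    """Recover the guest's home domain from 'name_domain#EXT#@tenant'."""
    if EXT_MARKER not in upn:
        return None
    local = upn.split(EXT_MARKER, 1)[0]       # e.g. 'anna_northwind.com'
    if "_" not in local:
        return None
    return local.rsplit("_", 1)[1].lower()    # the '@' of the home address became the last '_'

def review_guests(users, trusted_domains, privileged_roles):
    """Return (upn, finding) pairs for guest accounts that need a second look."""
    findings = []
    for u in users:
        if u.user_type != "Guest":
            continue
        domain = home_domain(u.upn)
        if domain not in trusted_domains:
            findings.append((u.upn, f"unexpected home domain: {domain}"))
        if u.licenses and not u.cds_roles:
            findings.append((u.upn, "licensed but no security role assigned"))
        for role in u.cds_roles:
            if role in privileged_roles:
                findings.append((u.upn, f"guest holds privileged role: {role}"))
    return findings

# Constructed sample data, not a real tenant export
SAMPLE_USERS = [
    DirectoryUser("gustaf@contoso.com", "Member", ["Dyn365CE Plan 1"], ["System Administrator"]),
    DirectoryUser("anna_northwind.com#EXT#@contoso.onmicrosoft.com", "Guest",
                  ["Dyn365CE Plan 1"], ["Salesperson"]),
    DirectoryUser("bo_b_example.org#EXT#@contoso.onmicrosoft.com", "Guest",
                  ["Dyn365CE Plan 1"], ["System Administrator"]),
    DirectoryUser("cia_northwind.com#EXT#@contoso.onmicrosoft.com", "Guest",
                  ["Dyn365CE Plan 1"], []),
]

if __name__ == "__main__":
    for upn, finding in review_guests(SAMPLE_USERS, {"northwind.com"}, {"System Administrator"}):
        print(upn, "->", finding)
```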

 

Hybrid NTLM Server Side Sync and Exchange 2013 Cert secrets

Server Side Sync is a technology for connecting Dynamics 365 CE to an Exchange server. When connecting Dynamics 365 Online to an on-premises Exchange, there are some requirements that need to be met. These can be found here: https://technet.microsoft.com/sv-se/library/mt622059.aspx

However, I just had a meeting with Microsoft and based on the version shown 2018-09-05, they have now added some new features that they haven’t had time to get into the documentation yet.

One of the most interesting parts of the integration is that it requires Basic Authentication for EWS (Exchange Web Services). Of the three types of authentication available, Kerberos, NTLM and Basic, Basic Authentication is, as the name might hint, the least secure. Hence it is also not very well liked by many Exchange admins and may be a blocker for enabling Server Side Sync in Dynamics 365.

In the meeting I just had with Microsoft, they mentioned that they now support NTLM as well! That is great news as that will enable more organizations to enable Server Side Sync.

There is still a requirement to use a user with Application Impersonation rights, which might be an issue as that can be viewed as having too high rights within the Exchange server. For this there is currently no good alternative solution. I guess making sure that the Dynamics Admins are trustworthy and knowing that the password is encrypted in Dynamics might ease some of that. But if the impersonation user is compromised, then a haxxor with the right tool or dev skills could compromise the entire Exchange server.

Microsoft also mentioned another common issue that can arise with the Outlook App when using SSS and hybrid connection to an Exchange 2013 onprem. It will show a quick alert saying “Can’t connect to Exchange” but it will be able to load the entire Dynamics parts.

According to Microsoft, this might be caused by the fact that Exchange 2013 doesn’t automatically create a self-signed certificate that it can use for communication. Hence this has to be done manually.

This can be fixed by first creating a self-signed certificate and then modifying the authorization configuration using the instructions found here. Lastly, publish the certificate. It can also be a good idea to check that the certificate is still valid and hasn’t expired.

I will see if I can create a more detailed instruction on this later.

Gustaf Westerlund
MVP, Founder and Principal Consultant at CRM-konsulterna AB
www.crmkonsulterna.se

US Judge orders MSFT to hand over data stored in the EU

As I have previously discussed (on Software Advice in this article) the US laws regarding the rights for the US legal authorities to order US owned companies to hand over data is very strong. Hence, if one has sensitive data that might be of interest to any government agencies in the US, one should think once or twice about storing it in a data center owned by a US company (like Salesforce.com, Amazon, Microsoft, Google etc.).

A recent case in New York has shown that this is not only theory but very much practice. This case concerns an email account, probably on outlook.com; however, the difference to SalesForce.com or CRM Online is purely academic.

On the positive side, Microsoft are fighting back trying to protect their customer, something I am very happy about. I do hope they do this for all customers.

The other direct positive side to this, of course, is that Microsoft CRM can be acquired from other sources than companies based in the USA. For instance, a standard CRM on-premise installation, or a partner-hosted installation, of which there are many service providers, like Midpoint and my own company CRM-Konsulterna in Sweden. SalesForce.com, on the other hand, does not have this option, so if you have sensitive data, be careful, it might be ordered into the wrong hands.

Gustaf Westerlund
MVP, CEO and owner at CRM-konsulterna AB
www.crmkonsulterna.se

Snowden, Prism and if there is anything new under the sun

If you have been reading my blogs previously you might have noticed that I have several times (More on the insecurity of data; External posting on if your cloud system is safe from the law) written about the fact that I think that many companies are viewing clouding a bit too lightly, especially from the legal perspective that many countries' governments perceive themselves as having the rights to your data if the data either resides in that country, travels through that country or is owned by a company in that country.

From this perspective, I must conclude that the Snowden case is not very surprising. It merely confirms what I expected to be true all the time, and I would say that anybody being surprised is rather showing exceptional naivety towards our governments.

Hence I would just again remind you that if you have sensitive data, beware of all the threats to the data. There are hackers, lawyers, FBI agents, and XYZ-agents, and you have to assess the interest of all potential parties in your data. Then understand and handle the risk in a controlled manner.

Gustaf Westerlund
MVP, CEO and owner at CRM-konsulterna AB
www.crmkonsulterna.se

Customer databases and Wikileaks

The latest news concerning Wikileaks has some very important implications for CRM systems, or xRM systems in general for that matter. How do you set the system up to avoid large information losses? There are some general things to be taken into consideration and some specifics for Microsoft Dynamics CRM.

For many companies, the list of customers, cases, interesting leads and business opportunities is among the most critical information the company has. If it gets into the wrong hands, the effects can be anything from embarrassing to fatal. The latest weeks' news concerning Wikileaks has put this risk into some new light, and it is a good time for companies to really put the right focus on this and handle the problem before it is too late. A competent CRM system like Microsoft Dynamics CRM can, if security issues have not been properly addressed, be a great tool to very quickly export a lot of very business-critical information.

There are some general tips that you really should address:

– How critical is the data? Which data is the most critical? Try to focus on the most important data instead of trying to set up fine-meshed security to cover all data. This will give you a bigger bang for the buck and also get the changes up and running quickly. Remember that chains often break at the weakest link, so focus on this link first.

– What legal aspects of the data do you have? Do all employees sign non-disclosure agreements, and do they understand the severity of actually taking along some data to a competitor? In reality it is very hard to drive legal actions based on this, but making sure all employees have understood the severity will act proactively to reduce the risk.

– Who can access the data? Usually not only the employees; IT consultants, CRM and ERP consultants, and other contracted people might also have access. Trying to reduce the number of contractors, and signing company-global NDAs with contractors, is usually a good idea.
 
– Where is the data stored? In these cloud computing times, this is not always a simple question. Data might be stored in a country with very rigid anti-terrorist or anti-piracy laws allowing government or other agencies to demand access to the data. If these government agencies judge it to be in their country's best interest to send this information forward, this might also be done. Might sound a bit paranoid, but security policy is more about being paranoid than being naive. I would recommend hosting the system yourself or at a local partner. Preferably a partner of similar size to your own company since this will give you the same amount of flexibility and bureaucracy. This local partner will also be under the same national laws as your own company and have a more intimate relationship with your business than a huge corporation with a global hosting service.
 
– What is the weak link in the handling of data? It does not really matter if the CRM system in the cloud has astronomical encryption in the database and data transfers, if the people using the system have the same password in the CRM system as they have in all other online services like Facebook or Hotmail. Numerous examples have shown that people do share passwords between sites, and that cracking one site usually unlocks a lot more. An example can be a person using the same password for their local childcare portal as they do for the CRM at the global company they work for. The simple childcare portal might be easily hacked with normal methods like SQL injection, and the passwords obtained from this can then be used to access the global company CRM.
 
There are still more general principles to follow. I will not list them all here; if you have any you find particularly important, please leave a comment!
 
So, how do we handle this in Microsoft Dynamics CRM? There are several techniques that can be used, but it is a constant battle between giving your users the power to really work with the data and making sure that the data is safe. Below are some of the more common ways of handling this:
 
– Security Roles and business units. The basic security architecture of Microsoft Dynamics CRM is really versatile and has very good support for separating users and data into different business units and then setting user roles to restrict access based on these business units. For instance, a team of telesales personnel with a very high turnover of employees can be set to only have read and write access to their own customers and opportunities, and their team manager has the task of delegating the ownership of leads or opportunities to them. By using different roles, the senior sales team can on the other hand have access to all customers and business opportunities in the system. If a good separation of data can be done based on business units and security roles, this is a very good method since it is easy to set up and change, and still has very deep functionality in Dynamics CRM, going all the way down to the Filtered Views in the Dynamics CRM SQL database.

– Disabling Excel export. Probably the most risky function in Dynamics CRM with regard to data theft by employees is the Excel button. It can export any data the user has access to. There is a flag in the security roles where this function can be switched off. It should be switched off for all but power users, analysts and management.

– Limiting Excel export size. There is a way of manipulating the Dynamics CRM database to only allow a certain number of rows in an Excel export. As I have understood it, it is really a way of easing the load on the server and not really meant as a means of protecting data. It can only be set system-wide, which will limit the use of Excel for all users. You can read more about it in this blog entry; have a look in the comments, since they tell you how to set this for CRM 4. http://ronaldlemmen.blogspot.com/2006/11/maximum-amount-of-records-in-excel.html

– Custom Plugin code. Writing code that uses more complex functionality and filters the data can also be used. It needs to trigger on the Retrieve, RetrieveMultiple and Execute methods. This is of course the most versatile method. Even though it can be used to filter data that is accessed from the Dynamics CRM GUI, it does not affect the Filtered Views in the database, so it is not a 100% solution but will work in most cases.

– Unsupported customizations. There is of course the dark side of customizations as well: by rewriting the database with new stored procedures and views, and by modifying the existing CRM functionality, very deep changes can be made. This is not something I recommend since it will usually require deep reverse engineering and will seriously affect the upgradability of the Dynamics CRM system.
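To make the interplay between business units, security roles and the Excel export flag concrete, here is a simplified model of the first two measures above. It is an added example, not Dynamics CRM code and not from the original article; the users, business units and records are constructed, and the four depths mirror the User / Business Unit / Parent: Child / Organization access levels of a security role.

```python
from dataclasses import dataclass
from enum import IntEnum

class Depth(IntEnum):
    USER = 1            # only records the user owns
    BUSINESS_UNIT = 2   # records owned in the user's own business unit
    PARENT_CHILD = 3    # own business unit plus all units below it
    ORGANIZATION = 4    # every record in the system

@dataclass(frozen=True)
class User:
    name: str
    unit: str
    read: Depth             # read depth granted by the user's security role
    export_to_excel: bool   # the role's Excel export flag

# Constructed hierarchy: business unit -> parent business unit
PARENT = {"Telesales": "Sales", "Senior Sales": "Sales", "Sales": None, "Finance": None}

def is_within(unit, ancestor):
    """True if `unit` is `ancestor` or sits below it in the hierarchy."""
    while unit is not None:
        if unit == ancestor:
            return True
        unit = PARENT.get(unit)
    return False

def readable(user, records):
    """Names of the records (name, owner, owner_unit) the user's role lets them read."""
    visible = []
    for name, owner, owner_unit in records:
        if (user.read == Depth.ORGANIZATION
                or (user.read == Depth.PARENT_CHILD and is_within(owner_unit, user.unit))
                or (user.read == Depth.BUSINESS_UNIT and owner_unit == user.unit)
                or (user.read == Depth.USER and owner == user.name)):
            visible.append(name)
    return visible

def exportable(user, records):
    """What the Excel button can take out: all readable rows, or none if the flag is off."""
    return readable(user, records) if user.export_to_excel else []

RECORDS = [("Acme", "tina", "Telesales"), ("Birch", "tom", "Telesales"),
           ("Cedar", "sven", "Senior Sales"), ("Delta", "fia", "Finance")]
TINA = User("tina", "Telesales", Depth.USER, False)           # telesales agent
MIA = User("mia", "Telesales", Depth.BUSINESS_UNIT, False)    # team manager
SVEN = User("sven", "Senior Sales", Depth.ORGANIZATION, False)
ANA = User("ana", "Sales", Depth.PARENT_CHILD, True)          # analyst

if __name__ == "__main__":
    for u in (TINA, MIA, SVEN, ANA):
        print(u.name, "reads", readable(u, RECORDS), "exports", exportable(u, RECORDS))
```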

This is a complex area and I would be happy to discuss it with you. Please leave a comment with your views on the subject. All comments are moderated to avoid spam.

Gustaf Westerlund
CEO, Chief Architect and co-Founder at CRM-konsulterna AB

http://www.crmkonsulterna.se/