Modern Authentication (Microsoft Dynamics365)
What it's about
XCALLY supports Modern Authentication for Dynamics365 Accounts.
Modern Authentication is an umbrella term for a combination of authentication and authorization methods between a client and a server. It includes:
Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication
Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
Conditional access policies: Microsoft Entra Conditional Access and Mobile Application Management (MAM)
Put very simply, with modern authentication the client talks to the service and is redirected to Microsoft Entra ID (Azure AD) for authentication, with a username and password or other methods such as MFA, instead of handing its credentials to the service itself.
How to set up
To activate the Modern Authentication for a new Dynamics365 Account on XCALLY, you need to:
A. Register an application in the Azure Portal
B. Configure a new Cloud Provider on XCALLY by choosing Microsoft Azure as a service and Dynamics365 as the type
C. Authenticate the Cloud Provider Account
D. Associate the Cloud Provider with the Dynamics365 Integration Account on XCALLY
Azure AD application registration
By registering an application in the Azure Portal, you let the Microsoft identity platform provide authentication and authorization services for your application and its users.
App Registration
Follow these steps to create the app registration:
Sign in to the Azure portal
If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application
Search for and select Microsoft Entra ID
Under Manage, select App registrations > New registration
Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform
Specify who can use the application, sometimes called its sign-in audience:

Supported account types | Description |
---|---|
Accounts in this organizational directory only | Select this option if you're building an application for use only by users (or guests) in your tenant. |
Accounts in any organizational directory | Select this option if you want users in any Microsoft Entra ID (formerly Azure AD) tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations. |
Accounts in any organizational directory and personal Microsoft accounts | Select this option to target the widest set of customers. |

For an XCALLY instance that only your own organization's users will sign in to, the first option is the right choice: the wider audiences allow accounts from other tenants to authenticate to this app.
Don't enter anything for Redirect URI (optional). You'll configure a redirect URI in the next section
Select Register to complete the initial app registration
When registration finishes, the Azure Portal displays the app registration's Overview pane. You see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform.
Your application's code, or more typically an authentication library used in your application, also uses the client ID. The ID is used as part of validating the security tokens it receives from the identity platform.
The Application (client) ID and Directory (tenant) ID values will be needed during the Cloud Provider Configuration phase.
Authentication - Redirect URI
A Redirect URI, or reply URL, is the location to which the Microsoft identity platform redirects the user's browser, carrying the authorization code, after authentication.
The authorization server sends the code or token only to a registered redirect URI, so it is important you register the correct location as part of the app registration process. The registered value must match what XCALLY sends exactly (scheme, host, port, path and trailing slash; the path is case-sensitive), and it should use https so the code is not exposed in transit.
Follow these steps to add a Redirect URI:
In the Azure Portal, under Manage, select Authentication (from the left Menu)
Under Platform configuration, select Add a platform
Under Configure platforms, select Web (listed under Web applications)
Enter the following Redirect URI:
(Replace "motionserverhost" with your motion server host value)
The Redirect URI will be needed during the Cloud Provider Configuration phase.
Credentials - Client Secret
Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.
Credentials are used by confidential client applications (apps that run on servers) that access a web API. The two types of credentials are certificates and client secrets. This guide uses a client secret; Microsoft recommends a certificate over a client secret for a higher level of assurance, since a secret is a password that can be copied if it leaks from configuration or logs.
A client secret is a secret string value your app uses to prove its identity when requesting a token. It is also referred to as an application password.
Follow these steps to add a Client Secret:
In the Azure portal, under Manage, select Certificates & secrets (from the left Menu)
Select Client secrets > New client secret
Add a description for your client secret
Select an expiration for the secret or specify a custom lifetime
Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months
Microsoft recommends that you set an expiration value of less than 12 months
Select Add
Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.
The Client secret value will be needed during the Cloud Provider Configuration phase.
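Because an expired secret is the usual reason the Dynamics365 integration stops working, here is an added example, in Python and not part of XCALLY or of Microsoft's tooling, that audits the client secrets of an app registration against the lifetime guidance above. It takes a list shaped like the passwordCredentials array Microsoft Graph returns for an application (displayName, startDateTime, endDateTime); the three entries in the block are constructed for the example, the fixed "today" makes the result reproducible, and the thresholds are assumptions chosen to match the 12-month recommendation plus a 30-day rotation window.

```python
# Added example (not XCALLY's code): classify the client secrets of an app
# registration so rotation (see the Client Secret Update section) happens in time.
# The credential entries and the "now" below are constructed, not real data.
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)   # assumption: Microsoft's "less than 12 months" advice
WARN_WINDOW = timedelta(days=30)     # assumption: rotate and update XCALLY within 30 days


def _parse(ts: str) -> datetime:
    """Graph timestamps look like 2025-01-31T10:00:00Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_secrets(password_credentials, now):
    """Return one finding per secret: name, status, days_left and lifetime_days."""
    findings = []
    for cred in password_credentials:
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        lifetime = end - start
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"            # token refresh in XCALLY fails from this point
        elif remaining <= WARN_WINDOW:
            status = "expires_soon"       # generate the new secret and update XCALLY now
        elif lifetime > MAX_LIFETIME:
            status = "lifetime_too_long"  # still valid, but exceeds the recommended maximum
        else:
            status = "ok"
        findings.append({
            "name": cred.get("displayName") or cred.get("keyId", "<unnamed>"),
            "status": status,
            "days_left": remaining.days,
            "lifetime_days": lifetime.days,
        })
    return findings


def needs_rotation(findings):
    """Names of the secrets that must be replaced (expired or about to expire)."""
    return [f["name"] for f in findings if f["status"] in ("expired", "expires_soon")]


# Constructed sample: one expired, one close to expiry, one with a two-year lifetime.
SAMPLE_CREDENTIALS = [
    {"displayName": "xcally-2024", "startDateTime": "2024-01-10T09:00:00Z",
     "endDateTime": "2025-01-10T09:00:00Z"},
    {"displayName": "xcally-2025", "startDateTime": "2025-03-01T09:00:00Z",
     "endDateTime": "2025-08-15T09:00:00Z"},
    {"displayName": "long-lived", "startDateTime": "2025-01-01T00:00:00Z",
     "endDateTime": "2027-01-01T00:00:00Z"},
]
NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)  # fixed "today" for a reproducible run

if __name__ == "__main__":
    for f in audit_secrets(SAMPLE_CREDENTIALS, NOW):
        print(f"{f['name']:<12} {f['status']:<18} days_left={f['days_left']:>5} "
              f"lifetime={f['lifetime_days']}d")
    print("rotate:", needs_rotation(audit_secrets(SAMPLE_CREDENTIALS, NOW)))
```

In practice the input list comes from the application object in Microsoft Graph (or from the Certificates & secrets page), and the script is run on a schedule so that "expires_soon" is raised while the old secret still works and the two can overlap during the update.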
API Permission
Let's see how to provide a client app registered with the Microsoft identity platform with permissions-based access to the web API and access to Microsoft Graph.
Client applications typically need to access resources in a web API. Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process. The list of configured permissions should include all the permissions the application needs.
Configure delegated permission to Microsoft Graph to enable your client application to perform operations on behalf of the logged-in user, for example reading their email or modifying their profile. By default, users of your client app are asked when they sign in to consent to the delegated permissions you've configured for it.
Select API permissions > Add a permission.
Select Delegated permissions.
Add the following permissions, listed here by the description the Azure portal shows for them. Note that the first one is exposed by the Dynamics CRM API (Add a permission > Microsoft APIs > Dynamics CRM), not by Microsoft Graph; the other two are under Microsoft Graph > OpenId permissions:

Permission (as described in the portal) | API |
---|---|
Access Common Data Service as organization users | Dynamics CRM |
Maintain access to data you have given it access to | Microsoft Graph |
Sign users in | Microsoft Graph |
Select Add permissions to complete the process.
Whenever you configure permissions, users of your app are asked at sign-in for their consent to allow your app to access the resource API on their behalf.
None of these permissions requires administrator consent, as indicated by the Admin consent required column. If your tenant's consent policy does not allow users to consent to applications, however, an administrator must grant consent for the app (Grant admin consent on the API permissions page) before the authentication step below will succeed.
Cloud Provider Configuration
To use Modern Authentication to authenticate Dynamics365 Accounts, you need to configure Microsoft Azure as service of the Cloud Provider on XCALLY.
Follow these steps to configure the Cloud Provider:
On XCALLY, under Tools, select Cloud Providers (from the left Menu)
Click on the button (on the lower right) and create a New Account
Enter the parameters of the application previously created in the Azure Portal:
Name: Enter a Name
Service: Select Microsoft Azure
Type: Select Dynamics365
Application Id: Insert the Application (client) ID value
Tenant Id: Insert the Directory (tenant) ID value
Client Secret: Insert the Client secret value
Redirect URI: Insert the Redirect URI
Remote URI: Insert your Dynamics365 tenant URL
Cloud Provider Account Authentication
When Modern Authentication is used, the Cloud Provider Account must be authenticated interactively by a user once, after which XCALLY keeps access with the tokens it obtained.
Follow these steps to authenticate the Cloud Provider:
On XCALLY, under Tools, select Cloud Providers (from the left Menu)
Select the specific Cloud Provider Account, then click on the 3 dots button
From the menu, select Authenticate
You will be redirected to the Microsoft sign-in page, where you enter your credentials (and complete MFA if your tenant requires it) and accept the permissions the app requests
XCALLY then shows a notification confirming that authentication against the Microsoft identity platform succeeded
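What the Authenticate step does under the hood, as an added example in Python that is not XCALLY's own code: the authorization-code exchange with the Microsoft identity platform v2.0 endpoints, including the checks the client must perform when the browser comes back. The tenant ID, client ID, redirect URI and scopes are constructed placeholders; `openid` and `offline_access` are the scope names behind the "Sign users in" and "Maintain access to data you have given it access to" permissions, while the Dataverse scope form used in the walk-through is an assumption, since this page does not give its name. PKCE is included because the Microsoft endpoint supports it; the page does not say whether XCALLY uses it.

```python
# Added example (not XCALLY's code): the OAuth 2.0 authorization-code exchange that
# "Authenticate" triggers, written out so each message and check can be inspected.
# Every identifier below (tenant, client ID, redirect URI, scopes) is a constructed
# placeholder; nothing here is a value from this page or from XCALLY.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTHORITY = "https://login.microsoftonline.com"  # Microsoft identity platform v2.0


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the URL the user's browser is sent to (XCALLY's redirect to Microsoft)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,     # must equal the registered Redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                   # anti-CSRF value, verified in parse_callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def query_params(url):
    """Flatten a URL's query string into a dict (first value per key)."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def parse_callback(callback_url, registered_redirect_uri, expected_state):
    """Step 2: validate the redirect back to the app and extract the authorization code."""
    parts = urlsplit(callback_url)
    landed_on = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if landed_on != registered_redirect_uri:
        raise ValueError(f"callback arrived at {landed_on}, expected {registered_redirect_uri}")
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}: {query.get('error_description', '')}")
    # Constant-time comparison: a mismatch means CSRF, a replay, or a stale session.
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("callback carries neither a code nor an error")
    return query["code"]


def callback_error(callback_url, registered_redirect_uri, expected_state):
    """Why a callback would be rejected, or None if it is acceptable."""
    try:
        parse_callback(callback_url, registered_redirect_uri, expected_state)
    except ValueError as exc:
        return str(exc)
    return None


def build_token_request(tenant_id, client_id, client_secret, redirect_uri, code, code_verifier, scopes):
    """Step 3: the server-to-server POST that redeems the code (never sent from a browser)."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,   # the confidential-client credential
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,     # repeated here; the server rejects a mismatch
        "code_verifier": code_verifier,
        "scope": " ".join(scopes),
    }
    return url, body


if __name__ == "__main__":
    # Constructed walk-through; the Dataverse scope form below is an assumption.
    tenant, client, redirect = "tenant-guid", "client-guid", "https://motion.example.com/oauth/callback"
    scopes = ["openid", "offline_access", "https://org.crm.dynamics.com/user_impersonation"]
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(tenant, client, redirect, scopes, state, challenge))
    code = parse_callback(f"{redirect}?code=AUTHCODE&state={state}", redirect, state)
    print(build_token_request(tenant, client, "client-secret", redirect, code, verifier, scopes))
```

The token POST is only built here, not sent. In the XCALLY setup it is the Motion server that performs it, which is why the Client Secret and the Redirect URI are configured on the Cloud Provider rather than in the browser, and why the secret must never appear in the authorize URL.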
Cloud Provider association with the Dynamics365 Integration Account
To use Modern Authentication for a Dynamics365 Account, you need to associate the specific Account with the Cloud Provider using Microsoft Azure.
Follow these steps to configure the Cloud Provider:
On XCALLY, under Integrations, select Dynamics365 Accounts (from the left Menu)
Click on the button (on the lower right) to create a New Dynamics365 Account
Select the Cloud Provider connection
Click on Add New Dynamics365 Account
Client Secret Update
Once generated, the Client Secret value is never displayed again neither in the Azure Portal nor on XCALLY.
To edit the Client Secret:
Generate a new Client Secret Value on the Azure Portal
Update the Client Secret Value on XCALLY:
On XCALLY, under Tools, select Cloud Providers (from the left Menu)
Select the specific Cloud Provider Account, then click on the yellow button
From the menu, select Update Client Secret
Enter the New Client Secret and then click on Save.