Information Dynamics

Category Archives: Dynamics 365 Portals

Custom Web Roles and Entity Permissions

13 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform, Uncategorized

Tags

Custom Entity Permissions, Custom Web Roles

In the previous article we looked at the out-of-the-box web roles and how they can be associated with a user. Entity Permissions allow a user to perform operations on data, depending on the scope.

In this article we will define custom web roles and entity permissions for users listed in the Contact entity.

PortalAccess9

The requirements for the highlighted users are as per the table below:

PortalAccess10

Defining Custom Web Role for Administrator and User

Navigate to Web Roles and click on New.

PortalAccess11

PortalAccess12

Once the roles are defined, add Contact records as per the requirements table.

PortalAccess13

PortalAccess14

PortalAccess15

Now that the Web Role is associated with a contact, we proceed with creating the Entity Permission. Navigate to Entity Permissions > New.

PortalAccess16

The entities chosen are Event and Event Registration, which have a 1:N relationship.

Create two entity permissions: Entity User Role Permission and Administrator User Role Permission.

PortalAccess17

PortalAccess18

PortalAccess19

PortalAccess20

 

PortalAccess21

Associate the newly created entity permission with the Management User Role.

PortalAccess22

PortalAccess23

 

PortalAccess24

 

Now associate the contact with the Web Role 

 

PortalAccess25

 

PortalAccess26

PortalAccess27

 

 

 

 

Portal Access Control

12 Wednesday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform

Tags

Entity Permissions, portal access control, Web Roles

Once a user is granted access to the Portal using either a local or an external account, permissions must be applied to the different types of resources for that user. As with conventional web portals, a Dynamics 365 CE Portal user will typically perform the following functions:

  • View/Edit data
  • Read static content and other resources like images, documents etc.

The Security section of the portal provides fine-grained control over resources and can be accessed from Power Apps portal > Settings > Site Settings.

PortalAccess1

Navigate to Site Settings

PortalAccess2

PortalAccess3

An authenticated portal user can get only as far as the home page; to proceed beyond that, the user must have Roles and Permissions in order to perform functions.

The default Web Roles available include Administrators, Anonymous Users and Authenticated Users. In this article we will look at assigning the Roles and Permissions that are available OOTB (out-of-the-box).

PortalAccess4

Noting that every portal user is a Contact record, let us proceed with assigning Roles and Permissions.

  • Select Web Role and bring up the context menu under Related > Contacts to add a Contact record

PortalAccess5

 

PortalAccess6

Once a Web Role is assigned, the next level of the security hierarchy is assigning permissions at the Entity level so that the user has access to the records. Record-level permissions are dealt with in the Entity Permissions section under Security.

PortalAccess7

PortalAccess8

In the above screenshot a new permission is defined on the Lead entity with Write and Create privileges. The privileges/actions that can be performed on Entity records include Read, Write, Create, Delete, Append and Append To. The Scope defines the boundary within which an authenticated user can perform actions on the entity; more information about scope can be found here.

With the above basic introduction to access controls, in the next article we will define custom roles and assign permissions.
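A simplified model of the role-then-permission check described above, as an added example (it is not the portal's own implementation and not code from the original post). The role names "Lead Editors" and "Lead Managers", the permission names, the contacts and the restriction to the Global and Contact scopes are assumptions made for illustration.

```python
from dataclasses import dataclass

PRIVILEGES = frozenset({"Read", "Write", "Create", "Delete", "Append", "Append To"})

@dataclass(frozen=True)
class EntityPermission:
    name: str
    entity: str
    scope: str            # this model handles only "Global" and "Contact"
    privileges: frozenset

# Constructed sample data (hypothetical role and permission names).
ROLE_PERMISSIONS = {
    "Authenticated Users": [],
    "Lead Editors": [EntityPermission("Own leads", "lead", "Contact",
                                      frozenset({"Write", "Create"}))],
    "Lead Managers": [EntityPermission("All leads", "lead", "Global", PRIVILEGES)],
}
CONTACT_ROLES = {
    "alice": ["Authenticated Users", "Lead Editors"],
    "bob": ["Authenticated Users"],
    "carol": ["Authenticated Users", "Lead Managers"],
}

def is_allowed(contact, action, entity, related_contact):
    """Default deny: allow only if some web role of the contact grants the action."""
    if action not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {action}")
    for role in CONTACT_ROLES.get(contact, []):
        for perm in ROLE_PERMISSIONS.get(role, []):
            if perm.entity != entity or action not in perm.privileges:
                continue
            if perm.scope == "Global":
                return True   # applies to every record of the entity
            if perm.scope == "Contact" and related_contact == contact:
                return True   # applies only to records tied to this contact
    return False

def global_grants():
    """Review aid: list the permissions that reach every record of an entity."""
    return sorted((role, p.entity, p.name)
                  for role, perms in ROLE_PERMISSIONS.items()
                  for p in perms if p.scope == "Global")
```

Running `global_grants()` over an export of the real configuration is a quick way to find the permissions that deserve the closest review, since Global scope is not limited by record ownership.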

Dynamics 365 CE Portal Login using Google

07 Friday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals

Tags

Google API

In the previous article we looked at how to set up a trust between the Dynamics 365 CE portal and a third-party identity provider, with Google as an example. Now we will look at registering a user who has a Google account for access to the Dynamics 365 CE portal.

Example Scenario:

Portal URL: https://spaceflight.powerappsportals.com

Google Account: girishsrini40@gmail.com

  • Access the Portal URL, click on the Register tab and select “Google” under Register using an external account.

ExternalIDP19

  • Enter the email address and note the identity provider URL in the address bar; it will point to https://accounts.google.com

ExternalIDP20

  • Once registered, a new record will be created in the Contact entity as long as the email address is unique; one of the requirements of the Dynamics 365 CE portal is that every e-mail address has to be unique. The view of the Contacts list in CRM will be as below:

ExternalIDP21

  • Fill in the other fields under Profile to complete the registration and save the information

ExternalIDP22

  • The updated profile information will be visible under Contacts in CRM

ExternalIDP23

  • The External Identities entity will map the created Contact record to the third-party identity provider “Google”

ExternalIDP24

Once the user is registered, authentication to the portal can be done through Google as the identity provider.

ExternalIDP25

ExternalIDP26

ExternalIDP27

The user will be redirected back to the portal home page.

ExternalIDP28

 

 

Portal Authentication using External Identity Provider

06 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, Dynamics 365 Portals, Power Platform, PowerApps, Uncategorized

Tags

Portal Authentication

In an earlier article we looked at aspects of Portal Authentication; the following section explains the use of third-party identity providers for Portal Authentication.

External authentication with third-party identity providers uses the OAuth 2.0 protocol to grant access. First we briefly look at the underlying concepts of OAuth 2.0.

OAuth 2.0 is a protocol that provides a user with limited access to resources on a site. Access tokens, in string format, hold the permissions granted to a user to access the resource. The access tokens are generated in JSON Web Token (JWT) format. The three parts of a JWT are:

  • Header: Containing metadata about token and cryptographic algorithm
  • Payload: Set of claims, expiration time
  • Signature: Used for token validation
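The three JWT parts listed above, taken apart and validated in a short added example (not code from the original post or from the portal). It signs with HS256 and a shared key so that it runs with the Python standard library alone; the key, claim values and the `make_token` helper are constructed for the demonstration, and a real identity provider's tokens would be checked against its published public keys instead.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT parts are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key, alg="HS256"):
    """Build a constructed sample token: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate(token, key, audience, now=None):
    """Return the claims only if header, signature, expiry and audience all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Header: pin the algorithm; never let the token pick it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Signature: recompute over the first two parts, compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Payload: trust the claims only after the signature has been verified.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims
```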

More information about OAuth 2.0 can be obtained from here. In the context of Dynamics 365 CE portals (Power Apps portals), the supported Identity Providers (IDPs) that use OAuth 2.0 are listed here.

For demonstration, the portal URL that will be used is https://spaceflight.powerappsportals.com; this is a portal provisioned on a Dynamics 365 CE instance.

Suppose we want to use Google as the third-party identity provider. At a high level, the steps are:

  • Register application
  • Obtain “Client ID” and “Client Secret” pair after registration
  • Configure Client ID and Client Secret in portal site settings to establish secure connection

Registering Application

Log on to the Google Developer Console here and create a new project.

ExternalIDP1

ExternalIDP2

ExternalIDP3

Once the project is successfully created, click on “Create Credentials” and choose OAuth client ID, as we require the “Client ID” and “Client Secret” that are to be used in the portal settings.

ExternalIDP4

You will be prompted to set a product name on the consent screen.

ExternalIDP6

ExternalIDP7

In the OAuth consent screen, enter the application details.

ExternalIDP8

After the OAuth consent details are set (this step is similar to setting up an ADFS Relying Party Trust), select Application Type > Web application.

ExternalIDP9

At this stage the Client ID and Client Secret will be generated.

ExternalIDP10

The above two can always be retrieved from:

ExternalIDP11

ExternalIDP12

There is an option to download the settings as a JSON file.

With the preceding steps we have essentially set up our portal as a Relying Party and obtained the Client ID and Client Secret that were generated; these now need to be referenced in the Portal settings.

ExternalIDP13

ExternalIDP14

The existing OAuth 2.0 providers will be listed as below.

ExternalIDP15

For Google to be used as the identity provider, add the following OpenIdConnect settings; more information can be found here.

ExternalIDP16

As a final step, restart the portal from the PowerApps Portals admin center.

ExternalIDP17

 

Once the restart is complete, accessing the portal should display Google as the external identity provider.

ExternalIDP18

In the next article we will register an external user and log in to the portal using Google as the identity provider.

Portal Authentication

02 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform

Tags

Authentication

Dynamics 365 CE portal users can be anonymous users, customers/partners or admin users with varying access permissions, and the types of resources accessed include content and data.

Anonymous Users: Should be given a minimal amount of access.

Customers/Partners: Should be able to log on and modify the data.

Admin Users: Have access to information to enable the decision-making process.

Two modes of authentication are supported for the Dynamics 365 portal:

  • Local Authentication: Implemented using the forms-based authentication (FBA) model; the user will be a Contact record in the Dynamics 365 CE instance
  • External Authentication: Uses the ASP.NET Identity API model; authentication is performed using a third-party IDP (identity provider), for example Azure AD, Google etc.

Authentication using System User:

A system user who has access to the Dynamics 365 CE instance organization will be an Azure AD user.

Example scenario:

Portal URL https://spaceflight.powerappsportal.com

Login User: girishs@idyconsulting.onmicrosoft.com

PortalAuth1

Click on Azure AD and log on.

PortalAuth2

It should now redirect to the home page.

PortalAuth3

Authentication using Local Account (Contact Record):

  • Go to the portal URL https://spaceflight.powerappsportal.com and register a user

PortalAuth4

Note: Email has to be unique for every registered user. Once successfully registered, the user will appear as a contact in CRM.

PortalAuth5

The password entered during registration is stored as a hash, which can be viewed using Advanced Find.

PortalAuth6

The following solutions must be present in the Dynamics 365 CE Instance/Org for portal authentication to work; by default they are installed once the portal is provisioned.

PortalAuth7
