Information Dynamics

Category Archives: Power Platform

Custom Web Roles and Entity Permissions

13 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform, Uncategorized

Tags

Custom Entity Permissions, Custom Web Roles

In the previous article we looked at the out-of-the-box roles available and how they can be associated with a user. Entity Permissions allow a user to perform operations on the data depending on the scope.

In this article we will define custom web roles and entity permissions for the users listed in the Contact entity.

PortalAccess9

The requirements for the highlighted users are defined in the table below:

PortalAccess10

Defining Custom Web Role for Administrator and User

Navigate to Web Roles and click on New

PortalAccess11

PortalAccess12

Once the roles are defined, add Contact records as per the requirements table.

PortalAccess13

PortalAccess14

PortalAccess15

Now that the Web Role is associated with a contact, we proceed with creating the Entity Permission. Navigate to Entity Permissions > New

PortalAccess16

The entities chosen are Event and Event Registration, which have a 1:N relationship.

Create two entity permissions: Entity User Role Permission and Administrator User Role Permission

PortalAccess17

PortalAccess18

PortalAccess19

PortalAccess20

PortalAccess21

Associate the newly created entity permission with the Management User Role

PortalAccess22

PortalAccess23

PortalAccess24

Now associate the contact with the Web Role 

PortalAccess25

PortalAccess26

PortalAccess27

Portal Access Control

12 Wednesday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform

Tags

Entity Permissions, portal access control, Web Roles

Once a user is granted access to the Portal using either a local or an external account, permissions must be applied to different types of resources for the user. Similar to conventional web portals, a Dynamics 365 CE Portal user will typically perform the following function(s):

  • View/Edit data
  • Read static content and other resources like images, documents etc.

The Security section of the portal provides options for fine-grained control over resources and can be accessed from Power Apps portal > Settings > Site Settings.

PortalAccess1

Navigate to Site Settings

PortalAccess2

PortalAccess3

An authenticated portal user can get only as far as seeing the home page; to proceed beyond that, the user must have Roles and Permissions in order to perform functions.

The default Web Roles available include Administrators, Anonymous Users and Authenticated Users. In this article we will look at how to assign the Roles and Permissions that are available OOTB (out-of-the-box).

PortalAccess4

Noting that every portal user is a Contact record, let us proceed with assigning Roles and Permissions.

  • Select Web Role and bring up the context menu under Related > Contacts to add a Contact record

PortalAccess5

PortalAccess6

Once a Web Role is assigned, the next level of the security hierarchy is assigning permissions at the Entity level so that the user has access to the records. Record-level permissions are dealt with in the Entity Permissions section under Security.

PortalAccess7

PortalAccess8

In the above screenshot a new permission is defined on the Lead entity with Write and Create permissions. The privileges/actions that can be performed on Entity records include Read, Write, Create, Delete, Append and Append To. The Scope defines the boundary within which an authenticated user can perform actions on the entity; more information about scope can be found here.

With the above basic introduction to access controls, in the next article we will define custom roles and assign permissions.

Legacy Settings Power platform Admin

09 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, Power Platform

Tags

Legacy Settings, Solution Import

I was hoping to import a solution into Dynamics 365 CE online instance by easily navigating to Settings > Solutions > Import Solution, very easily done in On-premise. Turns out with all things being centralized in Power Platform Admin portal it took a while to figure out where to find the UI to do the solution import/export, and the screenshots I present here are a guide and will change as Dynamics 365 CE Online platform keeps evolving.

  • Logged onto office portal

ImportSolution1

  • Click on Dynamics 365 as highlighted; this should bring up the following home page

ImportSolution2

  • Click on Dynamics 365 -custom and it should take you to the Organization/Instance home page. Settings > Advanced Settings menu option now takes us to the Power Platform admin center home page

ImportSolution3

ImportSolution4

Resources > All legacy settings will bring up the UI that we are traditionally used to in performing tasks on CRM solutions.

Portal Authentication using External Identity Provider

06 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, Dynamics 365 Portals, Power Platform, PowerApps, Uncategorized

Tags

Portal Authentication

In the previous article we looked at aspects of Portal Authentication; the following section explains the use of third-party identity providers for Portal Authentication.

External authentication using third-party identity providers uses the OAuth 2.0 protocol to grant access. First we briefly look at the underlying concepts of OAuth 2.0.

OAuth 2.0 is a protocol that provides a user with limited access to resources on a site. Access tokens, in string format, hold the permissions granted to a user to access the resource. The access tokens are generated in JSON Web Token (JWT) format; the three parts of a JWT are:

  • Header: Containing metadata about token and cryptographic algorithm
  • Payload: Set of claims, expiration time
  • Signature: Used for token validation
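The three-part structure listed above, as an added example that is not part of the original post: the Python below issues a sample token and then validates it the way a relying party would, checking the header's algorithm, the signature, and the audience and expiry claims. It assumes an HS256 (shared-secret HMAC) signature to stay self-contained; the secret, audience and claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample values; a real provider issues its own keys and claims.
SECRET = b"constructed-demo-secret"
AUDIENCE = "constructed-client-id"
CLAIMS = {"sub": "contact-001", "aud": AUDIENCE, "exp": 1_700_003_600}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a sample token: base64url(header).base64url(payload).signature."""
    head = b64url_encode(json.dumps(header).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url_encode(_mac(signing_input, secret))}"

def validate(token: str, secret: bytes, audience: str, now: float) -> dict:
    """Return the claims only if the token is well formed, authentic and current."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # Pin the algorithm on the verifier side; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Check the signature before trusting anything in the payload.
    if not hmac.compare_digest(_mac(f"{head}.{body}", secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
```

The header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read the claims; the signature is what stops them from being altered.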

More information about OAuth 2.0 can be obtained from here. In the context of Dynamics 365 CE portals (Power Apps portals), the supported Identity Providers (IdPs) that use OAuth 2.0 are listed here.

For demonstration, the portal URL that will be used is https://spaceflight.powerappsportals.com; this is a portal provisioned on a Dynamics 365 CE instance.

Suppose we want to use Google as the third-party identity provider. At a high level the steps are:

  • Register application
  • Obtain “Client ID” and “Client Secret” pair after registration
  • Configure Client ID and Client Secret in portal site settings to establish secure connection

Registering Application

Log on to the Google Developer Console here and create a new project

ExternalIDP1

ExternalIDP2

ExternalIDP3

Once the project is successfully created, click on “Create Credentials” and choose OAuth client ID, as we require the “Client ID” and “Client Secret” that are to be used in the portal settings

ExternalIDP4

You will be prompted to set a product name on consent screen

ExternalIDP6

ExternalIDP7

In the OAuth consent screen enter the application details

ExternalIDP8

After OAuth consent details are set (this step is kind of similar to what one would do while setting up ADFS Relying Party Trust) select Application Type > Web application

ExternalIDP9

At this stage Client ID and Client Secret will be generated

ExternalIDP10

The above two can always be retrieved from:

ExternalIDP11

ExternalIDP12

There is an option to download the settings as a JSON file.

After the preceding steps we have essentially set up our portal as a Relying Party and obtained the Client ID and Client Secret that OAuth 2.0 generates; these now need to be referenced in the Portal settings.

ExternalIDP13

ExternalIDP14

The existing OAuth 2.0 providers will be listed as per below

ExternalIDP15

For Google to be used as the identity provider, add the following OpenIdConnect settings; more information can be found here

ExternalIDP16

As a final step, restart the portal from the PowerApps Portals admin center

ExternalIDP17

Once the restart is complete, accessing the portal should display Google as the external identity provider

ExternalIDP18

In the next article we will register an external user and log in to the portal using Google as the identity provider.

Portal Authentication

02 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform

Tags

Authentication

Dynamics 365 CE portal users can be anonymous users, customers/partners or admin users, with varying access permissions; the types of resources accessed include content and data.

Anonymous Users: Should be given minimal amount of access.

Customers/Partners: Should be able to logon and modify the data

Admin Users: Have access to information to enable decision-making process.

Two modes of authentication are supported for Dynamics 365 portals:

  • Local Authentication: Implemented using forms based authentication (FBA) model and the user will be a Contact record in Dynamics 365 CE instance
  • External Authentication: Uses ASP.NET Identity API model and authentication is performed using third-party IDP (Identity provider) for example Azure AD, Google etc.

Authentication using System User:

A system user having access to Dynamics 365 CE instance organization will be an Azure AD user.

Example scenario:

Portal URL https://spaceflight.powerappsportal.com

Login User: girishs@idyconsulting.onmicrosoft.com

PortalAuth1

Click on Azure AD and logon

PortalAuth2

It should now redirect to the home page

PortalAuth3

Authentication using Local Account (Contact Record):

  • Go to  portal url https://spaceflight.powerappsportal.com and Register a user

PortalAuth4

Note: Email has to be unique for every registered user. Once successfully registered, the user will appear as a contact in CRM

PortalAuth5

The password entered during registration will be stored as a hash, which can be viewed using Advanced Find

PortalAuth6

The following solutions must be present in the Dynamics 365 CE Instance/Org for portal authentication to work; by default they are installed once the portal is provisioned.

PortalAuth7

Administering Dynamics 365 CE Subscription

25 Saturday Jan 2020

Posted by GIRISH SRINIVASA in Azure AD, Dynamics 365 CE Online, Power Platform

Tags

365 Admin Center, Azure AD, Portals

Microsoft 365 Admin Center provides the ability to create users requiring access to Dynamics 365 CE.

In the screenshot below there are two users, one without a Dynamics 365 CE licence

Administer1

Of the two users listed above, user “John Smith” has no license assigned and hence cannot access Dynamics 365 CE apps. Logging on to https://portal.office.com using jsmith@idyconsulting.onmicrosoft.com will display the following landing page.

Administer2

Product licenses can be allocated/managed from Microsoft 365 admin center

Administer3

Azure AD view for the above two user(s):

Within Azure AD admin portal the users will have the following roles assigned

Administer4

Administer5

From the above we can look up Assigned roles, Groups etc. The Global Administrator role provides the capability to manage all aspects of Azure AD and services that use Azure AD identities. Within Dynamics 365 CE, an Azure AD user with the Global Administrator role will have the following roles assigned to the instance.

  • Common Data Service User
  • System Administrator

Administer6

Administer7

For solution management and other aspects of customization assign “System Customizer” role.

Office 365 admin roles related to Microsoft Dynamics 365

  • Global Admin: Provides administrative features to Office 365 suite of services. By default initial signing account will be global admin and additional administrators can be added.
  • Billing Administrator: To manage all aspects of subscription
  • User Management Administration: For password resets, service health monitoring, user account provisioning.
  • Dynamics 365 Administrator: To manage Dynamics 365 at the tenant level without the need of having a Global Admin role assigned to user.

 
