Manage user account synchronization
Applies To: CRM Online
[This topic is pre-release documentation and is subject to change in future releases.]
Because Microsoft Dynamics CRM Online user identities are provisioned through Microsoft Online Services, you have multiple options for managing user synchronization between your online and on-premises environments.
Decide on a user management approach
There are three possible methods to manage your user accounts:
Manage user accounts in Office 365
This is the simplest approach but can require more long-term administrative effort. Every time you create a new user account, you will need to create the user in two locations: on-premises and in Office 365. Name and password changes will require editing the accounts in both locations.
Synchronize on-premises directory objects with Office 365
Active Directory synchronization (also referred to as DirSync) sets up a one-way synchronization relationship between your on-premises Active Directory server and Office 365. You get the benefit of easing the burden of maintaining user accounts without significantly adding to your hardware and failover requirements. However, you will still need to maintain two sets of passwords for your on-premises Active Directory accounts and your Office 365 accounts.
Use Active Directory Federation Services (AD FS) to manage users
This approach requires careful planning for redundancy and failover and requires the most expertise and effort to deploy.
In this approach, users in your organization can use corporate credentials to access the services in Office 365 that your company subscribes to such as Microsoft Dynamics CRM Online. Users sign in once and don’t have to sign in again to access a different service. There’s a single password to manage.
Your decision on which method to choose is based largely on the size of your company and the depth and breadth of your IT resources.
Review the following resources to equip you to make the right decision for your company:
Tip for admins: provide a single sign-on organization URL for your users
If you’ve deployed synchronization with single sign-on (option 3 above), you can provide a URL to your users that takes advantage of your company’s Active Directory and simplifies the sign-in experience.
The URL follows this pattern:
https://<yourCRMOrganizationName>.crm.dynamics.com?whr=<yourFederationServiceIdentifier>
You can get the <yourCRMOrganizationName> by looking at the URL you use to access Microsoft Dynamics CRM Online. For example, in https://contoso.crm.dynamics.com, contoso is <yourCRMOrganizationName>.
Important
The following URLs would be used for subscriptions hosted in these locations.
- LATAM/SAM: https://< yourCRMorganizationname>.crm2.dynamics.com?whr=<yourFederationServiceIdentifier>
- EMEA: https://<yourCRMorganizationname>.crm4.dynamics.com?whr=<yourFederationServiceIdentifier>
- APAC: https://< yourCRMorganizationname>.crm5.dynamics.com?whr=<yourFederationServiceIdentifier>
- OCE: https://< yourCRMorganizationname>.crm6.dynamics.com?whr=<yourFederationServiceIdentifier>
- JPN: https://< yourCRMorganizationname>.crm7.dynamics.com?whr=<yourFederationServiceIdentifier>
- United States of America Government: https://< yourCRMorganizationname>.crm9.dynamics.com?whr=<yourFederationServiceIdentifier>
You can get the Federation Service identifier for your organization by using the following steps:
On the server that is running AD FS 2.0, click or tap Start > Administrative Tools > AD FS 2.0 Management.
In the console tree, right-click or tap AD FS 2.0, and then click or tap Edit Federation Service Properties.
Select the General tab.
Make note of your Federation Service identifier. For example: https://sts1.fabrikam.com/adfs/services/trust
Your URL should look like: https://contoso.crm.dynamics.com?whr=https://sts1.fabrikam.com/adfs/services/trust
Send this URL to your Microsoft Dynamics CRM Online users and encourage them to bookmark it.
Send comments about this topic to Microsoft.
© 2015 Microsoft. All rights reserved.