Post-installation and configuration guidelines for Microsoft Dynamics CRM 2013


Applies To: Dynamics CRM 2013

This section describes several of the tasks that the Microsoft Dynamics CRM administrator should consider after the Microsoft Dynamics CRM Server application is installed. This section isn’t meant to be an exhaustive resource used to configure deployments. Instead, use this section as a guideline to determine what best practices to implement and features to configure, based on your organization's needs.

All new and upgraded organizations use data encryption that uses an encryption key to secure data such as user passwords for email mailboxes and Yammer accounts. This encryption key may be required to use Microsoft Dynamics CRM after a redeployment or failure recovery. We strongly recommend that you make a copy of the encryption key and save it to a secure location. More information: Copy your organization data encryption key

With any network design, it is important to consider the security of your organization's client-to-server communications. When making necessary decisions that can help protect data, we recommend that you understand the following information about Microsoft Dynamics CRM network communication and about the technology options that are available that provide more secure data transmissions.

If you installed Microsoft Dynamics CRM or upgraded to Microsoft Dynamics CRM 2013 to an internally-facing website that isn’t already configured for HTTPS, Microsoft Dynamics CRM client-to-server communications are not encrypted. When using a website that supports only HTTP, information from CRM clients is transmitted in clear text and, therefore, possibly vulnerable to malicious intent, such as "man-in-the-middle" type attacks that could compromise content by adding scripts to perform harmful actions.

Configuring a site for HTTPS will cause a disruption in the Microsoft Dynamics CRM application, so plan the configuration for a time when there will be minimal disruption to users. The high-level steps for configuring Microsoft Dynamics CRM for HTTPS are as follows:

  1. In Microsoft Dynamics CRM Deployment Manager, disable the server where the Web Application Server, Organization Web Service, Discovery Web Service, and Deployment Web Service roles are running. If this is a Full Server deployment, all server roles are running on the same computer. For information about how to disable a server, see Microsoft Dynamics CRM Deployment Manager Help.

  2. Configure the website where the Web Application Server role is installed to use HTTPS. For more information about how to do this, see Internet Information Services (IIS) Help.

  3. Set the binding in Deployment Manager. This is done on the Web Address tab of the Properties page for the deployment. For more information about how to change the bindings, see the "Microsoft Dynamics CRM deployment properties" topic in Deployment Manager Help.

  4. If you want to make other CRM services more secure and Microsoft Dynamics CRM is installed by using separate server roles, repeat the previous steps for the additional server roles.
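
One way to confirm the result of the steps above, as an added example that is not part of the original guidance: the script lists the IIS bindings of the CRM website and reads back the deployment's web address scheme. The site name `Microsoft Dynamics CRM` is an assumption; use the name shown in IIS Manager. Run it in an elevated Windows PowerShell console on the server where the Web Application Server role is installed.

```powershell
# Added example: confirm that the CRM website and the deployment use HTTPS.
# Assumption: the IIS site is named "Microsoft Dynamics CRM"; change as needed.
$siteName = 'Microsoft Dynamics CRM'

Import-Module WebAdministration
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue

# 1. IIS: list every binding on the site (step 2 of the procedure).
$bindings = @(Get-WebBinding -Name $siteName |
    Select-Object protocol, bindingInformation)
$bindings | Format-Table -AutoSize

# 2. Deployment Manager "Web Address" tab (step 3), read through the CRM cmdlets.
#    RootDomainScheme holds "http" or "https".
$web = Get-CrmSetting -SettingType WebAddressSettings
"Deployment binding scheme: $($web.RootDomainScheme)"

# 3. Report anything that still allows clear-text client-to-server traffic.
$plain = @($bindings | Where-Object { $_.protocol -eq 'http' })
if ($bindings.Count -eq 0) {
    Write-Warning "No bindings found for site '$siteName'; check the site name."
}
elseif ($plain.Count -gt 0 -or $web.RootDomainScheme -ne 'https') {
    Write-Warning 'CRM client-to-server traffic can still travel over HTTP.'
    foreach ($b in $plain) {
        Write-Warning "HTTP binding present: $($b.bindingInformation)"
    }
    if ($web.RootDomainScheme -ne 'https') {
        Write-Warning 'Deployment web address scheme is not https.'
    }
}
else {
    "All bindings on '$siteName' use HTTPS and the deployment scheme is https."
}
```

If separate server roles are deployed, run the same check on each server that hosts a CRM website.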

After all Microsoft Dynamics CRM Server roles are installed, you can configure the deployment so that remote users can connect to the application through the Internet. To do this, start Rule Deployment Manager and complete the Configure Claims-Based Authentication Wizard followed by the Internet-Facing Deployment Configuration Wizard. Alternatively, you can complete these tasks using Windows PowerShell.


For Microsoft Dynamics CRM for tablets to successfully connect to a new deployment of Microsoft Dynamics CRM Server 2013, you must run a Repair of Microsoft Dynamics CRM Server 2013 on the server running IIS where the Web Application Server role is installed after the Internet-Facing Deployment Configuration Wizard is successfully completed. More information: Uninstall, change, or repair Microsoft Dynamics CRM Server 2013

For more information about configuring Microsoft Dynamics CRM for claims-based authentication, see Configure IFD for Microsoft Dynamics CRM 2013.

The Microsoft Dynamics CRM 2013 Best Practices Analyzer is a diagnostic tool that performs the following functions:

  • Gathers information about the Microsoft Dynamics CRM 2013 server roles that are installed on that server.

  • Determines if the configurations are set according to the recommended best practices.

  • Reports on all configurations, indicating settings that differ from recommendations.

  • Indicates potential problems in the Microsoft Dynamics CRM 2013 features installed.

  • Recommends solutions to potential problems.

The Microsoft Dynamics CRM 2013 Best Practices Analyzer has the following requirements:

  • At least one CRM 2013 Server role on the computer where Dynamics CRM 2013 BPA is running.

  • Microsoft Baseline Configuration Analyzer 2.0 installed where the Best Practices Analyzer is running. Download Microsoft Baseline Configuration Analyzer 2.0.

  • The user who is running the Best Practices Analyzer must be a member of the administrators group on the local computer that is scanned.


This version of the Best Practices Analyzer doesn’t support the following features:

  • Remote capability.

  • Best practices analytics for CRM for Outlook.

  1. Download the Microsoft Dynamics CRM 2013 Best Practices Analyzer from the Microsoft Download Center.

  2. Double-click MicrosoftDynamicsCRMBPA.msi.

  3. On the Welcome screen, click Next.

  4. If you accept the terms, click I accept the terms in the License Agreement, and then click Next.

  5. If you allow Dynamics CRM BPA to modify the Windows PowerShell settings, click Select to continue, or cancel to exit Setup, and then click Next.

  6. Click Install.

  1. Click All Programs, right-click Microsoft Baseline Configuration Analyzer 2.0, and then click Run as Administrator.

  2. In the Select a product list, click Dynamics CRM 2013 BPA, and then click Start Scan.

  3. If the Enter Parameters screen appears, enter the name of the computer where the CRM server roles are installed. For the local computer, you can enter *.

View the scan results

On the Noncompliant tab, expand Error or Warnings to view any errors or warnings that may have been detected. For detailed information, click each error. To view all results of the scan, including Compliant results, click the All tab.

Sample data is available to help you become familiar with how Microsoft Dynamics CRM works. By using sample data, you can work with records and see how they relate to each other, how data displays in charts, and what information is in reports.

Sample data can be added or removed from within the CRM application. For more information about sample data, see the "Manage Sample Data" topic in Microsoft Dynamics CRM Help.

After you've completed installing Microsoft Dynamics CRM, but before the business users in your organization start using it, there are some basic tasks that you, as the CRM administrator, should complete. These tasks include defining business units and security roles, adding users, and importing data.

More information: Set up a CRM organization

Use solutions to extend functionality and the user interface. Customizers and developers distribute their work as solutions. Organizations use Microsoft Dynamics CRM to install and uninstall the solution.


Installing a solution or publishing customizations can interfere with normal system operation. We recommend that you schedule solution imports when it’s least disruptive to users.

For more information about how to install a solution, see Install, upgrade, or uninstall a solution from the Microsoft Dynamics Marketplace.

By default, the Navigation Tour video prompt appears the first time a user signs in to Microsoft Dynamics CRM 2013 and Microsoft Dynamics CRM Online using a web browser. The video prompt won’t appear on subsequent sign-ins after the user clicks Don’t show me this again. Notice that, if the user clears the browser cache or signs in from a different computer’s web browser, the video prompt will display again.

For the typical deployment the Navigation Tour video can be a valuable learning tool for users new to Microsoft Dynamics CRM 2013. However, for some Microsoft Dynamics CRM (on-premises) deployments that use Remote Desktop Services or are highly customized, you may want to disable the video. To disable the video prompt, follow these steps from the Microsoft Dynamics CRM Server, where the Front End Server role is running.

  1. Start Registry Editor.

  2. Locate registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM.

  3. Right-click MSCRM, point to New, click DWORD (32-bit) Value, enter DisableNavTour, and then press ENTER.

  4. Right-click DisableNavTour, click Modify.

  5. In the Value data box, type 1, and then press ENTER.

  6. Close the Registry Editor.


You can run the Navigation Tour video at any time from a web browser running Microsoft Dynamics CRM 2013. To do this click or tap Settings and then click or tap Open Navigation Tour.

The following information describes how to configure Windows Server 2012 R2 with Active Directory Federation Services (AD FS) 2.2 to support Microsoft Dynamics CRM for tablets.


A few steps that were required when configuring AD FS 2.0 and 2.1 are no longer needed for AD FS 2.2. For example, with 2.0/2.1 you had to configure the MEX endpoint using a script or obtain a hotfix. This isn’t needed with AD FS 2.2. In addition, AD FS 2.2 adds the rule “Pass through all UPN Claims” in the Active Directory claim provider trust by default, so the extra step to add the rule is no longer required.

By default, forms authentication is disabled in the intranet zone. You must enable forms authentication by following these steps.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management wizard.

  3. Click Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.

  4. Click (check) Form Based Authentication on the Intranet tab.

Follow these steps to configure the OAuth provider in Microsoft Dynamics CRM.

  1. Log on to the Microsoft Dynamics CRM server as an administrator.

  2. In a Windows PowerShell console window, run the following script.

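    # Load the Dynamics CRM cmdlets if the console has not loaded them yet
    Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue
    # Read the claims settings, set the federation provider type, and save
    $fedurl = Get-CrmSetting -SettingType ClaimsSettings
    $fedurl.FederationProviderType = 1
    Set-CrmSetting $fedurl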

The mobile client apps for the Apple iPad and Windows 8 tablets and phone must be registered with AD FS.

  1. Log on to the AD FS server as administrator.

  2. In a PowerShell window, execute the following command.

    Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d -Name "Dynamics CRM Mobile Companion" -RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/, urn:ietf:wg:oauth:2.0:oob
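
To read back the AD FS settings made in the two AD FS procedures above (forms authentication in the intranet zone and the mobile client registration), the following added example, which is not part of the original guidance, uses the AD FS cmdlets included with Windows Server 2012 R2. The list of expected redirect URI forms is an assumption taken from the command above. Run it on the AD FS server as an administrator.

```powershell
# Added example: verify the AD FS configuration described in this section.
# ClientId copied from the Add-AdfsClient command above.
$clientId = 'ce9f9f18-dd0c-473e-b9b2-47812435e20d'

# 1. Forms authentication must be one of the intranet primary providers.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    Write-Warning 'Forms authentication is not enabled for the intranet zone.'
}

# 2. The mobile client must be registered, with only the expected redirect URIs.
$client = Get-AdfsClient -ClientId $clientId -ErrorAction SilentlyContinue
if (-not $client) {
    Write-Warning "OAuth client $clientId is not registered with AD FS."
}
else {
    "Registered client: $($client.Name)"
    foreach ($uri in $client.RedirectUri) {
        $text = [string]$uri
        # Assumption: only the URI forms used in the registration are expected.
        $expected = ($text -like 'ms-app://s-1-15-2-*') -or
                    ($text -eq 'urn:ietf:wg:oauth:2.0:oob')
        if ($expected) {
            "  OK          $text"
        }
        else {
            Write-Warning "Unexpected redirect URI on client: $text"
        }
    }
}

# 3. List every other registered OAuth client so it can be reviewed.
Get-AdfsClient |
    Where-Object { $_.ClientId -ne $clientId } |
    Select-Object Name, ClientId, RedirectUri |
    Format-List
```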