Walkthrough: Configure Microsoft Azure ACS for integration with Microsoft Dynamics CRM 2015
Applies To: CRM 2015 on-prem, CRM Online
This walkthrough guides you through configuring the Microsoft Azure Active Directory Access Control Service (ACS) 2.0 issuer, scope, and rules to allow a listener application to read the Microsoft Dynamics CRM messages posted to the Microsoft Azure Service Bus. This walkthrough applies to integration with any deployment type of Microsoft Dynamics CRM.
|The Plug-in Registration tool provided in the SDK is the recommended way to automate the configuration of ACS for basic scenarios. Refer to the section named “Configure ACS” in the topic Walkthrough: Register an Azure-aware plug-in with the CRM plug-in registration tool for instructions on how to configure ACS using the tool. For more advanced scenarios, you’ll need to use the Azure Management Portal described later in this topic. Download the Microsoft Dynamics CRM SDK package.|
As a prerequisite to this walkthrough, if you’re running Microsoft Dynamics CRM 2015 (on-premises or IFD), configure Microsoft Dynamics CRM 2015 for Microsoft Azure integration. For more information, see Walkthrough: Configure CRM for integration with Microsoft Azure. Microsoft Dynamics CRM Online is pre-configured for Microsoft Azure integration.
Create a new service namespace
If you have an existing ACS version 2 service namespace that you want to use, continue with the next section named Create a Service Identity.
|Do not use the Microsoft Azure portal to create a service namespace for use with Dynamics CRM. The portal will create a SAS namespace but CRM requires an ACS namespace.|
Download and install the Microsoft Azure PowerShell module. More information:How to install and configure Azure PowerShell
From the Start menu, open the Microsoft Azure PowerShell program and enter the following commands.
> Add-AzureAccount > New-AzureSBNamespace –Name YOUR_NAMESPACE -Location "YOUR_LOCATION" -CreateACSNamespace $true
Note Version 0.8.9 or later of Azure PowerShell supports the –CreateACSNamespace parameter in the New-AzureSBNamespace command. If your installed version of Azure PowerShell doesn’t support the –CreateACSNamespace parameter, install the latest version. To see the version of Azure PowerShell that you’re using, enter the command Get-Module Azure. Newer versions of the command may support a –NamespaceType parameter. If so, use –NamespaceType Messaging.
After you enter Add-AzureAccount, you’ll be prompted to provide the sign-in credentials for your Azure subscription. Substitute an appropriate namespace name for YOUR_NAMESPACE and an approximate location for YOUR_LOCATION. The supported locations are: Central US, East US, East US 2, North Central US, South Central US, West US, North Europe, West Europe, East Asia, Southeast Asia, Brazil South, Japan East, and Japan West.
After you enter these commands, the namespace is created and you should see output that looks similar to the following text.
Name : mynamespace Region : Central US DefaultKey : 1eKDTIYEACFP7Geiy5QV/hqJnWHeroJyKk/PBzv42Rw= Status : Active CreatedAt : 8/25/2014 3:36:47 PM AcsManagementEndpoint : https://mynamespace-sb.accesscontrol.windows.net/ ServiceBusEndpoint : https://mynamespace.servicebus.windows.net/ ConnectionString : Endpoint=sb://mynamespace.servicebus.windows.net/;SharedSecretIssuer=owner;SharedSecretValue=1 eKDTIYEACFP7Geiy5QV/hqJnWHeroJyKk/PBzv42Rw=
Create a service identity (issuer)
If you haven’t already done so, go to the Microsoft Azure Management Portal and sign in.
In the management portal, click Service Bus and then select your existing namespace in the list.
Click Connection Information.
At the bottom of the form, click Open ACS Management Portal.
Under Service Settings, select Service identities, and then click Add.
On the Add Service Identity page, enter a name for the issuer identity. This must be the same issuer name that Microsoft Dynamics CRM is configured with. You can find this issuer name in the CRM web application by choosing Settings > Customizations > Developer Resources.
Select a credential type of X.509 Certificate.
Browse to the location of the certificate on your local computer. Obtain the certificate by clicking the Download Certificate link on the Developer Resources page of the CRM web application.
If you’re working with Microsoft Dynamics CRM Online and see an indication that the certificate you obtained from that server is expired, you can ignore that warning.
Create a rule group and a rule
Create a rule for the target scope that will allow Microsoft Dynamics CRM to send or “post” to the Microsoft Azure Service Bus. You do this by configuring ACS to map the input “Organization” claim from Microsoft Dynamics CRM to the output “Send” claim of the Microsoft Azure Service Bus.
Below Trust relationships, select Rule groups.
Enter a name for the rule group and select Save.
On the Edit Rule Group page, click Add.
In the If section of the page, select Access Control Service.
For the input claim type, select Enter type and then enter http://schemas.microsoft.com/xrm/2011/Claims/Organization.
For the input claim value, select Enter value, and then enter the name of a Microsoft Dynamics CRM organization.
For an Internet-facing or on-premises deployment, enter the unique name of the desired organization in lowercase characters. You can find this name on the Developer Resources page of the CRM web application next to the Organization Unique Name label. To navigate to that page in CRM, choose Settings > Customizations > Developer Resources.
For a Microsoft Dynamics CRM Online deployment, specify the complete hostname part of the Web service URL. For example, given a URL of https://myorg.crm.dynamics.com/main.aspx, the host name part is myorg.crm.dynamics.com.
In the Then section, for the output claim type, click Select type and then select the http://docs.oasis-open.org/wsfed/authorization/200706/claims/action item from the drop-down list.
For the output claim value, select Enter value, and enter a value of Send for the output claim.
Add a description of the rule (optional). For example, you could type: “Allow the Contoso organization to send to the Microsoft Azure Service Bus.”
Configure the scope
The following steps describe how to configure the Microsoft Azure Service Bus scope of ACS for a normal mode post by Microsoft Dynamics CRM. Defining a scope provides more restricted access to the service namespace.
Below Trust relationships, select Relying party applications, and then click Add.
On the Add Relying Party Application page, enter a display name for the relying party. For example, enter internal. This name is the scope name.
Enter the realm URI of your Microsoft Azure service endpoint and append the scope name, for example, https://crmsdkdemo.servicebus.windows.net/internal.
Enter the return URL, which can be the same value as the realm URI you just entered.
Select a token format of SAML 2.0.
You may optionally increase the token lifetime value.
Make sure the Windows Live ID identity provider is selected.
Select the name of the rule group you created previously. If the check box next to your rule appears ghosted, first clear the check box that is currently checked, and then select the check box for your rule.
|If you’re using federated mode, the process is similar to what is described in this walkthrough. You would add an issuer, and create a scope specific to the Uri (recommended) or a new base scope. You will need to configure both –sb and non–sb scopes. You may also need to create a token policy for the creating the issuer.|
Microsoft Dynamics CRM 2015 and Microsoft Dynamics CRM Online
Send comments about this topic to Microsoft.
© 2015 Microsoft. All rights reserved.