Walkthrough: Configure Microsoft Azure (ACS alternate method)


Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Important

This procedure is deprecated. You should use the procedure described in Walkthrough: Configure Microsoft Azure (SAS) for integration with Dynamics 365 using SAS rather than ACS. More information: Azure Documentation: Service Bus authentication and authorization

This walkthrough guides you through configuring the Microsoft Azure Active Directory Access Control Service (ACS) issuer, scope, and rules to allow a listener application to read the Microsoft Dynamics 365 messages posted to the Microsoft Azure Service Bus. This walkthrough applies to integration with any deployment type of Microsoft Dynamics 365.

Note

The Plug-in Registration Tool provided in the SDK download is the recommended way to automate the configuration of ACS for basic scenarios. For instructions on using the tool to configure ACS see Walkthrough: Configure Microsoft Azure (ACS) for integration with Dynamics 365.

Follow the instructions in this topic for more advanced scenarios using the Azure Management Portal.

As a prerequisite to this walkthrough, if you’re running Microsoft Dynamics 365 (on-premises or IFD), configure Microsoft Dynamics 365 for Microsoft Azure integration. For more information, see Walkthrough: Configure Dynamics 365 for integration with Microsoft Azure. Microsoft Dynamics 365 (online) is pre-configured for Microsoft Azure integration.

In This Topic

Create a new service namespace

Create a service identity (issuer)

Create a rule group and a rule

Configure the scope

Create a new service namespace

If you have an existing ACS service namespace that you want to use, continue with the next section named Create a service identity (issuer).

Warning

Do not use the Microsoft Azure portal to create a service namespace for use with Dynamics 365. The portal will create a SAS namespace but Dynamics 365 requires an ACS namespace.

Use PowerShell commands to create a new service namespace

  1. Download and install the Microsoft Azure PowerShell module. More information: How to install and configure Azure PowerShell

  2. From the Start menu, open the Microsoft Azure PowerShell program and enter the following commands.

    > Add-AzureAccount
    > New-AzureSBNamespace -Name YOUR_NAMESPACE -Location "YOUR_LOCATION" -CreateACSNamespace $true


    Note

    Version 0.8.9 or later of Azure PowerShell supports the -CreateACSNamespace parameter of the New-AzureSBNamespace command. If your installed version of Azure PowerShell doesn't support the -CreateACSNamespace parameter, install the latest version. To see the version of Azure PowerShell that you're using, enter the command Get-Module Azure.

    Newer versions of the command may support a -NamespaceType parameter. If so, use -NamespaceType Messaging.

    After you enter Add-AzureAccount, you'll be prompted to provide the sign-in credentials for your Azure subscription. Substitute an appropriate namespace name for YOUR_NAMESPACE and an appropriate location for YOUR_LOCATION. The supported locations are: Central US, East US, East US 2, North Central US, South Central US, West US, North Europe, West Europe, East Asia, Southeast Asia, Brazil South, Japan East, and Japan West.

After you enter these commands, the namespace is created and you should see output that looks similar to the following text.

Name                  : mynamespace
Region                : Central US
DefaultKey            : 1eKDTIYEACFP7Geiy5QV/hqJnWHeroJyKk/PBzv42Rw=
Status                : Active
CreatedAt             : 8/25/2014 3:36:47 PM
AcsManagementEndpoint : https://mynamespace-sb.accesscontrol.windows.net/
ServiceBusEndpoint    : https://mynamespace.servicebus.windows.net/
ConnectionString      : Endpoint=sb://mynamespace.servicebus.windows.net/;SharedSecretIssuer=owner;SharedSecretValue=1eKDTIYEACFP7Geiy5QV/hqJnWHeroJyKk/PBzv42Rw=
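The following script is an added example, not part of the original walkthrough and not code shipped with the Dynamics 365 SDK. It wraps the two commands above in a function that performs the checks the note describes before creating anything: that the classic Azure PowerShell module is installed at version 0.8.9 or later, that New-AzureSBNamespace actually exposes -CreateACSNamespace (and adds -NamespaceType Messaging when the installed build supports it), and that the requested location is one of the supported ones. It then confirms that the created namespace has an ACS management endpoint, since a plain SAS namespace will not work with Dynamics 365. The function name New-CrmAcsNamespace and the variable names are this example's own; the cmdlets and parameters are those named in the walkthrough.

```powershell
# Added example: create an ACS-enabled Service Bus namespace for Dynamics 365 with
# pre-flight checks. Assumes the classic "Azure" PowerShell module (Add-AzureAccount,
# New-AzureSBNamespace) is installed. Function and variable names are this example's own.

# Locations the walkthrough lists as supported for an ACS namespace.
$SupportedLocations = @(
    'Central US', 'East US', 'East US 2', 'North Central US', 'South Central US', 'West US',
    'North Europe', 'West Europe', 'East Asia', 'Southeast Asia',
    'Brazil South', 'Japan East', 'Japan West'
)

function New-CrmAcsNamespace {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Location
    )

    if ($SupportedLocations -notcontains $Location) {
        throw "Location '$Location' is not in the list of supported ACS namespace locations."
    }

    # -CreateACSNamespace needs Azure PowerShell 0.8.9 or later (see the note above).
    $module = Get-Module -Name Azure -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) { throw "The Azure PowerShell module is not installed." }
    if ($module.Version -lt [version]'0.8.9') {
        throw "Azure PowerShell $($module.Version) is too old; 0.8.9 or later is required."
    }
    Import-Module Azure

    # Inspect the cmdlet's parameters instead of guessing which switches this build exposes.
    $cmdParams = (Get-Command New-AzureSBNamespace).Parameters
    if (-not $cmdParams.ContainsKey('CreateACSNamespace')) {
        throw "This New-AzureSBNamespace build has no -CreateACSNamespace parameter; install the latest Azure PowerShell."
    }

    # Prompts for the sign-in credentials of your Azure subscription.
    Add-AzureAccount

    $nsArgs = @{ Name = $Name; Location = $Location; CreateACSNamespace = $true }
    if ($cmdParams.ContainsKey('NamespaceType')) {
        # Newer builds also take -NamespaceType; the walkthrough says to use Messaging.
        $nsArgs['NamespaceType'] = 'Messaging'
    }
    $ns = New-AzureSBNamespace @nsArgs

    # Dynamics 365 requires an ACS namespace: refuse to continue if ACS was not provisioned.
    if (-not $ns.AcsManagementEndpoint) {
        throw "Namespace '$Name' was created without an ACS management endpoint; Dynamics 365 requires an ACS namespace."
    }

    # DefaultKey and ConnectionString carry the namespace's shared secret (the 'owner'
    # issuer); return only the non-secret fields so they do not end up in transcripts or logs.
    $ns | Select-Object Name, Region, Status, CreatedAt, AcsManagementEndpoint, ServiceBusEndpoint
}

# Usage (placeholder values):
# New-CrmAcsNamespace -Name 'YOUR_NAMESPACE' -Location 'Central US'
```

The output sample above shows why the last step matters: DefaultKey and the SharedSecretValue inside ConnectionString are the full-access credential for the namespace, so the function deliberately drops them from what it returns; retrieve them on demand from the portal or the cmdlet when you need them rather than pasting the whole object into a ticket or script log.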

Create a service identity (issuer)

  1. If you haven’t already done so, go to the Microsoft Azure Management Portal and sign in.

  2. In the management portal, click Service Bus and then select your existing namespace in the list.

  3. Click Connection Information.

  4. At the bottom of the form, click Open ACS Management Portal.

  5. Under Service Settings, select Service identities, and then click Add.

  6. On the Add Service Identity page, enter a name for the issuer identity. This must be the same issuer name that Microsoft Dynamics 365 is configured with. You can find this issuer name in the Dynamics 365 web application by choosing Settings > Customizations > Developer Resources.

  7. Select a credential type of X.509 Certificate.

  8. Browse to the location of the certificate on your local computer. Obtain the certificate by clicking the Download Certificate link on the Developer Resources page of the Dynamics 365 web application.

  9. Click Save.

If you’re working with Microsoft Dynamics 365 (online) and see an indication that the certificate you obtained from that server is expired, you can ignore that warning.

Create a rule group and a rule

Create a rule for the target scope that will allow Microsoft Dynamics 365 to send or “post” to the Microsoft Azure Service Bus. You do this by configuring ACS to map the input “Organization” claim from Microsoft Dynamics 365 to the output “Send” claim of the Microsoft Azure Service Bus.

First, create a rule group by following these steps.

  1. Below Trust relationships, select Rule groups.

  2. Click Add.

  3. Enter a name for the rule group and select Save.

Next, add a claim rule to the rule group.

  1. On the Edit Rule Group page, click Add.

  2. In the If section of the page, select Access Control Service.

  3. For the input claim type, select Enter type and then enter https://schemas.microsoft.com/xrm/2011/Claims/Organization.

  4. For the input claim value, select Enter value, and then enter the name of a Microsoft Dynamics 365 organization.

    For an Internet-facing or on-premises deployment, enter the unique name of the desired organization in lowercase characters. You can find this name on the Developer Resources page of the Dynamics 365 web application next to the Organization Unique Name label. To navigate to that page in Dynamics 365, click Settings > Customizations > Developer Resources.

    For a Microsoft Dynamics 365 (online) deployment, specify the complete hostname part of the Web service URL. For example, given a URL of https://myorg.crm.dynamics.com/main.aspx, the host name part is myorg.crm.dynamics.com.

  5. In the Then section, for the output claim type, click Select type and then select the http://docs.oasis-open.org/wsfed/authorization/200706/claims/action item from the drop-down list.

  6. For the output claim value, select Enter value, and enter a value of Send for the output claim.

  7. Add a description of the rule (optional). For example, you could type: “Allow the Contoso organization to send to the Microsoft Azure Service Bus.”

  8. Click Save.

Configure the scope

The following steps describe how to configure the Microsoft Azure Service Bus scope of ACS for a normal mode post by Microsoft Dynamics 365. Defining a scope provides more restricted access to the service namespace.

  1. Below Trust relationships, select Relying party applications, and then click Add.

  2. On the Add Relying Party Application page, enter a display name for the relying party. For example, enter internal. This name is the scope name.

  3. Enter the realm URI of your Microsoft Azure service endpoint and append the scope name, for example, https://crmsdkdemo.servicebus.windows.net/internal.

  4. Enter the return URL, which can be the same value as the realm URI you just entered.

  5. Select a token format of SAML 2.0.

  6. You may optionally increase the token lifetime value.

  7. Make sure the Windows Live ID identity provider is selected.

  8. Select the name of the rule group you created previously. If the check box next to your rule appears ghosted, first clear the check box that is currently checked, and then select the check box for your rule.

  9. Click Save.
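The function below is an added example, not part of the original walkthrough and not SDK code. It computes the values that the claim rule steps and the scope steps above ask you to type into the ACS Management Portal, and it catches the two entry mistakes those steps warn about: for an on-premises or IFD deployment the organization unique name must be lowercase, and for Dynamics 365 (online) the claim value is the host name part of the web service URL, not the whole URL. The realm URI is built from the namespace and scope name exactly as step 3 of the scope procedure describes. The function name Get-CrmAcsPortalValues and its parameter names are this example's own; the claim types, output value Send, token format and URI pattern are those given in the walkthrough.

```powershell
# Added example: derive the ACS portal entries for the Dynamics 365 claim rule and scope.
# Function and parameter names are this example's own. Claim types, the Send value, the
# realm pattern and the token format come from the walkthrough.
function Get-CrmAcsPortalValues {
    param(
        # Service Bus namespace name, e.g. crmsdkdemo
        [Parameter(Mandatory = $true)] [string] $Namespace,
        [Parameter(Mandatory = $true)] [ValidateSet('Online', 'OnPremises')] [string] $DeploymentType,
        # Online: the web service URL. On-premises / IFD: the organization unique name.
        [Parameter(Mandatory = $true)] [string] $Organization,
        # Relying party display name; the walkthrough uses "internal".
        [string] $ScopeName = 'internal'
    )

    switch ($DeploymentType) {
        'Online' {
            # Online deployments use the complete host name of the web service URL.
            $uri = $null
            if (-not [System.Uri]::TryCreate($Organization, [System.UriKind]::Absolute, [ref]$uri)) {
                throw "For an online deployment pass the web service URL, e.g. https://myorg.crm.dynamics.com/main.aspx."
            }
            $claimValue = $uri.Host
        }
        'OnPremises' {
            # On-premises / IFD deployments use the unique name, entered in lowercase.
            if ($Organization -match '[/:]') {
                throw "For an on-premises deployment pass the organization unique name, not a URL."
            }
            if ($Organization -cne $Organization.ToLowerInvariant()) {
                throw "The organization unique name must be lowercase; '$Organization' is not."
            }
            $claimValue = $Organization
        }
    }

    # Scope realm: the Service Bus endpoint with the scope name appended.
    $realm = "https://$Namespace.servicebus.windows.net/$ScopeName"

    [pscustomobject]@{
        InputClaimType   = 'https://schemas.microsoft.com/xrm/2011/Claims/Organization'
        InputClaimValue  = $claimValue
        OutputClaimType  = 'http://docs.oasis-open.org/wsfed/authorization/200706/claims/action'
        OutputClaimValue = 'Send'
        RelyingPartyName = $ScopeName
        RealmUri         = $realm
        ReturnUrl        = $realm      # may be the same value as the realm URI
        TokenFormat      = 'SAML 2.0'
        Description      = "Allow the $claimValue organization to send to the Microsoft Azure Service Bus."
    }
}

# Usage (sample names are constructed for this example):
Get-CrmAcsPortalValues -Namespace 'crmsdkdemo' -DeploymentType Online `
    -Organization 'https://myorg.crm.dynamics.com/main.aspx'
Get-CrmAcsPortalValues -Namespace 'crmsdkdemo' -DeploymentType OnPremises -Organization 'contoso'
```

The first call yields an InputClaimValue of myorg.crm.dynamics.com and a RealmUri of https://crmsdkdemo.servicebus.windows.net/internal; passing Contoso instead of contoso to the second call is rejected, which is the failure mode that otherwise shows up only as Dynamics 365 posts being denied by ACS because the Organization claim never matches the rule.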

Important

If you’re using federated mode, the process is similar to what is described in this walkthrough. You would add an issuer, and create a scope specific to the URI (recommended) or a new base scope. You will need to configure both -sb and non-sb scopes. You may also need to create a token policy when creating the issuer.

See Also

Azure extensions for Microsoft Dynamics 365
Walkthrough: Configure Dynamics 365 for integration with Microsoft Azure
Configure Azure integration with Microsoft Dynamics 365
ACS Management Portal

© 2016 Microsoft. All rights reserved.