how to configure user in ADFS to be able to access CRM - dynamics-crm

I am trying to follow this post to let my web application authenticate with ADFS before calling CRM.
Apache CXF client for claims-mode xRM (Microsoft Dynamics CRM 2011)?
I am not sure what kind of user I should create in ADFS in order to access CRM. What is the proper permission or user roles?
Also, the UserNameWSTrustBinding_IWSTrust13Async policy uses this endpoint: https://yourcompany.com/adfs/services/trust/13/UsernameMixed
Do I need to disable this endpoint to make my app work? It was mentioned here that the endpoint needs to be disabled:
https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/144495/the-authentication-endpoint-username-was-not-found-on-the-configured-secure-token-service

Related

I want to integrate Dynamics CRM with Postman without AAD registration

I want to integrate Dynamics CRM with Postman with the help of username and password and without Azure AD registration.
It is purely dependent on your environment. If it is CRM Online or IFD, then OAuth is the only choice. The documentation says “must”. Read more:
When you use the Web API for Customer Engagement or an on-premises Internet-facing deployment (IFD) you must use OAuth as described in Use OAuth with Dataverse.
If it is on-premises, then you have to use username/password. Read more:
When you use the Web API for on-premises deployments you must include the user’s network credentials.
In case you are having difficulty with AAD app registration, you can use the ready-made example client ID in the documentation for development purposes. Read more

Can we use both ADFS and Azure AD token in the same Spring boot project?

I am working on a project where we authenticate all REST API requests, from the UI or anywhere else, using ADFS STS tokens. There are some direct calls from the UI with an ADFS STS token in the header for authentication/authorization, and there are some external third-party calls, not from the UI, that also use ADFS STS tokens in the header. Now we are planning to migrate partially to Azure AD tokens, after which there may still be some applications that keep using ADFS STS tokens, so there can be a situation where an external application that is unaware of the migration to Azure still calls an internal application using an ADFS STS token, and we are supposed to be compatible with it. Similarly, there can be a situation where an internal application that has migrated to Azure AD tokens internally calls one of the legacy applications which has still not migrated to Azure AD and won't in future either.
I have two challenges now:
1. How do I support the above design so that even if an Azure token is used, the API is still able to call an external service (working on ADFS) by creating an ADFS token from within the code and setting it in the headers?
2. The header in an HTTP request seems to be unmodifiable data, and when I tried to modify it within a RequestTemplate in a request interceptor, it failed saying unmodifiable map.
How do I handle this? Please, someone help.
Unfortunately I cannot share code due to internal restrictions.
Please check if the references below provide some idea in your case.
According to Mix ADFS and Azure AD for authentication - Microsoft Q&A:
If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:
1. User accesses the application which is federated to Azure AD.
2. Application will redirect to the Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
3. User will be prompted for credentials.
4. Based on the UPN suffix (if the domain is federated with ADFS), the user will be redirected to ADFS.
5. ADFS will authenticate the user and issue a WS-Fed token to Azure AD.
6. Azure AD will receive the token and issue a SAML token to the application.
7. User will finally get access to the application.
References:
Configure AD FS 2016 and Azure MFA | Microsoft Docs
Azure AD Connect - Manage AD FS trust with Azure AD using Azure AD Connect | Microsoft Docs
Federating ADFS with Azure Active Directory (techdirectarchive.com) and Solution Zone
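The question above is about one API accepting tokens from two issuers during a migration. The answer describes the browser-side federation flow, not the server-side check, so here is an added example (not code from the original post or from the asker's project) of the pattern that makes a mixed deployment safe: read the unverified `iss` claim only to select a server-side issuer entry, then verify the signature with that issuer's key, and pin the algorithm and audience from the same entry. Everything below is constructed: the ADFS and Azure AD issuer URLs, the audiences and the shared secrets are placeholders, and HS256 is used only because the standard library has no RSA; a real deployment loads each STS's keys from its federation metadata/JWKS and pins RS256. A Spring Boot app does the same thing with a per-issuer `JwtDecoder` keyed on the issuer, which is the hypothetical equivalent of the `ISSUERS` table here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer registry (assumed values, not from the original post). Key,
# audience and algorithm are chosen server-side from the issuer, never from the
# token itself; that is the whole point of the dispatch.
ISSUERS = {
    "http://adfs.corp.example.com/adfs/services/trust": {
        "kind": "adfs", "key": b"adfs-demo-signing-secret", "aud": "urn:internal-api",
    },
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0": {
        "kind": "aad", "key": b"aad-demo-signing-secret", "aud": "api://internal-api",
    },
}
ALLOWED_ALG = "HS256"  # pinned for the demo; a token claiming alg=none or anything else is rejected


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(iss, aud, sub, key, ttl=300, now=None, alg=ALLOWED_ALG) -> str:
    """Mint a demo token shaped like what ADFS or Azure AD would issue (demo only)."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    sig = _sign(".".join(parts).encode("ascii"), key) if alg != "none" else b""
    return ".".join(parts + [_b64url_encode(sig)])


def peek_issuer(token: str) -> str:
    """Read `iss` WITHOUT trusting the token; it only selects which verifier to run."""
    try:
        _, payload_b64, _ = token.split(".")
        return json.loads(_b64url_decode(payload_b64))["iss"]
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenError("malformed token") from exc


def validate(token: str, now=None):
    """Verify an ADFS- or AAD-issued token; returns (issuer kind, claims)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise TokenError("algorithm not allowed")
    issuer = peek_issuer(token)
    cfg = ISSUERS.get(issuer)
    if cfg is None:
        raise TokenError(f"unknown issuer {issuer!r}")
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), cfg["key"])
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != cfg["aud"]:
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("token expired or missing exp")
    return cfg["kind"], claims


def rejects(token: str, now=None) -> bool:
    """True if validate() refuses the token (used to exercise the failure cases)."""
    try:
        validate(token, now=now)
        return False
    except TokenError:
        return True


if __name__ == "__main__":
    adfs, aad = list(ISSUERS)
    print(validate(make_token(adfs, ISSUERS[adfs]["aud"], "alice", ISSUERS[adfs]["key"])))
    print(validate(make_token(aad, ISSUERS[aad]["aud"], "bob", ISSUERS[aad]["key"])))
```

The returned `kind` is what the calling code needs for the second half of the question: once the API knows the inbound token came from Azure AD, it can decide to obtain an ADFS token of its own for the legacy downstream call instead of forwarding the Azure AD token, which the legacy service would (correctly) reject as an unknown issuer.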

CDSWebApiService not working with MFA enabled

I am trying to connect to PowerApps WebApi using CDSWebApiService provided by microsoft.
https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/samples/cdswebapiservice
I have used the sample code that Microsoft provided to connect to the Web API of Power Automate, and that works fine for normal users.
But when we turn on MFA for the user, it gives authentication errors when calling the API.
Basically I am trying to call the Workflows API (https://learn.microsoft.com/en-us/power-automate/web-api).
Or is there any other way to call the Power Automate Web API? Using CRM Service Client or something else?
You should use an Application user to make API calls, especially when your company has MFA enabled.
With an Application user you have a client ID and secret, and those can be used.
Also, I think an Application user does not use MFA.

Access Dynamics CRM Web API from third party app on another domain

I have the below problem I try to solve:
There is an MVC web application (AppA) in domain DomA that is configured to use a CUSTOM STS for authentication/authorization.
On the other hand we have a CRM installation in another domain, the MyCRM domain, that is configured to use ADFS (ADFS is in the same domain as the CRM).
What we want to achieve is the AppA to be able to POST data to the Dynamics CRM Web API but we don’t want the users of AppA to re-enter credentials or have any other kind of interaction regarding authentication/authorization with ADFS.
The AppA should be able to POST data from both Javascript (client side) and the backend (MVC controller)
How could we achieve the above?
What kind of Trust should we establish between the Custom STS of DomA domain and the ADFS of MyCRM domain?
You don't need federated identity for back-end (server-to-server) connections. You might want to use impersonation, which lets you set up a user account that can act on behalf of another user in the system.
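Two of the answers above point the same way: the MFA answer says to call the API as an Application user with a client ID and secret, and this one says a back end does not need federation at all and can impersonate the real user. The following is an added example (not code from either post, nor Microsoft's CDSWebApiService sample) that combines the two for an online or Azure AD-backed organization: a client-credentials token request for the application user, followed by a Web API POST that carries the `MSCRMCallerID` header so the record is created on behalf of the end user from the other domain without that user ever talking to ADFS. The tenant, client ID, secret, organization URL and the caller's systemuserid are placeholders; the `transport` parameter is an assumption of this example so that it can run offline with a fake HTTP function.

```python
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Transport: (url, body, request headers) -> (status, response headers, body).
# Injected so the example runs offline; urllib_transport is the real one.
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]

_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read()


def is_systemuser_guid(value: str) -> bool:
    """The impersonation header must carry a systemuserid GUID, nothing else."""
    return bool(_GUID.match(value))


def client_credentials_token(tenant: str, client_id: str, client_secret: str, org_url: str,
                             transport: Transport = urllib_transport) -> str:
    """OAuth 2.0 client-credentials grant for the Application user (placeholder tenant/app).
    No interactive user is involved, so no MFA prompt can occur; what the token may do is
    bounded by the security role assigned to the Application user inside CRM."""
    token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{org_url.rstrip('/')}/.default",
    }).encode("ascii")
    status, _, raw = transport(token_url, form,
                               {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {raw[:200]!r}")
    payload = json.loads(raw)
    if payload.get("token_type", "").lower() != "bearer" or not payload.get("access_token"):
        raise RuntimeError("unexpected token response shape")
    return payload["access_token"]


def impersonated_post(org_url: str, entity_set: str, record: dict, access_token: str,
                      caller_user_id: str, transport: Transport = urllib_transport) -> str:
    """Create a record as the Application user but on behalf of caller_user_id (the target
    user's systemuserid GUID) via the MSCRMCallerID header, so ownership and audit show the
    real end user. The Application user's security role needs the
    "Act on Behalf of Another User" privilege for this header to be honoured."""
    if not is_systemuser_guid(caller_user_id):
        raise ValueError("caller_user_id must be a systemuserid GUID")
    url = f"{org_url.rstrip('/')}/api/data/v9.2/{entity_set}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json; charset=utf-8",
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
        "MSCRMCallerID": caller_user_id,
    }
    status, resp_headers, raw = transport(url, json.dumps(record).encode("utf-8"), headers)
    if status != 204:  # the Web API answers a create with 204 No Content
        raise RuntimeError(f"create failed with {status}: {raw[:200]!r}")
    entity_url = {k.lower(): v for k, v in resp_headers.items()}.get("odata-entityid")
    if not entity_url:
        raise RuntimeError("response lacks OData-EntityId")
    return entity_url


if __name__ == "__main__":
    # Placeholder values; replace with the real tenant, app registration and organization.
    org = "https://org.crm.dynamics.com"
    tok = client_credentials_token("contoso.onmicrosoft.com", "<client-id>", "<secret>", org)
    print(impersonated_post(org, "accounts", {"name": "Contoso"}, tok,
                            "00000000-0000-0000-0000-000000000001"))
```

The secret here is the whole trust relationship, so it belongs in the back end only: the JavaScript half of AppA should post to its own MVC controller, which holds the secret and adds `MSCRMCallerID`, rather than calling the CRM Web API from the browser. The mapping from the AppA user to a CRM systemuserid has to be maintained on the server as well; taking the caller GUID from the client request would let any user of AppA act as any CRM user.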

CRM 2016:Using Web API for CRM IFD to connect CRM Web Service

I'm new to the Web API and trying to build a CRM web service application in C# using the Web API. Here is the sample code I'm using: C# application which authenticates against Azure AD using ADAL and communicates with Dynamics CRM.
This code works perfectly for AD authentication in an on-premises CRM environment. But my environment is IFD, which means I have to use OAuth. It says method calls to the web services must be authorized with the identity provider for that service endpoint. However, all the examples point to Microsoft Azure Active Directory, but for a real case, do we have to register a CRM app with Azure Active Directory?
Then how can I define the 'Client ID', 'RedirectUrl' and 'Authority' in my code, and where is my endpoint? We're using ADFS authentication.
Can anyone share some sample code?
Thanks.
