Upravit

Sdílet prostřednictvím


Configure Lifecycle Services connectivity for Finance + Operations (on-premises) deployments

An on-premises local agent is used to orchestrate the deployment and servicing of Microsoft Dynamics 365 Finance + Operations (on-premises) through Microsoft Dynamics Lifecycle Services. To establish connectivity from Lifecycle Services to the Finance + Operations (on-premises) tenant, you must configure a certificate that enables the local agent to act on behalf of your Microsoft Entra tenant (for example, contoso.onmicrosoft.com).

Use either the on-premises agent certificate that you acquired from a certification authority (CA) or the self-signed certificate that you generated by using the infrastructure scripts. The on-premises agent certificate could previously be reused across multiple sandbox and production environments per tenant. However, we no longer recommend that approach for the new authentication process.

New authentication process (Bring-your-own Microsoft Entra service principal)

First-time setup

The user who runs the script must have privileges to create Microsoft Entra applications in their tenant. The script creates a new application and service principal in the tenant. It then registers a certificate. This certificate serves as the credential that is used for authentication.

To help reduce the impact of a security incident that is caused by a compromised certificate, we recommend that every environment has its own Microsoft Entra application, service principal, and certificate.

To create the Microsoft Entra application and service principal, and to register the certificate, follow these steps.

  1. Run the following command to create the Microsoft Entra application and service principal, and to register the certificate.

    # If you have issues downloading the Azure PowerShell Az module, run the following:
    # [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    Install-Module Az -RequiredVersion 12.3.0
    .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application'
    

Note

If multiple tenants are associated with the sign-in account, you can run the following command to pass the tenant ID as a parameter. In this way, you ensure that the context is set to the correct tenant.

.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application' -TenantId 'xxxx-xxxx-xxxx-xxxx'

Certificate renewal

Eventually, your certificate will expire. You must then renew the certificate and update the service principal with the new certificate.

To renew the certificate and update the service principal with the new certificate, follow these steps.

  1. Renew the certificate by using the same process that you used to create the original certificate.

  2. Run the following command to update the service principal with the new certificate.

    .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -RotateCertificate
    

Validating that the certificate is correctly registered

To validate that the certificate is correctly registered, run the following command.

.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -Test

Deprecated authentication process (ERP service principal)

Note

The following steps are for the deprecated authentication process. This process is supported only for a limited time and will be retired soon. If you're using the new authentication process, follow the steps in the New authentication process (Bring-your-own Microsoft Entra service principal) section earlier in this article.

Only user accounts that have the Global Administrator directory role can add certificates to the ERP service principal. By default, the person who signs up for Microsoft 365 for your organization is the global administrator for the directory. If you aren't the global administrator, you must work with the global administrator to complete the following steps.

Important

  • You must configure the certificate exactly one time per tenant. All on-premises environments under the same tenant must use the same certificate to connect with Lifecycle Services.
  • If you run the following script on a server machine (for example, a machine that is running Windows Server 2019), you must temporarily turn off Internet Explorer Enhanced Security Configuration. Otherwise, the content on the Azure sign-in page is blocked.
  1. Sign in to the Azure portal to verify that you have the Global Administrator directory role.

  2. From the infrastructure folder, run the following commands to determine whether the certificate is already registered.

    # If you have issues downloading the Azure PowerShell Az module, run the following:
    # [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    Install-Module Az -RequiredVersion 7.4.0
    .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint' -Test
    

    Important

    If you previously installed AzureRM, you should remove it, because it might not be compatible with any existing AzureRM installations in Windows PowerShell 5.1. Learn more in Migrate Azure PowerShell from AzureRM to Az.

  3. If the script indicates that the certificate isn't registered, run the following command.

    .\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint'
    

Note

If multiple tenants are associated with the sign-in account, you can run the following command to pass the tenant ID as a parameter. In this way, you ensure that the context is set to the correct tenant.

.\Add-CertToServicePrincipal.ps1 -CertificateThumbprint 'OnPremLocalAgent Certificate Thumbprint' -TenantId 'xxxx-xxxx-xxxx-xxxx'