Post-installation and configuration guidelines for Microsoft Dynamics 365

This section describes several of the tasks that the Dynamics 365 Customer Engagement (on-premises) administrator should consider after the Dynamics 365 Server application is installed. This section isn’t meant to be an exhaustive resource used to configure deployments. Instead, use this section as a guideline to determine what best practices to implement and features to configure, based on your organization's needs.

Copy your organization encryption key

All new and upgraded organizations use data encryption that uses an encryption key to secure data such as user passwords for email mailboxes and Yammer accounts. This encryption key may be required to use Dynamics 365 Customer Engagement (on-premises) after a redeployment or failure recovery. We strongly recommend that you make a copy of the encryption key and save it to a secure location. More information:Copy your organization data encryption key

Make Dynamics 365 client-to-server network communications more secure

With any network design, it is important to consider the security of your organization's client-to-server communications. When making necessary decisions that can help protect data, we recommend that you understand the following information about Dynamics 365 Customer Engagement (on-premises) network communication and about the technology options that are available that provide more secure data transmissions.

If you installed Dynamics 365 Customer Engagement (on-premises) or upgraded a Dynamics 365 Server that isn’t already configured for HTTPS, Dynamics 365 Customer Engagement (on-premises) client-to-server communications are not encrypted. When using a website that supports only HTTP, information from Customer Engagement clients is transmitted in clear text and, therefore, possibly vulnerable to malicious intent, such as "man-in-the-middle" type attacks that could compromise content by adding scripts to perform harmful actions.

Configuring Dynamics 365 for HTTPS

Configuring a site for HTTPS will cause a disruption in the Dynamics 365 Customer Engagement (on-premises) application so plan the configuration when there will be minimal disruption to users. The high-level steps for configuring Dynamics 365 Customer Engagement (on-premises) for HTTPS are as follows:

  1. In Dynamics 365 Deployment Manager, disable the server where the Web Application Server, Organization Web Service, Discovery Web Service, and Deployment Web Service roles are running. If this is a Full Server deployment, all server roles are running on the same computer. For information about how to disable a server, see Dynamics 365 Customer Engagement (on-premises)Deployment Manager Help.

  2. Configure the website where the Web Application Server role is installed to use HTTPS. For more information about how to do this, see Internet Information Services (IIS) Help.

  3. Set the binding in Deployment Manager. This is done on the Web Address tab of the Properties page for the deployment. For more information about how change the bindings see Microsoft Dynamics 365 deployment properties.

  4. If you want to make other Customer Engagement services more secure and Dynamics 365 Customer Engagement (on-premises) is installed by using separate server roles, repeat the previous steps for the additional server roles.

Configure a Dynamics 365 Internet-facing deployment

After all Dynamics 365 Server roles are installed, you can configure the deployment so that remote users can connect to the application through the Internet. To do this, start Rule Deployment Manager and complete the Configure Claims-Based Authentication Wizard followed by the Internet-Facing Deployment Configuration Wizard. Alternatively, you can complete these tasks using Windows PowerShell. More information: Overview of Dynamics 365 Customer Engagement (on-premises) PowerShell

Important

For Dynamics 365 for tablets to successfully connect to a new deployment of Dynamics 365 Server, you must run a Repair of the Dynamics 365 Server application on the server running IIS where the Web Application Server role is installed after the Internet-Facing Deployment Configuration Wizard is successfully completed.

Add or remove sample data

Sample data is available to help you become familiar with how Dynamics 365 Customer Engagement (on-premises) works. By using sample data, work with records and see how they relate to each other, how data displays in charts, and see what information is in reports.

Sample data can be added or removed from within the Customer Engagement application. More information:Add or remove sample data

Complete the configuration tasks for new organizations

After you've completed installing Dynamics 365 Customer Engagement (on-premises), but before the business users in your organization start using it, there are some basic tasks that you, as the Customer Engagement administrator, should complete. These tasks include defining business units and security roles, adding users, and importing data.

More information: Set up a Dynamics 365 organization

Import apps and solutions

Sales and Field Service apps are available to you. More information: Available apps for Dynamics 365 Customer Engagement (on-premises)

Use solutions to extend functionality and the user interface. Customizers and developers distribute their work as solutions. Organizations use Dynamics 365 Customer Engagement (on-premises) to import the solution. Find a solution in the Microsoft AppSource.

Important

Importing a solution or publishing customizations can interfere with normal system operation. We recommend that you schedule solution imports when it’s least disruptive to users.

For more information about how to import a solution, see Import, update, and export a solution.

Configure Windows Server for Dynamics 365 Customer Engagement (on-premises) applications that use OAuth

The following information describes how to configure Windows Server with AD FS to support Customer Engagement applications such as Dynamics 365 for phones, Dynamics 365 for tablets, Dynamics 365 for Outlook, Microsoft Social Engagement, or other Dynamics 365 for Customer Engagement applications that need OAuth support.

Enable forms authentication

By default, forms authentication is disabled in the intranet zone. You must enable forms authentication by following these steps:

  1. Log on to the AD FS server as an administrator.

  2. Open the ADFS management wizard.

  3. Select Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.

  4. Select (check) Form Based Authentication on the Intranet tab.

Configure the OAuth provider

Follow these steps to configure the OAuth provider in Dynamics 365 Customer Engagement (on-premises):

  1. Log on to the Dynamics 365 Customer Engagement (on-premises) server as an administrator.

  2. Add the Customer EngagementWindows PowerShell snap-in (Microsoft.Crm.PowerShell.dll). More information: Administer the deployment using Windows PowerShell

    Add-PSSnapin Microsoft.Crm.PowerShell  
    
  3. Enter the following Windows PowerShell commands.

    
    $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings  
    $ClaimsSettings.Enabled = $true  
    Set-CrmSetting -Setting $ClaimsSettings  
    
    

Register the client apps

The client apps must be registered with AD FS.

  1. Log on to the AD FS server as administrator.

  2. In a PowerShell window, execute the following commands to register each application that is applicable to your deployment.

    Dynamics 365 (online), version 8.2 mobile apps for Apple iPhone, Android, and Windows.

    Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d -Name "Microsoft Dynamics CRM for tablets and phones" -RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/, ms-app://s-1-15-2-3389625500-1882683294-3356428533-41441597-3367762655-213450099-2845559172/, ms-auth-dynamicsxrm://com.microsoft.dynamics,ms-auth-dynamicsxrm://com.microsoft.dynamics.iphone.moca,ms-auth-dynamicsxrm://com.microsoft.dynamics.ipad.good,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.iphone.moca,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.ipad.good,msauth://com.microsoft.crm.crmtablet/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D,msauth://com.microsoft.crm.crmphone/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D, urn:ietf:wg:oauth:2.0:oob  
    

    Dynamics 365 for Outlook.

    Add-AdfsClient -ClientId  2f29638c-34d4-4cf2-a16a-7caf612cee15  -Name "Dynamics CRM Outlook Client" -RedirectUri app://6BC88131-F2F5-4C86-90E1-3B710C5E308C/  
    

    Unified Service Desk client.

    Add-AdfsClient -ClientId  4906f920-9f94-4f14-98aa-8456dd5f78a8  -Name "Dynamics 365 Unified Service Desk" -RedirectUri app://41889de4-3fe1-41ab-bcff-d6f0a6900264/  
    

    Dynamics 365 Customer Engagement (on-premises) developer tools.

    Add-AdfsClient -ClientId  2ad88395-b77d-4561-9441-d0e40824f9bc  -Name "Dynamics 365 Development Tools" -RedirectUri app://5d3e90d6-aa8e-48a8-8f2c-58b45cc67315/  
    
  3. To register the Dynamics 365 App for Outlook, in Customer Engagement (on-premises), go to Settings > Dynamics 365 App for Outlook and register the app there.

Additional steps for clients unable to connect to the Dynamics 365 Server via IFD

If clients experience issues connecting through the IFD after you have registered them, follow each step here to resolve the issue.

Remove site authentication providers

  1. On the Dynamics 365 Server where the web application server role is running, open Internet Information Services (IIS) Manager.

  2. In the left pane, under the organization name, expand Sites, and then select Microsoft Dynamics CRM.

  3. Double-click Authentication in the middle pane.

  4. Right-click Windows Authentication, and select Providers. For each provider in the list, select the provider, select Remove, and then select OK.

  5. After all providers are removed, right-click Windows Authentication, and then select Disable.

    Remove site provider.

Repeat the previous steps to remove all Windows Authentication providers from the nga and AppWebServices site folders.

Add the AD FS address to the client local intranet zone to avoid client authentication prompts

  1. On the client computer, select Start, enter inetcpl.cpl, and select Enter to open Internet Properties.
  2. Select the Security tab, select the Local intranet zone, select Sites, and then select Advanced.
  3. Enter in the AD FS address, select Add, select Close, select OK, and then select OK again.

Grant application permission when using Windows Server 2016 AD FS

On the AD FS server, run the following command in a Windows PowerShell console. This is required if you use Windows Server 2016 AD FS.

Grant-AdfsApplicationPermission -ClientRoleIdentifier "<client_id/org_id>" -ServerRoleIdentifier "<org_auth_url>"

Important

Make sure org_auth_url is complete and accurate URL. Also, you must include the trailing forward slash /.
For example:

Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.contoso.com:444/ 

To display the authentication URL, run this PowerShell command:

 Get-ADFSRelyingPartyTrust 

Restart AD FS

On the AD FS server, run the following PowerShell commands to force AD FS to restart.

net stop adfssrv 
net start adfssrv

Enable Device Registration Service (DRS) on the federation server

To make sure that devices can connect to your deployment, follow the instructions in this topic: Configure a federation server with Device Registration Service.

Configure databases for SQL Server AlwaysOn

Although the article referenced below applies to an earlier version of Dynamics 365 Customer Engagement (on-premises), you can use similar steps to configure the Dynamics 365 Customer Engagement (on-premises), version 9 organization and configuration databases for SQL Server AlwaysOn.

Important

The final tasks under step 4 in the below article link that describe how to Create the MSCRMSqlClrLogin SQL Login under Create the SQL logins for the Microsoft Dynamics 365 security groups on all secondary replicas are not applicable to this version and should be ignored when configuring Dynamics 365 Customer Engagement (on-premises), version 9 databases to use SQL Server AlwaysOn.
MSCRMSqlClrLogin SQL login, the asymmetric key for it, and Microsoft.Crm.SqlClr.Helper.dll aren’t required with Dynamics 365 Customer Engagement (on-premises), version 9.

More information: Set configuration and organization databases for SQL Server AlwaysOn failover

User training and adoption

More information: Training and Adoption Kit for Microsoft Dynamics 365

See also

Installing on-premises Dynamics 365
Operating Microsoft Dynamics 365