Post-installation and configuration guidelines for Microsoft Dynamics 365
This section describes several of the tasks that the Dynamics 365 for Customer Engagement administrator should consider after the Dynamics 365 Server application is installed. This section isn’t meant to be an exhaustive resource used to configure deployments. Instead, use this section as a guideline to determine what best practices to implement and features to configure, based on your organization's needs.
Copy your organization encryption key
All new and upgraded organizations use data encryption that uses an encryption key to secure data such as user passwords for email mailboxes and Yammer accounts. This encryption key may be required to use Dynamics 365 for Customer Engagement after a redeployment or failure recovery. We strongly recommend that you make a copy of the encryption key and save it to a secure location. More information:Copy your organization data encryption key
Make Dynamics 365 client-to-server network communications more secure
With any network design, it is important to consider the security of your organization's client-to-server communications. When making necessary decisions that can help protect data, we recommend that you understand the following information about Dynamics 365 for Customer Engagement network communication and about the technology options that are available that provide more secure data transmissions.
If you installed Dynamics 365 for Customer Engagement or upgraded a Dynamics 365 Server that isn’t already configured for HTTPS, Dynamics 365 for Customer Engagement client-to-server communications are not encrypted. When using a website that supports only HTTP, information from Customer Engagement clients is transmitted in clear text and, therefore, possibly vulnerable to malicious intent, such as "man-in-the-middle" type attacks that could compromise content by adding scripts to perform harmful actions.
Configuring Dynamics 365 for HTTPS
Configuring a site for HTTPS will cause a disruption in the Dynamics 365 for Customer Engagement application so plan the configuration when there will be minimal disruption to users. The high-level steps for configuring Dynamics 365 for Customer Engagement for HTTPS are as follows:
In Dynamics 365 Deployment Manager, disable the server where the Web Application Server, Organization Web Service, Discovery Web Service, and Deployment Web Service roles are running. If this is a Full Server deployment, all server roles are running on the same computer. For information about how to disable a server, see Dynamics 365 for Customer EngagementDeployment Manager Help.
Configure the website where the Web Application Server role is installed to use HTTPS. For more information about how to do this, see Internet Information Services (IIS) Help.
Set the binding in Deployment Manager. This is done on the Web Address tab of the Properties page for the deployment. For more information about how change the bindings see Microsoft Dynamics 365 deployment properties.
If you want to make other Customer Engagement services more secure and Dynamics 365 for Customer Engagement is installed by using separate server roles, repeat the previous steps for the additional server roles.
Configure a Dynamics 365 Internet-facing deployment
After all Dynamics 365 Server roles are installed, you can configure the deployment so that remote users can connect to the application through the Internet. To do this, start Rule Deployment Manager and complete the Configure Claims-Based Authentication Wizard followed by the Internet-Facing Deployment Configuration Wizard. Alternatively, you can complete these tasks using Windows PowerShell. More information: Overview of Dynamics 365 Customer Engagement (on-premises) PowerShell
For Dynamics 365 for tablets to successfully connect to a new deployment of Dynamics 365 Server, you must run a Repair of the Dynamics 365 Server application on the server running IIS where the Web Application Server role is installed after the Internet-Facing Deployment Configuration Wizard is successfully completed.
Add or remove sample data
Sample data is available to help you become familiar with how Dynamics 365 for Customer Engagement works. By using sample data, work with records and see how they relate to each other, how data displays in charts, and see what information is in reports.
Sample data can be added or removed from within the Customer Engagement application. More information:Add or remove sample data
Complete the configuration tasks for new organizations
After you've completed installing Dynamics 365 for Customer Engagement, but before the business users in your organization start using it, there are some basic tasks that you, as the Customer Engagement administrator, should complete. These tasks include defining business units and security roles, adding users, and importing data.
More information: Set up a Dynamics 365 organization
Import apps and solutions
Sales and Field Service apps are available to you. More information: Available apps for Dynamics 365 Customer Engagement (on-premises)
Use solutions to extend functionality and the user interface. Customizers and developers distribute their work as solutions. Organizations use Dynamics 365 for Customer Engagement to import the solution. Find a solution in the Microsoft AppSource.
Importing a solution or publishing customizations can interfere with normal system operation. We recommend that you schedule solution imports when it’s least disruptive to users.
For more information about how to import a solution, see Import, update, and export a solution.
Configure Windows Server for Dynamics 365 Customer Engagement (on-premises) applications that use OAuth
The following information describes how to configure Windows Server with AD FS to support Customer Engagement applications such as Dynamics 365 for phones, Dynamics 365 for tablets, Dynamics 365 for Outlook, Microsoft Social Engagement, or other Dynamics 365 for Customer Engagement applications that need OAuth support.
Enable forms authentication
By default, forms authentication is disabled in the intranet zone. You must enable forms authentication by following these steps:
Log on to the AD FS server as an administrator.
Open the ADFS management wizard.
Select Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.
Select (check) Form Based Authentication on the Intranet tab.
Configure the OAuth provider
Follow these steps to configure the OAuth provider in Dynamics 365 for Customer Engagement:
Log on to the Dynamics 365 for Customer Engagement server as an administrator.
Add the Customer EngagementWindows PowerShell snap-in (Microsoft.Crm.PowerShell.dll). More information: Administer the deployment using Windows PowerShell
Enter the following Windows PowerShell commands.
$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings $ClaimsSettings.Enabled = $true Set-CrmSetting -Setting $ClaimsSettings
Register the client apps
The client apps must be registered with AD FS.
Log on to the AD FS server as administrator.
In a PowerShell window, execute the following commands to register each application that is applicable to your deployment.
Dynamics 365 (online), version 8.2 mobile apps for Apple iPhone, Android, and Windows.
Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d -Name "Microsoft Dynamics CRM for tablets and phones" -RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/, ms-app://s-1-15-2-3389625500-1882683294-3356428533-41441597-3367762655-213450099-2845559172/, ms-auth-dynamicsxrm://com.microsoft.dynamics,ms-auth-dynamicsxrm://com.microsoft.dynamics.iphone.moca,ms-auth-dynamicsxrm://com.microsoft.dynamics.ipad.good,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.iphone.moca,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.ipad.good,msauth://com.microsoft.crm.crmtablet/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D,msauth://com.microsoft.crm.crmphone/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D, urn:ietf:wg:oauth:2.0:oob
Dynamics 365 for Outlook.
Add-AdfsClient -ClientId 2f29638c-34d4-4cf2-a16a-7caf612cee15 -Name "Dynamics CRM Outlook Client" -RedirectUri app://6BC88131-F2F5-4C86-90E1-3B710C5E308C/
Unified Service Desk client.
Add-AdfsClient -ClientId 4906f920-9f94-4f14-98aa-8456dd5f78a8 -Name "Dynamics 365 Unified Service Desk" -RedirectUri app://41889de4-3fe1-41ab-bcff-d6f0a6900264/
Dynamics 365 for Customer Engagement developer tools.
Add-AdfsClient -ClientId 2ad88395-b77d-4561-9441-d0e40824f9bc -Name "Dynamics 365 Development Tools" -RedirectUri app://5d3e90d6-aa8e-48a8-8f2c-58b45cc67315/
To register the Dynamics 365 App for Outlook, in Customer Engagement (on-premises), go to Settings > Dynamics 365 App for Outlook and register the app there.
Additional steps for clients unable to connect to the Dynamics 365 Server via IFD
If clients experience issues connecting through the IFD after you have registered them, follow each step here to resolve the issue.
Remove site authentication providers
On the Dynamics 365 Server where the web application server role is running, open Internet Information Services (IIS) Manager.
In the left pane, under the organization name, expand Sites, and then select Microsoft Dynamics CRM.
Double-click Authentication in the middle pane.
Right-click Windows Authentication, and select Providers. For each provider in the list, select the provider, select Remove, and then select OK.
After all providers are removed, right-click Windows Authentication, and then select Disable.
Repeat the previous steps to remove all Windows Authentication providers from the nga and AppWebServices site folders.
Add the AD FS address to the client local intranet zone to avoid client authentication prompts
- On the client computer, select Start, enter inetcpl.cpl, and select Enter to open Internet Properties.
- Select the Security tab, select the Local intranet zone, select Sites, and then select Advanced.
- Enter in the AD FS address, select Add, select Close, select OK, and then select OK again.
Grant application permission when using Windows Server 2016 AD FS
On the AD FS server, run the following command in a Windows PowerShell console. This is required if you use Windows Server 2016 AD FS.
Grant-AdfsApplicationPermission -ClientRoleIdentifier "<client_id/org_id>" -ServerRoleIdentifier "<org_auth_url>"
Make sure org_auth_url is complete and accurate URL. Also, you must include the trailing forward slash /.
Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.contoso.com:444/
To display the authentication URL, run this PowerShell command:
Restart AD FS
On the AD FS server, run the following PowerShell commands to force AD FS to restart.
net stop adfssrv net start adfssrv
Enable Device Registration Service (DRS) on the federation server
To make sure that devices can connect to your deployment, follow the instructions in this topic: Configure a federation server with Device Registration Service.
User training and adoption
More information: Training and Adoption Kit for Microsoft Dynamics 365
Submit and view feedback for