How to Set Up Single Sign-On in Dynamics 365 Step by Step
Setting up Single Sign-On (SSO) in Dynamics 365 links user sign-in to an identity provider such as Microsoft Entra ID (formerly Azure Active Directory). Dynamics 365 online authenticates users through Entra ID with OAuth 2.0 and OpenID Connect; an on-premises Internet-Facing Deployment federates with AD FS using WS-Federation and SAML tokens. The benefits:
Users open every connected app with one sign-in, which saves time and reduces password fatigue.
Security improves because multi-factor authentication, conditional access and account lockout are enforced centrally at the identity provider instead of per application.
Onboarding and offboarding are simpler: access is granted and revoked in one place.
Helpdesk costs fall because password reset requests drop once users have fewer passwords to remember.
Key Takeaways
First, confirm the prerequisites: a supported Dynamics 365 version, a working Active Directory (on-premises) or Entra ID tenant, and valid, unexpired certificates for every hostname involved.
Register Dynamics 365 (or the component that receives tokens) in your identity provider and configure the protocol it uses: WS-Federation or SAML for AD FS, OpenID Connect for Entra ID.
Map claims correctly, above all the user principal name (UPN), so Dynamics 365 can match the token to a user record. Control access through groups rather than individual assignments.
Test the setup with a dedicated test user before rolling it out, and keep a troubleshooting checklist for the common failures (certificate mismatch, wrong claim, unassigned user).
Keep the setup secure: require multi-factor authentication, rotate secrets and certificates on a schedule, and monitor sign-in and audit logs.
Single Sign-On Preparation
Prerequisites
Check the following before you start configuring Single Sign-On in Dynamics 365:
Microsoft Dynamics CRM 2013 or a newer on-premises version, or Dynamics 365 online (including the Dynamics 365 Sales app).
Online users need a full user license; on-premises users need a Professional CAL.
A Dynamics 365 administrator account: the System Administrator security role, plus membership in the Deployment Administrators group if you will use Deployment Manager on-premises.
A currently supported browser such as Microsoft Edge, Chrome, Firefox or Safari. Internet Explorer is retired and no longer supported.
For on-premises, the Dynamics 365 Server must be configured for claims-based authentication and an Internet-Facing Deployment (IFD).
Active Directory Federation Services (AD FS) on a supported Windows Server release (2016, 2019 or 2022). Windows Server 2012 R2 is out of support and should not host a federation server.
Valid TLS certificates, issued by a CA your clients trust, for every Dynamics 365 and AD FS hostname (including the discovery, auth and organization URLs).
The CRMAppPool service account must have read permission on the private key of the claims encryption certificate.
Network connectivity (HTTPS) between the Dynamics 365 Server and the AD FS federation server, and from clients to both.
Tip: Ask your hosting provider to help with integration testing. This is important after updates.
Supported Protocols
Which protocol you configure depends on where Dynamics 365 runs and what talks to it:
Dynamics 365 online authenticates against Microsoft Entra ID using OAuth 2.0 and OpenID Connect; Entra ID is the primary identity provider. An on-premises IFD federates with AD FS over WS-Federation, with AD FS issuing SAML 1.1 or 2.0 tokens. Power Pages portals can additionally accept external providers (Azure AD B2C, Okta, or social accounts such as Google and Facebook) over OpenID Connect, SAML 2.0 or WS-Federation once you configure them.
Tools and Information
If a separate Security Token Service (STS) sits between your users and Microsoft Entra ID, you need the following to set it up:
An STS such as AD FS or PingFederate, reachable over HTTPS with a certificate your clients trust.
The unique entity ID (issuer identifier) of your STS.
The assertion consumer service (ACS) URL to which SAML tokens are delivered; it must be HTTPS.
An enterprise application in Microsoft Entra ID representing your STS.
An Entra administrator role that can manage enterprise applications, such as Cloud Application Administrator.
A test user in Microsoft Entra ID for verifying the setup.
The Entra federation metadata, as a URL or a downloaded XML file.
The Entra signing certificate, extracted from that metadata, to establish trust.
Import the metadata and certificate into your STS.
Configure claim rules in your STS for your application.
Note: Teams new to AD FS often struggle with the claims rule language and with Kerberos delegation and SPN configuration. Plan extra time if this is your team's first federation setup.
Identity Provider Setup
The identity provider configuration is where trust between Dynamics 365 and the provider is established. You register the application, choose the protocol, and exchange metadata. The exact screens differ per provider, but the pieces are the same.
Register Application
Register Dynamics 365 (or the component that will receive tokens on its behalf) as an application in your identity provider, for example Microsoft Entra ID. The registration tells the provider which redirect URIs are legitimate and which permissions the application may request.
To register the application:
Sign in to the Azure portal with an account that can create app registrations.
Open "Microsoft Entra ID" (shown as "Azure Active Directory" on older portals) and select "App registrations".
Click "+ New registration".
Enter a descriptive name for the application.
Select "Accounts in this organizational directory only (Single tenant)" unless you intentionally serve multiple tenants.
Set the redirect URI. It must be the exact HTTPS URL of the component that receives the token; the two examples below are a vendor connector endpoint and the Business Central OAuth landing page respectively, so substitute the value your own component documents:
https://<your-dynamics365-domain>/commandcenter/processAzureAuthToken.do
or https://businesscentral.dynamics.com/OAuthLanding.htm
Click "Register".
Copy the Application (client) ID and the Directory (tenant) ID; you will need both later.
Under "API permissions", add only what the component actually needs. For a service that calls the Dataverse Web API, that is Dynamics CRM "user_impersonation". Graph permissions such as Application.ReadWrite.All and Directory.Read.All are highly privileged tenant-wide permissions; add them only if the integration genuinely manages directory objects, and never for plain interactive sign-in.
Grant admin consent for the permissions you added.
Under "Certificates & secrets", create a credential. Prefer a certificate; if you must use a client secret, store the value in a secret store (for example Azure Key Vault) immediately, because it is shown only once.
In Dynamics 365, create an application user bound to the Application (client) ID and assign it a security role. Use a custom role with the minimum privileges the integration needs; reserve "System Administrator" for setup and remove it afterwards.
Tip: Rotate client secrets at least every 90 days, or avoid secrets altogether with a certificate credential or a managed identity for Azure-hosted workloads.
With the registration complete, Dynamics 365 and your identity provider can exchange tokens for Single Sign-On and for service-to-service calls.
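The secret-rotation advice above (and again under Maintenance) is easy to state and easy to get wrong: the new secret has to exist before the old one is removed, and the secret text is only ever shown once. The following PowerShell is an added example, not code from the original article, using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the caller holds Application.ReadWrite.All or owns the registration, and `$AppObjectId` is the registration's Object ID (a placeholder here, not the Application (client) ID).

```powershell
# Added example (not from the original article): overlap-style rotation of an app
# registration's client secret with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Applications module installed; caller has
# Application.ReadWrite.All or is an owner of the app; $AppObjectId is a placeholder.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$AppObjectId  = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration Object ID
$RotationDays = 90

function Invoke-ClientSecretRotation {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [int]$ValidDays = 90,
        [switch]$RemoveOld      # only after the consumer has been switched to the new secret
    )
    $app = Get-MgApplication -ApplicationId $ApplicationId

    # 1. Add the replacement secret first, so there is never a window with no valid credential.
    $new = Add-MgApplicationPassword -ApplicationId $ApplicationId -PasswordCredential @{
        DisplayName = "rotated $(Get-Date -Format yyyy-MM-dd)"
        EndDateTime = (Get-Date).AddDays($ValidDays)
    }
    # $new.SecretText is returned exactly once. Hand it to the consumer (site settings,
    # Key Vault, ...) from here; never write it to a log or a ticket.

    # 2. Once the consumer uses the new secret, delete every other secret on the app.
    if ($RemoveOld) {
        foreach ($cred in $app.PasswordCredentials) {
            if ($cred.KeyId -ne $new.KeyId) {
                Remove-MgApplicationPassword -ApplicationId $ApplicationId -KeyId $cred.KeyId
            }
        }
    }

    # 3. Report what remains so the next rotation date is visible.
    (Get-MgApplication -ApplicationId $ApplicationId).PasswordCredentials |
        Select-Object DisplayName, KeyId, StartDateTime, EndDateTime
}

# First run: create the new secret and distribute it.
Invoke-ClientSecretRotation -ApplicationId $AppObjectId -ValidDays $RotationDays
# Second run, after the consumer has been updated: retire the old secret(s).
# Invoke-ClientSecretRotation -ApplicationId $AppObjectId -ValidDays $RotationDays -RemoveOld
```

Run it in two passes as shown: the first adds the secret, the second (with `-RemoveOld`) retires the previous ones after the consuming component has been updated. Where the consumer supports it, replace the secret with a certificate credential (`Add-MgApplicationKey`) so there is nothing to copy around at all.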
Configure SAML or WS-Federation
After the application is registered, configure the protocol. Dynamics 365 on-premises uses WS-Federation with AD FS; a SAML 2.0 relying party (for example a portal or a third-party SSO broker) uses the SAML WebSSO profile. The steps below use the AD FS Management console.
Open AD FS Management and add a new relying party trust.
Choose to enter the data manually and give the relying party a display name.
Select the "AD FS profile" (the current profile, not the AD FS 1.0/1.1 profile) and enable the protocol the relying party uses: WS-Federation passive for Dynamics 365 on-premises, or SAML 2.0 WebSSO for a SAML service provider.
Enter the reply URL. It must be HTTPS and must exactly match the Dynamics 365 endpoint (AD FS rejects a mismatch, and an HTTP URL would expose the token).
Add the site URL as the relying party identifier.
Decide whether to require multi-factor authentication now or later; in AD FS 2016 and newer this is an access control policy on the trust.
Permit all users (or a narrower access control policy) for the relying party.
Add claim rules, for example a "Transform an Incoming Claim" rule that turns the Windows account name into a Name ID with the persistent identifier format, and an LDAP rule that issues the UPN.
All of this can be scripted with the ADFS PowerShell module, which is preferable for repeatable, reviewable changes.
If the federated domain is configured on the Microsoft Entra side (Entra trusting your STS), you may also need to:
Enable support for multiple federated domains on the STS if more than one domain is federated.
Provide the MEX (metadata exchange) endpoint, either as a URL or by uploading the metadata file from your identity provider.
Set the Active Logon URL, the WS-Trust endpoint used for active (non-browser) authentication such as rich clients.
Note: The identity provider you choose determines how much of this is manual. Providers with mature identity and access management, such as Microsoft Entra ID, expose most of it as configuration rather than hand-written rules, which reduces the chance of a security-relevant mistake.
Collect Metadata
To finish the Single Sign-On setup, Dynamics 365 needs your identity provider's federation metadata. The metadata document contains the entity ID, the token-signing certificate, and the service endpoints.
To collect it:
Locate the metadata URL in your identity provider. In AD FS this is the "Federation Metadata URL".
Copy the URL. For AD FS it has the form
https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml
In Dynamics 365 Deployment Manager, run "Configure Claims-Based Authentication" (and "Configure Internet-Facing Deployment" for an IFD) and paste the federation metadata URL into the security token service field.
Dynamics 365 imports the metadata, including the signing certificate, from that URL. From then on it accepts only tokens signed by that certificate, which is what makes the federation trustworthy.
Tip: Always point at the live metadata URL rather than a saved copy, and whenever the identity provider's signing certificate or endpoints change, refresh the metadata in Dynamics 365 before the old certificate expires; otherwise every sign-in fails with a signature error.
Choosing an identity provider with solid role management and conditional access makes the rest of the setup easier and the environment easier to keep secure.
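The tip above hinges on knowing when the signing certificate in the metadata is about to expire. The following PowerShell is an added example, not code from the original article: it downloads (or reads from disk) a federation metadata document, extracts the entity ID, SSO endpoints and signing certificates, and warns when a certificate is within a configurable number of days of expiry. The `adfs.contoso.com` URL is a placeholder; the script ends by building a constructed sample metadata file around a throwaway self-signed certificate so the function can be exercised offline.

```powershell
# Added example (not from the original article): read federation metadata and flag
# signing certificates that are close to expiry. The AD FS URL below is a placeholder.
function Get-FederationSigningInfo {
    param(
        [string]$Url = 'https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml',
        [string]$Path,          # optional: read a saved metadata XML instead of fetching $Url
        [int]$WarnDays = 30
    )
    [xml]$md = if ($Path) { Get-Content -Raw -Path $Path }
               else       { (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content }

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $md.DocumentElement.GetAttribute('entityID')

    # Both the WS-Federation RoleDescriptor and the SAML IDPSSODescriptor carry
    # KeyDescriptor use="signing"; collect every certificate under either.
    $certs = foreach ($n in $md.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)) {
        $raw = [Convert]::FromBase64String(($n.InnerText -replace '\s', ''))
        $c   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
        }
    }
    $certs = @($certs | Sort-Object Thumbprint -Unique)

    $sso = @($md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
        ForEach-Object { "$($_.GetAttribute('Binding')) -> $($_.GetAttribute('Location'))" })

    foreach ($c in $certs) {
        if ($c.DaysLeft -le $WarnDays) {
            Write-Warning "Signing certificate $($c.Thumbprint) ($($c.Subject)) expires in $($c.DaysLeft) days; refresh the metadata in Dynamics 365"
        }
    }
    [pscustomobject]@{ EntityId = $entityId; SigningCerts = $certs; SsoEndpoints = $sso }
}

# Constructed sample for offline use: a throwaway self-signed certificate wrapped in minimal
# metadata. In practice call Get-FederationSigningInfo -Url <your metadata URL> instead.
$tmpCert = New-SelfSignedCertificate -Subject 'CN=sample-idp' -CertStoreLocation 'Cert:\CurrentUser\My' `
                                     -NotAfter (Get-Date).AddDays(10)
$b64 = [Convert]::ToBase64String($tmpCert.RawData)
$sample = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sample-idp/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$b64</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sample-idp/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
$samplePath = Join-Path $env:TEMP 'sample-metadata.xml'
Set-Content -Path $samplePath -Value $sample

Get-FederationSigningInfo -Path $samplePath | Format-List   # warns: sample cert expires in 10 days
Remove-Item -Path "Cert:\CurrentUser\My\$($tmpCert.Thumbprint)"   # clean up the throwaway cert
```

Schedule the function against the real metadata URL and compare the thumbprints it returns with the ones Dynamics 365 currently trusts; a new thumbprint in the metadata means AD FS has rolled its token-signing certificate and the Deployment Manager metadata refresh is due.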
Authentication Settings
Enter Provider Details
The settings in this section are the Power Pages (formerly Dynamics 365 Portals) authentication settings, where an external identity provider is connected so portal users can sign in with their existing accounts. Open the site's authentication settings; you will see fields to fill in with details from the provider's app registration.
Enter a display name for the identity provider. Users see this name on the sign-in page.
Select the provider type that matches your setup, such as Microsoft Entra ID or a generic SAML 2.0 or OpenID Connect provider.
Enter the Client ID from the app registration you created in the identity provider.
Enter the Client Secret from the same registration. Treat it like a password: it is stored as a site setting, so restrict who can read site settings.
For Azure AD B2C, add the user flow (policy) names for sign-in and sign-up. These control how users authenticate and how new accounts are created.
Tip: Always complete the app registration in the identity provider's portal first, following the provider's own guide, so the Client ID, Client Secret and redirect URI line up before you touch the portal settings.
If you use Azure AD B2C, configure the application in the Entra portal before entering its details here; a mismatch in redirect URI or policy name is the most common cause of sign-in errors at this stage.
Claims and Attribute Mapping
Claims tell Dynamics 365 who the signed-in user is. A claim is an assertion about the user (UPN, email, name) carried in the token. The claim types your identity provider issues must match what Dynamics 365 expects, otherwise the token is valid but the user cannot be matched to a record.
Practices that keep claim mapping correct:
Use the User Principal Name (UPN) as the matching claim. The UPN stored on the Dynamics 365 user record must equal the UPN (or equivalent attribute) your identity provider issues, character for character.
If your identity provider does not publish a metadata file, create one by hand containing the endpoint URLs, entity ID, signing certificate and the claim types Dynamics 365 requires.
Configure mapping (issuance) rules in your identity provider so user attributes such as email are sent as claims under the expected names. For the UPN, the claim type is
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
On-premises, use WS-Federation with SAML tokens; Dynamics 365 accepts SAML 1.1 and SAML 2.0 tokens for carrying user information.
Make sure signing certificates and signature algorithms match on both sides. A stale certificate or a SHA-1/SHA-256 mismatch shows up as a signature validation error, not as a claim error.
If you use Azure B2B guests or external identity providers, configure claim transformation in the Azure portal so attribute names coming from the external provider are rewritten to the names Dynamics 365 expects.
Note: In Entra ID, claim mapping is configured on the enterprise application, in the Single sign-on section, where you can add, rename or transform claims. Doing it there keeps claim names stable even when different upstream providers use different attribute names.
Correct claim mapping is the difference between a token that signs the user in and one that is rejected with "user not found".
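When a user is rejected despite a valid token, the fastest check is to look at which claims the identity provider actually sent rather than at the rules that should have produced them. The following PowerShell is an added example, not code from the original article: it parses a decoded SAML 2.0 response, lists the attribute claims and the NameID, and reports which required claim types are missing. The assertion is constructed for this example (signature omitted) and uses placeholder `contoso.com` values; in practice capture the real one from the `SAMLResponse` form field with browser developer tools and base64-decode it as shown in the comment.

```powershell
# Added example (not from the original article): compare the claims in a SAML response
# against the claim types Dynamics 365 needs. Sample response below is constructed.
function Test-SamlClaims {
    param(
        [Parameter(Mandatory)][string]$SamlXml,
        [string[]]$RequiredClaims = @()
    )
    [xml]$doc = $SamlXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')

    # Attribute claims live in AttributeStatement; the NameID claim lives in Subject.
    $claims = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    if ($nameId) {
        $claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = @($nameId.InnerText)
    }

    $missing = @($RequiredClaims | Where-Object { -not $claims.ContainsKey($_) })
    $upn     = $claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn']

    [pscustomobject]@{
        Issuer        = $doc.SelectSingleNode('//saml:Issuer', $ns).InnerText
        NameIdFormat  = if ($nameId) { $nameId.GetAttribute('Format') } else { $null }
        Claims        = $claims
        Missing       = $missing
        UpnLooksValid = [bool]($upn -and $upn[0] -match '^[^@\s]+@[^@\s]+$')
        # Presence only: this script does not validate the XML signature. Dynamics 365 does.
        Signed        = [bool]$doc.SelectSingleNode('//*[local-name()="Signature"]')
    }
}

# Constructed sample: the IdP sent an email attribute and a persistent NameID, but no UPN.
# To inspect a real one: [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($samlResponseFormField))
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.contoso.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.contoso.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CONTOSO\jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@contoso.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

$result = Test-SamlClaims -SamlXml $sample -RequiredClaims @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier')
$result | Format-List
# Missing contains the UPN claim type: the provider issued emailaddress instead, so
# Dynamics 365 has nothing to match against the user record's UPN.
```

The `Signed` field is deliberately a presence check only; signature validation belongs to the relying party, and a script that "validates" signatures with `SelectSingleNode` would give false confidence. What the script does tell you is whether the failure is a claim problem (fix the issuance rules) or not (look at certificates and endpoints instead).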
Assign Users
Users must be assigned before Single Sign-On works for them. Assignment happens in Microsoft Entra ID (or your chosen identity provider), and each user also needs an enabled user record in Dynamics 365.
Assign users to groups, or directly to the Dynamics 365 enterprise application, in Microsoft Entra ID.
For Dynamics 365 online, a licensed user who is added to the environment's security group gets a user record created or enabled in that environment automatically.
Removing the user from the group (or the license) disables the Dynamics 365 user record and removes access.
Synchronization runs on a schedule, so there can be a delay of several minutes between the directory change and the change in Dynamics 365.
Where provisioning is configured, scoping filters and attribute mappings control which users are provisioned and which attributes are written.
Every user who signs in must have a matching user record in Dynamics 365; without one, the token is accepted by the identity provider but the sign-in to Dynamics 365 fails.
Microsoft Entra ID's application gallery offers automatic (SCIM-based) provisioning for many third-party applications; Dynamics 365 online itself is provisioned through license and security-group assignment rather than SCIM.
Manage user and group assignments in Microsoft Entra ID as the single place that decides who can reach Dynamics 365.
✅ Group-based assignment scales: one group membership change grants or revokes access for many users, and the group can be reused in conditional access policies.
Once these steps are done, users sign in to Dynamics 365 with their existing accounts, and access is governed from one place.
Test and Troubleshoot Single Sign-On
Test Single Sign-On
Test the Single Sign-On setup before real users depend on it. The first check is a browser test: in a private browsing window, sign in as a dedicated test user, confirm the redirect to the identity provider, confirm the redirect back into Dynamics 365, and then check the identity provider's sign-in log (Entra sign-in logs, or the AD FS Admin event log) for the corresponding success event. The steps below, which the original page gives, test a Jet Reports connection from Excel to Dynamics NAV or Business Central on-premises rather than a Dynamics 365 Customer Engagement sign-in; use them only if that is your stack.
Open Microsoft Excel and locate the Jet ribbon.
Click "Data Source Settings" and select your Dynamics NAV or Business Central On-Premises data source.
On the Authentication tab, select "Microsoft 365 authentication".
Enter your Entra ID details: Tenant ID, Client application ID, Client application URI and Server application URI.
On the Web Service tab, enter the Server, Web Service Port and Instance value.
On the Authentication tab, click "Log In". The Microsoft sign-in window opens; enter the test user's credentials.
On success the window closes by itself.
Click "Test Connection" in Data Source Settings to confirm the connection to the service works with those details.
Note: This particular client does not support Multi-Factor Authentication. Use a test account configured for it, but do not exempt production accounts from MFA to make a tool work; fix the client or replace it instead.
Common Issues
You might see some problems when setting up Single Sign-On. The table below shows common issues, why they happen, and what you can do:
Troubleshooting Steps
If Single Sign-On fails, work through these checks in order:
✅ Start with the network path (can the client and the server reach the identity provider over HTTPS?), then certificates (expired, not trusted, or a signing certificate changed without refreshing metadata), then user settings (is the user assigned, licensed, and present in Dynamics 365 with a matching UPN?). These three account for most Single Sign-On failures.
Best Practices
Security Tips
Single Sign-On concentrates access on the identity provider, so the identity provider and the integration points deserve the most attention.
Require Multi-Factor Authentication (MFA) for all users, and enforce it at the identity provider (conditional access or AD FS access control policy) so it cannot be bypassed per application.
Use role-based access control (RBAC) in Dynamics 365. Grant each user only the security roles their job requires.
Apply the principle of least privilege to integrations as well: review application users and client permissions regularly and remove anything unused.
Encrypt data at rest and in transit; in practice this means TLS on every endpoint, including the AD FS and Dynamics 365 hostnames, with no plain HTTP reply URLs.
Enable auditing and monitoring. Record sign-ins, configuration changes and access to sensitive records, and review the identity provider's sign-in logs alongside the Dynamics 365 audit log.
Protect APIs with OAuth 2.0 and, where external systems connect, an API gateway, so no integration relies on shared passwords.
Review every integration point. Each connection should use its own identity, the minimum permissions, and a credential that is rotated.
Train the team on security practices. People who know what a phishing-resistant sign-in looks like report the ones that do not.
Tip: Document your security configuration and review it whenever the business or the integrations change.
Maintenance
An SSO setup needs ongoing care to keep working and to stay secure.
Review the Dynamics 365 configuration regularly and disable features and endpoints you do not use to reduce the attack surface.
Apply the latest patches to Dynamics 365, AD FS and the underlying servers; unpatched federation servers are a high-value target.
Use dedicated service accounts or application users for each integration, and rotate their client secrets (or certificates) on a fixed schedule.
Back up data and configuration, and test restores; an AD FS configuration database and the signing certificates should be part of that backup.
Monitor user activity and audit logs for anomalies such as sign-ins from unexpected locations or bulk record access.
Restrict bulk export privileges, and revoke access promptly when people leave, since Single Sign-On means one disabled account cuts off everything.
Track updates to third-party tools and verify their security posture before connecting them to Dynamics 365.
✅ Ongoing security training keeps the team ready for new threats.
Compliance
Regulations such as GDPR and HIPAA apply to the data in Dynamics 365. Azure and Microsoft 365 provide controls and documentation that help meet them, but the configuration is still your responsibility.
Role-based security lets you restrict who can see sensitive data, which supports privacy and access-control requirements.
You should:
Identify which regulations apply to your business, such as GDPR or HIPAA.
Use Microsoft tools such as Compliance Manager to assess your configuration against those requirements.
Write policies and procedures that implement them.
Train staff on their responsibilities.
Review the environment regularly to confirm it still meets the requirements.
Note: Demonstrable compliance protects the business from fines and protects its reputation.
Single Sign-On for Dynamics 365 comes down to these main steps: prepare the environment (supported versions, certificates, claims-based authentication and IFD for on-premises); register the application in your identity provider, whether that is Microsoft Entra ID, AD FS or a third-party broker such as miniOrange, and configure WS-Federation, SAML or OpenID Connect; import the provider's federation metadata into Dynamics 365; map claims, above all the UPN; assign users through groups; and test with a dedicated test user before go-live.
Keep the controls strong (MFA, least privilege, rotated credentials) and the systems patched to stay safe.
For more depth, consult the vendor documentation for Dynamics 365, AD FS and Microsoft Entra ID, and the support forums for each.
FAQ
What should you do if users cannot sign in after SSO setup?
Check that the user is assigned to the application in your identity provider and holds a license. Confirm the user has an enabled record in Dynamics 365 with the right security role and a UPN that exactly matches the claim the identity provider issues. Then review the claim mappings. Finally, close the browser completely (to clear cached tokens and cookies) and try again.
Can you use Multi-Factor Authentication with Dynamics 365 SSO?
Yes. Enable MFA in your identity provider (conditional access in Entra ID, or an access control policy in AD FS). Because authentication happens there, MFA applies to Dynamics 365 without any change in Dynamics 365 itself.
How do you update certificates for SSO in Dynamics 365?
Renew certificates before they expire. For the TLS certificates on the Dynamics 365 and AD FS hostnames, install the new certificate and re-run the IFD and claims-based authentication configuration if the certificate bound to those endpoints changed. For the AD FS token-signing certificate, AD FS can roll it over automatically; after a rollover, refresh the federation metadata in Dynamics 365 Deployment Manager so the new signing certificate is trusted, and update any relying party that does not monitor metadata automatically.
What is the best way to manage user access?
Use groups in your identity provider. Assign the Dynamics 365 application and security group membership to groups, not individuals, so joiners, movers and leavers are handled by one membership change.