One of my colleagues had a question today… His customer has split their company in two tenants and their Dynamics 365 for Operations was still in one of the tenant (TenantA). The users in the new tenant (TenantB) needed access and he wondered how they could do this.
The first step for doing this is to create an Azure AD guest account invitation in the Azure Portal (In Tenant A). Go to Azure Active Directory – Users – New Guest User.
The user receives an email where they can approve the invite…
When the user in Tenant B accepts the invite a “placeholder account” will be created in TenantA and this account will be linked to the users account in Tenant B. The user can not log in using his account in TenantB but will be treated as a user in TenantB and the security policies from Tenant A (MFA) will be applied. Once the user has accepted the invite we need to import the user in Dynamics. Go to System Administration – Users and select Import User. Search for the user and import it.
Most organizations today are using Azure AD and the absolute recommendation is to use 2FA in as many scenarios as possible… in some that is not possible… then there is an option to use an application password (this should be uses in special cases and you should never use it on an Admin Account). To create an App Password you do the following:
Log in to https://portal.office.com
In the upper right corner click your profile picture and select “My Account”
Go to “Security and Privacy” and click “Create and manage app passwords”
I am so sorry about the click bait title… I could not resist
Todays adventure consists of troubleshooting why Report Editor and Workflow Editor stopped working in our Dynamics 365 for Operations environment. First som history:
This all started in one of our environments where we noticed that Report Designer for Management Reporter (Financial Reports) was not working… after some troubleshooting we called MS Support and did two days of troubleshooting I got the suggestion to try this in another environment (I am a little annoyed that I did not do this before) and of course it worked. Well, that did not really provida a lead to the root cause. One day later I got a request to configure PowerBI in the environment where it worked and later that day once again tested in the “working” environment and low and behold… it did not work!!! What the_____? This got me thinking about what could have caused this… I installed PowerBI… could it be… Yes it could.
I remembered that I had read in the description of the PowerBI configuration that there was a caveat in the configuration of the Azure AD Application:
“App ID URI: This value is mandatory, but isn’t required for the workspace integration. Make sure that this App ID URI is a mock URI like https://contosoAX, since using the URL of your deployment can cause sign-in issues in other AAD applications such as the Excel Add-in.”
So I went back to Azure AD and I had unfortunately not done this…
I changed this in both environments and… Voilá… it worked.
Note: This has been changed in my original post on PowerBI
In AX 2012 and prior it was a little tricky to add external users. You basically could not, so you needed to add an Active Directory Account to your AD and import it as a AX user. You might not want to add external users in your AD.
This is much easier in AX7 (it should be Dynamics AX but it is much harder to search for on the internets)… much, much easier… you see AX 7 does not handle identity at all… it trusts Azure Active Directory for this. A requirement is that the external company uses Azure Active Directory.
Note (Added later): If you have set up the AX install in Azure using LCS the “default” Azure Active Directory is the one connected for your Azure tenant. These users are not treated as external users and do not need the modification below.
So, to add an external user to AX you go to System Administration – Users and click New to add a new user. The user we want to add in our example is Kalle Kula, Kalle has the email address firstname.lastname@example.org
The only thing missing is that we need to specify the Azure AD tenant in the domain field and set it to https://sts.windows.net/innoworks.com (which is not completely visible in the screenshot)