Microsoft Dynamics 365 is jam packed with state-of-the-art CRM features leveraging AI, machine learning and augmented reality. However, with Microsoft PowerApps you can extend the functionality of Dynamics 365 even further, by developing custom mobile or web-based applications that connect with data and processes within Dynamics 365.
For example, using PowerApps you could develop an application to schedule technicians for appointments and automatically update their availability in Dynamics 365. To access these applications in PowerApps, users need to sign-in through the Office 365 portal.
Let’s say you want to give access to a contractor or partner organisation to PowerApps, but you don’t want to create an internal user. By default, with both Dynamics 365 Online and PowerApps, you need to have an account created for you in Office 365 Admin Portal, or have one created through federation with Active Directory (AD).
However, through use of Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you can allow external parties to collaborate with your solution without the need for creating them a user account in AD.
In order to be able to do this, you will require the following:
To give access to an external Office 365 user, complete the follow steps:
1. Open the Azure portal via portal.azure.com
2. Navigate to Azure Active Directory via the left-hand navigation pane
3. Navigate to Users in the blade that pops out
4. Click New Guest User
5. Type in the email address of the Office 365 user you want to invite. This can be a *.onmicrosoft.com address, or a federated user name, which uses their company domain.
6. The invited user will get an email inviting them to register.
7. Meanwhile, there are some other steps that need to be performed in order to allow this guest user to be able to access Dynamics 365. First of all, we need to edit the properties of the guest user. You can do this by clicking the name of the guest user and then clicking Profile. Once the below screen appears, click Edit.
8. On the edit screen, enter the user’s first name and last name. You will also need to update the usage location, or else you will not be able to assign the user a license. Click Save and you should get a message in the top right side of the screen saying the save was successful.
9. Next step is to add the user to the Group that has been set up as the Security Group of the Dynamics 365 instance. Do this by clicking Groups in the left hand pane. Then click add and select the group, in my case the group is named “CRM Users”.
10. Once this is done, you can assign a license to the user. This is usually done in the Office 365 Admin Portal, but for an external user we use the Azure Portal as we have done for the rest of this process. You can do this by clicking Licenses in the left-hand pane.
11. Click the Assign button, and on the next screen select the license via the Products selector. You don’t need to select an Assignment option. Click Select, then Assign.
12. All being well, the Dynamics 365 license should now be displayed as assigned to the user. Sometimes this process fails if the user’s profile has only been edited recently, if this happens wait a while and try again.
13. Once the above has been completed, the prerequisites have been met for Dynamics 365 to bring in this user as a Dynamics 365 user. Wait a while and it should appear via Settings -> Security -> Users. The user should have the details you entered in the user profile in Azure.
14. You can now use your usual process to assign a Security Role to the User.
1. Once the above has been completed successfully, the guest user should be able to access Dynamics 365, but first they will need to complete the invitation they received by email. Clicking this link will result in either an Office 365 login screen, or their company’s federated login screen. Once they login, they will see the following.
2. Once they click Accept, they will see the below PowerApps screen.
3. Now they should be able to access the Dynamics 365 instance by its usual URL.
If the external party doesn’t use Office 365, they can still be registered as an external user via Gmail. However, there is an additional set of steps to activate Gmail as an authorised authentication provider.
1. To be able to do this, you will need a Gmail account that has access to the Gmail developer console. You can access this via https://console.developers.google.com/
2. Within the console, first you need to create a new project. You can do this by dropping down the menu next to your current project name, and clicking New Project (top left).
3. On the next screen, give the project a name and leave the location as the default.
4. You should then be able to select your new project via the selector that you clicked to create the new project. Once selected, click the credentials area via the left hand nav bar, and then the “OAuth consent screen” tab.
5. On the screen displayed above, enter an application name and enter microsoftonline.com as the Authorized Domain. You will need to press enter after typing in the domain name. Click Save.
6. Then, via the Credentials tab, click the Create Credentials selector and select OAuth client ID.
7. On the next select Web application. This will cause an extra section to appear, and under Authorized redirect URIs, enter the following.
8. Once this is done, you will see a screen showing the client ID and client secret for the registration. Copy both of these into a text file.
9. Back in the Azure portal, go back to Azure Active Directory and select Organizational Relationships. Under Identity Providers, click the Google button.
10. On the next screen, enter the client ID and secret.
11. Now, you should be able to invite Google users like you did for an Office 365 user!
Once the Google user has completed the invitation email, when they login to Dynamics 365 they will need to enter their Gmail email address. Their browser will then redirect to Google to login, in a similar manner as when a federated AD user tries to login to Dynamics 365. If they are set up to use Google’s 2-step verification, they should receive that prompt also.
Once logged in, they should receive the familiar Dynamics 365 screen.
The process to PowerApps is the same, as long as the App has been assigned to their security role. This can be done via the MyApps screen in Dynamics 365, which is available in PowerApps by clicking the Share button which appears next to your app.
All you need to do is then give them the URL of the app, which is available via the same share screen.
I hope you found this article useful and it has helped you understand how to collaborate with external parties using Dynamics 365 and PowerApps.
Tags: Active Directory, Azure B2B, Collaboration, Customer Relationship Management (CRM), Microsoft, Microsoft 365, Microsoft Azure, Microsoft Azure Active Directory, Microsoft Dynamics, Microsoft Dynamics 365