Microsoft Dynamics 365 is jam packed with state-of-the-art CRM features leveraging AI, machine learning and augmented reality. However, with Microsoft PowerApps you can extend the functionality of Dynamics 365 even further, by developing custom mobile or web-based applications that connect with data and processes within Dynamics 365.
For example, using PowerApps you could develop an application to schedule technicians for appointments and automatically update their availability in Dynamics 365. To access these applications in PowerApps, users need to sign in through the Office 365 portal.
Let’s say you want to give access to a contractor or partner organisation to PowerApps, but you don’t want to create an internal user. By default, with both Dynamics 365 Online and PowerApps, you need to have an account created for you in Office 365 Admin Portal, or have one created through federation with Active Directory (AD).
However, by using Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you can allow external parties to collaborate with your solution without needing to create a user account for them in AD.
In order to be able to do this, you will require the following:
To give access to an external Office 365 user, complete the following steps:
1. Open the Azure portal via portal.azure.com
2. Navigate to Azure Active Directory via the left-hand navigation pane
3. Navigate to Users in the blade that pops out
4. Click New Guest User
5. Type in the email address of the Office 365 user you want to invite. This can be a *.onmicrosoft.com address, or a federated user name, which uses their company domain.
6. The invited user will get an email inviting them to register.
7. Meanwhile, there are some other steps that need to be performed in order to allow this guest user to be able to access Dynamics 365. First of all, we need to edit the properties of the guest user. You can do this by clicking the name of the guest user and then clicking Profile. Once the below screen appears, click Edit.
8. On the edit screen, enter the user’s first name and last name. You will also need to update the usage location, or else you will not be able to assign the user a license. Click Save and you should get a message in the top right side of the screen saying the save was successful.
9. The next step is to add the user to the Group that has been set up as the Security Group of the Dynamics 365 instance. Do this by clicking Groups in the left-hand pane. Then click Add and select the group. In my case, the group is named “CRM Users”.
10. Once this is done, you can assign a license to the user. This is usually done in the Office 365 Admin Portal, but for an external user we use the Azure Portal as we have done for the rest of this process. You can do this by clicking Licenses in the left-hand pane.
11. Click the Assign button, and on the next screen select the license via the Products selector. You don’t need to select an Assignment option. Click Select, then Assign.
12. All being well, the Dynamics 365 license should now be displayed as assigned to the user. Sometimes this process fails if the user’s profile has only been edited recently. If this happens, wait a while and try again.
13. Once the above has been completed, the prerequisites have been met for Dynamics 365 to bring in this user as a Dynamics 365 user. Wait a while and it should appear via Settings -> Security -> Users. The user should have the details you entered in the user profile in Azure.
14. You can now use your usual process to assign a Security Role to the User.
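Steps 4 to 12 above can also be scripted. The following is an added example, not part of the original article, using the Microsoft Graph PowerShell SDK. The guest address, names, usage location, SKU part number and redirect URL are constructed sample values or placeholders.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All','GroupMember.ReadWrite.All','Organization.Read.All'

# Constructed sample values and placeholders: replace with your own.
$GuestEmail    = 'contractor@partner.example'
$GivenName     = 'Sam'
$Surname       = 'Contractor'
$UsageLocation = 'AU'                                    # two-letter country code
$GroupName     = 'CRM Users'                             # security group of the Dynamics 365 instance
$SkuPartNumber = '<DYNAMICS_365_SKU_PART_NUMBER>'        # placeholder; list yours with Get-MgSubscribedSku
$RedirectUrl   = 'https://<your-org>.crm.dynamics.com'   # placeholder for the instance's usual URL

# Resolve the group and license first so no guest is created if either lookup fails.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)." }
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' was not found in this tenant." }

# Steps 4-6: create the guest and send the invitation email.
$invite  = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
             -InvitedUserDisplayName "$GivenName $Surname" `
             -InviteRedirectUrl $RedirectUrl -SendInvitationMessage
$guestId = $invite.InvitedUser.Id

# Steps 7-8: set the name and the usage location (a license cannot be assigned without it).
Update-MgUser -UserId $guestId -GivenName $GivenName -Surname $Surname -UsageLocation $UsageLocation

# Step 9: add the guest to the Dynamics 365 security group.
New-MgGroupMember -GroupId $group[0].Id -DirectoryObjectId $guestId

# Steps 10-12: assign the license, retrying because assignment can fail right after a profile edit.
$assigned = $false
foreach ($attempt in 1..5) {
    try {
        Set-MgUserLicense -UserId $guestId -AddLicenses @(@{ SkuId = $sku.SkuId }) `
            -RemoveLicenses @() -ErrorAction Stop | Out-Null
        $assigned = $true
        break
    } catch {
        Write-Warning "License attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 30
    }
}
if (-not $assigned) { throw "License could not be assigned to $GuestEmail." }

# Review what was granted; ExternalUserState stays PendingAcceptance until the guest redeems the invitation.
Get-MgUser -UserId $guestId -Property DisplayName,UserType,ExternalUserState,UsageLocation,AssignedLicenses |
    Select-Object DisplayName, UserType, ExternalUserState, UsageLocation,
                  @{ Name = 'LicenseCount'; Expression = { $_.AssignedLicenses.Count } }
```

Steps 13 and 14 (the user appearing in Dynamics 365 and the Security Role assignment) still take place in Dynamics 365 itself.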
1. Once the above has been completed successfully, the guest user should be able to access Dynamics 365, but first they will need to complete the invitation they received by email. Clicking this link will result in either an Office 365 login screen, or their company’s federated login screen. Once they log in, they will see the following.
2. Once they click Accept, they will see the below PowerApps screen.
3. Now they should be able to access the Dynamics 365 instance by its usual URL.
If the external party doesn’t use Office 365, they can still be registered as an external user via Gmail. However, there is an additional set of steps to activate Gmail as an authorised authentication provider.
1. To be able to do this, you will need a Gmail account that has access to the Gmail developer console. You can access this via https://console.developers.google.com/
2. Within the console, first you need to create a new project. You can do this by dropping down the menu next to your current project name, and clicking New Project (top left).
3. On the next screen, give the project a name and leave the location as the default.
4. You should then be able to select your new project via the selector that you clicked to create the new project. Once selected, click the credentials area via the left hand nav bar, and then the “OAuth consent screen” tab.
5. On the screen displayed above, enter an application name and enter microsoftonline.com as the Authorized Domain. You will need to press enter after typing in the domain name. Click Save.
6. Then, via the Credentials tab, click the Create Credentials selector and select OAuth client ID.
7. On the next screen, select Web application. This will cause an extra section to appear, and under Authorized redirect URIs, enter the following.
8. Once this is done, you will see a screen showing the client ID and client secret for the registration. Copy both of these into a text file.
9. Back in the Azure portal, go back to Azure Active Directory and select Organizational Relationships. Under Identity Providers, click the Google button.
10. On the next screen, enter the client ID and secret.
11. Now, you should be able to invite Google users like you did for an Office 365 user!
Once the Google user has completed the invitation email, when they log in to Dynamics 365 they will need to enter their Gmail email address. Their browser will then redirect to Google to log in, in a similar manner as when a federated AD user tries to log in to Dynamics 365. If they are set up to use Google’s 2-step verification, they should receive that prompt also.
Once logged in, they should receive the familiar Dynamics 365 screen.
The process for PowerApps is the same, as long as the App has been assigned to their security role. This can be done via the MyApps screen in Dynamics 365, which is available in PowerApps by clicking the Share button which appears next to your app.
All you need to do is then give them the URL of the app, which is available via the same share screen.
I hope you found this article useful and it has helped you understand how to collaborate with external parties using Dynamics 365 and PowerApps.
If you are facing challenges like this or would like to learn more about Dynamics 365 follow me on LinkedIn or contact our team of Dynamics 365 Specialists at Data#3.