Sunday, 14 January 2018

Configuring Dynamics 365 Outlook App On-Premise

Microsoft released the Outlook App with CRM 2016, and then a second much improved version with Dynamics 365, a number of issues and small bugs were identified, but the App is now stable with Update 2.2, I recommend you install this patch to get your Outlook App running smoothly.

A number of people encounter numerous technical hurdles and become frustrated with the lack of documentation available. On this blog post I will go through step-by-step on how to configure the Outlook App for an On-Premise environment, we will configure the following components:
  • CRM OAuth Configuration
  • Exchange Profile
  • ADFS Configuration
  • Pushing the Outlook App to users
Minimum Requirements
  • Dynamics 365 with IFD 
  • Dynamics 365 Update 2.2
  • Minimum ADFS 3.x due to OAuth endpoint
  • Minimum Exchange 2016 or 2013 with Cumulative Update 14 or greater
  • Office 2016 (recommended) although Office 2013 also works fine

How the Outlook App works?
The Outlook App it's an add-in installed on a user Exchange Mailbox. Exchange add-ins have been introduced with Cumulative update 14 for Exchange 2013.

The Outlook App add-in is pushed to the user Mailbox from CRM, no Exchange Server-side configuration or installation is needed, it's all done from CRM. The service account used for Exchange Synchronization requires impersonation rights in order to successfully install the add-in on the user Mailbox.

Minimum Exchange configuration:
  • Exchange Server version 15.0.1236.3.32 (Cumulative Update 14 for Exchange Server 2013) 
  • Exchange 2016

CRM OAuth Configuration
The Dynamics Outlook requires OAuth configuration, on the CRM server execute the following powershell commands:

$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
$ClaimsSettings.Enabled = $true
Set-CrmSetting -Setting $ClaimsSettings

CRM Exchange Setup
Please refer to my previous blog post on how to configure Exchange Server Side synchronization here:

ADFS Configuration
We need to ensure the Outlook App ID is registered with ADFS to allow OAuth authentication to succeed.

First we need to retrieve the Outlook APP ID from CRM, you can access this information on the Settings Menu > Dynamics 365 App for Outlook

you will see the following screen:

Run the following command on the ADFS server:

Add-AdfsClient -ClientId  YOUR_ID  -Name "Dynamics CRM Outlook Client" -RedirectUri https://my_CRM_domain/crmmailapp/code_auth.aspx

ADFS 4.x (windows server 2016)
If you are using ADFS with Windows server 2016, in addition to the above steps, you also need to grant permissions to the Outlook App, please run the following command in powershell:

Please note the domain used here, is the IFD authentication CRM URL, usually named authcrm.domain

Grant-AdfsApplicationPermission -ClientRoleIdentifier YOUR_APP_ID -ServerRoleIdentifier "” -ScopeNames openid

ADFS Authentication Providers
Forms based authentication is required to be enabled on the intranet zone. Open the ADFS management wizard.

Click Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.

Click Forms Authentication on the Intranet zone.

Installing the Outlook App
As I've mentioned earlier, the Outlook App is installed on the user mailbox from CRM. There are two methods to push the Outlook App to the user mailbox:
  • User manually pushes the Outlook App
  • Administrator pushes the Outlook App from administration panel
The user can push the Outlook App manually under the the Apps for Dynamics 365 under the Cog on the top right menu:

On this Page if the CRM user profile is correctly set up with Exchange Server-Side Sync, you should see a blue button to add the Outlook App, as per the below screenshot.

Clicking on the Outlook App Button, starts the process on the background, the user will see the below message:

To push the Outlook App to multiple users,  access the Settings menu > Dynamics 365 App for Outlook

The Eligible users section will only list users where the Exchange Server Profile was set up and the incoming and outgoing settings are set for Server-Side Exchange Synchronization, please refer to the below screenshot:

After the user Mailbox is correctly configured, you need to Test & Enable the Mailbox

Check the Dynamics 365 App for Outlook Settings Menu, the account is now visible on the Eligible Users, click Add App for Outlook, the status will change to Pending... this may take up to 2 minutes to complete, depending on your infrastructure.

When the app is successfully pushed to the user mailbox, you will see a green message: Added to Outlook 

Internet Explorer Settings
The CRM domains need to be added to the Trusted Sites and Protected Mode needs to be enabled

If you come across multiple authentication pop-ups try to enable anonymous authentication:

Run inetcpl.cpl and click on OK.

  • Go to Security Tab. Click on Trusted Sites lower the security level to Low
  • Enable Protected Mode
  • Add both the internal and external CRM domains “https://crm.domain"
  • Click on custom level and scroll down to user authentication section, select anonymous logon and save changes.

Friday, 12 February 2016

Dynamics CRM Funky Customizations

We know non-supported customizations is a big no! unless it makes sense and simplifies your users life.

The javascript code I'm sharing on this post are all DOM manipulations, they are quite handy. I have used them since CRM 2013 first release, have installed roll-ups upgraded to CRM 2015 and CRM 2016 and never had issues with it.

Highlight Mandatory Fields
Do you get users complaining is not easy to identify the missing mandatory fields? the below code highlights the entire field in red to make it more obvious what are the missing fields.

$(document).ready(function () {
$("#header_process_myField").css("background-color", "rgba(255, 179, 179, 1)"); });

Note that we passing a RGBA code, this means you can make your own colour. The below screenshots shows the end result:

Increase the BPF sidebar height
Another question often asked is related with the size of the BPF sidebar, is to small and new users don't realize they actually can slide to the right.

Another small piece of code can help our users:

 $(document).ready(function () {
 $(".ui-slider-handle").css("height", "8px");

How to add BPF Tooltips
I think this is a big miss from Microsoft, why the BPF fields don't have tooltips? I don't know!! Currently they simply repeat the name of the field, with the below code you can define the tooltips for your fields in the BPF section

var toolTipSet = [{ "field": "MyField1", "text": "This field is used for xxx" },
            { "field": "MyField2", "text": "And this field is used for yyyy" },        
 $(document).ready(function () {
var controlId;
        for (var i in toolTipSet) {
            controlId = '[id^="header_process_' + toolTipSet[i].field + '"][id$="_c"]';
            $(controlId).attr('title', toolTipSet[i].text);

Friday, 25 September 2015

Dynamics CRM performance analyzer Google Chrome and CTRL+SHIFT+Q

A quick Tip when comparing performance on different browsers, did you know in Google Chrome you should use CTRL+SHIFT+ALT + Q to retrieve the performance analyzer window?

Hope this helps

Wednesday, 8 April 2015

Dynamics CRM ADFS Gotchas

Hi All,

I've collated a number of my own notes on troubleshooting ADFS CRM IFD environments. Below are a number of issues which I've faced working on a variety of different clients I hope this is useful, please note some gotchas contain direct links to other blogs or Microsoft KB articles.

Some of this issues are well known others not so much, if you know any other issue that is not listed here please email me on: and I'll add it to the below list.

Authentication issues
Many of the authentication issues can be related with kerberos, check you have all the SPN's created correctly in particular the server SPN which is often missed.

c:\>setspn -s http/ contoso\crmserver$ 

Certificate has been revoked
An error occurred during an attempt to build the certificate chain for the relying party trust '' certificate identified by thumbprint '6DC995B18B64C7C4089C234D7AB84A425219EA5D'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

Resolved by running the following PowerShell command
set-ADFSRelyingPartyTrust -TargetName myCRMRP -EncryptionCertificateRevocationCheck None

SigningCertificateRevocationCheck    : CheckChainExcludeRoot (this is the default value)

EventID: 317

The error above relates to the fact that a check is done against a URL that is contained in the CDP checks run the following command to find out if you able to contact the url:
certutil.exe -verify -urlfetch .\yourCertificate-2014.crt 

Disabling the -EncryptionCertificateRevocationCheck None will stop the checks and fixes the issue

Importing IIS certificate:
To import a crt or cer certificate to IIS, first needs to be converted to pfx, you can use OpenSSL tool to do the convertion using the crt and key files.

C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out myPFXCertificate.pfx -inkey MyCertificate.key -in YourCertificate.crt

Note: You can also export the certificate from the MMC Certificates Snapin you have it already. otherwise if someone gives you the key and crt you can convert it with the above command.

OUTLOOK ADFS 2.1 windows 2012 server
Issues with Outlook configuration when using ADFS on windows 2012 server. Run the below SQL statements to fix the issue:

select *
 from federationprovider

update FederationProvider
set ActiveMexEndpoint = ''

Resolved by changing the ActiveMexEndPoint on the database also powershell available but was not working a hotfix is available (To be tested)

powershell to set ActiveMexEndPoint

PS C:\Users\crm13.admin> Get-CrmAdvancedSetting -ConfigurationEntityName FederationProvider -Setting ActiveMexEndpoint -
Id 8174A23D-C8A0-4612-827C-A697E4E07E7B

Chrome Authentication issues
For Chrome authentication issue disable extended protection on IIS ADFS website under ADFS> Is > authentication and disabling extended protection.

1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.

2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.

3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).

Also the below registry key will disable all Extended Protection:

Session timeout - Token LifeTime
To increase a user session duration, increase the token Life time by running the following powershell command: 
PS > Add-PSSnapin Microsoft.Adfs.PowerShell 
Get-ADFSRelyingPartyTrust -Name "relying_party"
 set-ADFSRelyingPartyTrust -TargetName MyRelyingPartyName -TokenLifetime 480

Can't connect to federation URL

netsh http show urlacl

this will show reserved HTTP url namespaces, you will find urls that can't resolve SID because ADFs was installed and removed later.

Deleted all stale records

Token Decryption key Issue
Ah encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
No Certificate Configured ---> Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier

AppPool Service account permissions to the certificate and iis reset to make the changes to take effect.

Changing ADFS Port
STS expired click sign-in and get the below error:
Error Details: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to False


a) Enable user profile loading
b) copy the machine keys
c) Enable NLB in CRM deployment manager

ADFS3.0 Gotchas

Forms not loading on external RPT
The external relying party trust is recognized by ADFS as internal and not loading correctly the forms

MSIS7102: Requested Authentication Method is not supported on the STS.

ADFS 3.0 Outlook Configuration issue Microsoft.Crm.CrmException: Authentication failed
Issues with Outlook configuration when accessing CRM IFD ADFS 3.0 

Issue with the port where ADFS 3 is listening, to fix the issue run the command:
Set-ADFSProperties –nettcpport 809

Monday, 24 November 2014

Dynamics CRM 2013 Performance Optimization

Hi All,

I was one of the speakers at the latest CRM UG UK event at the Microsoft offices in Reading. My presentation topic was Dynamics CRM Performance aimed at improving the multiple layers of a network communication between the CRM client and the CRM server:

  1. Client Layer
  2. Network 
  3. Server
  4. Database
  5. Customization's

It's 34 slides with loads of information and useful tools. Please leave your feedback on my blog if you download it and would like to share your thoughts.

You can access my presentation and other speakers presentations on the following link:

Sunday, 24 August 2014

Dynamics CRM 2013 online implementing single sign-on

On this article I will walk you through how to set up single sign-on with your CRM Online instance using your company domain name. I'm using the Azure portal to perform most of the configuration however if you only have access to office 365 portal I will also demonstrate the same configuration is available via the office 365 portal. Towards the end of the article I also show how Multi Factor Authentication could be implemented as an extra level of security for cloud users.

Throughout the article you will find hyperlinks to Microsoft msdn articles on the related subject.

Lets take a brief look at the steps we are taking to configure single sign-on.
  1. Set up the domain
    • Add your company domain and verify using TXT or MX DNS records
  2. Set up AD User Principal Names 
    • Configuring additional UPN if you not using an external resolvable FQDN domain for your UPNs
  3. Configure AD sync to Azure AD
    • How to enable directory synchronization
  4. ADFS Federate the domain with Azure AD
    • Federate the domain you added on step 1 with Azure AD using Powershell
  5. Testing/Troubleshooting
    • Testing and troubleshooting the configuration using Microsoft online tool
  6. Logging on with Multi Factor Authentication
    • Authentication with Single sign-on plus Multi Factor Authentication
  7. Azure portal and Office 365 portal
    • Overview of both portals and how to configure the same steps in office 365 portal
The installation of the ADFS server or the installation of the Windows Azure Active Directory Synchronization tool is not covered on this article, if you need help with ADFS or the Directory Synch Tool or if you have any questions regarding the set up of single sign-on please don't hesitate to contact me on 

1. Set up the Domain
The first step is to add your company domain to Azure and verify it by adding a custom TXT record to your domain DNS zone.

To do this Navigate to Active Directory and choose Default Directory navigate to the Domains tab and on the bottom of the page click Add Domain. Type the domain and select "I plan to configure this domain for single sign-on"

On the domains tab you now see the newly added domain and says unverified

Click Verify at the bottom of the page and you should get details of the TXT record to add to your DNS zone. Later on step 7 I show you how office 365 portal makes things slightly easier when adding a custom domain.

In your DNS server you should add a TXT record as follows:

2. Set up AD User Principal Names
For Single sign on to work users UPN need to be resolved externally this means your users UPN logon name must be resolved externally. If you are using .local internal domains you can add extra UPN's to your internal Active directory and instruct users to start logging on with the new UPN.

To set up additional UPN suffixes open Active Directory Domains and Trusts right click the root and properties, add the domain you just verified on step 1

Open Active Directory users and computers right click on a test account and click properties on the account tab you will see that from the drop down box after user logon name you have an additional UPN available.

3. Configure AD synchronization to Azure
To configure your local Active directory to sync user accounts and groups to Azure AD you will need to install and configure the Windows Azure Active Directory Sync Tool.

Before you can go ahead and synchronize your local AD environment to Azure you need to make sure you Activate Azure for Directory Synchronization. Navigate to Active Directory click Default Active Directory and click the tab Directory Integration:

The installation and configuration of the tool is out of scope of this article, you can find loads of information online about how to install and configure the Windows Azure Active Directory Sync Tool.

When the synchronization is complete check Azure if your user and group accounts are now visible on your AD instance in Azure.

Note: After you synchronize users to Azure/Office 365 they need to be activated and licenses assigned. By default users are deactivated when synchronized to the cloud.

4. ADFS - Federate the domain with Azure AD
This is the step where you connect your ADFS server to Azure and federate your company domain for single sign-on. This process will automatically add to your ADFS server a relying party trust with office 365.

First you need to install Azure Active Directory Power Shell Tools so you can connect to your Azure Active Directory instance and run a few commands to federated domain with Azure:

Connect-MsolService –Credential $cred
Set-MsolAdfscontext -Computer MyADFSserver
Convert-MsolDomainToFederated –DomainName

Download windows power-shell:

Set up a trust between ADFS and Azure AD:

When completed you should see the following Relaying party trust in your ADFS server:

5. Testing/Troubleshooting 
Microsoft provides the Remote Connectivity Analyzer tool to test and troubleshooting the multiple layers of a single sign-on implementation and provides detailed information if anything goes wrong.

You can access the tool here: 

6. logging on
If all goes well when you access your online CRM instance you should see Microsoft redirecting you to your company ADFS server for authentication and the ADFS server will issue a token saying that your credentials have been verified. However in my scenario, I've configured my test account with Multi Factor Authentication. When I attempt to logon it stops me and sends me a text message with a code for me to check my identify, screenshots below:

Note that for global administrators Multi Factor Authentication is free, so you can test this in your test environment.

A code was sent to my phone in a couple of seconds and I just had to insert that code for CRM to load. Although the user didn't have to insert her password because it's configured for single sign-on she was configured for multi factor authentication which forced an extra level of security.

You also have the Microsoft Phone App which can be used for Multi factor Authentication instead of text messages.

After inserting the code and clicking sign in I land on my CRM online instance.

7. Azure and Office 365 portals
Azure and Office 365 portals are very similar with regards to providing menus to set up domains and single-sign on configuration. If you have access to the Azure instance associated to your office 365 account you will notice that everything that you configure in Azure will automatically surface in Office 365 and the same way if you do any configuration in Office 365 will also surface in Azure both portals connect to the same "collection" of services e.g your active directory instance in the cloud.

Below a few screenshots of office 365 portal showing you where to find and configure the same features we have just done in Azure.

When you open your office 365 portal you can easily locate the domains link, here you can add new domains and easily access the information needed to verify your domain by adding either a TXT or MX record to your DNS server

When you click Add domain, you will be taken to a 3 step process to create, confirm and verify the domain you just added.

When selecting general instructions the below page comes up with all the information you need to create the required TXT or MX record on your DNS zone to verify the domain.

Users and Single Sign-On configuration. 
Clicking on the Users & Groups and Active users you can  manage all user accounts including passwords and licenses. Notice that from this configuration panel you can also manage:
  1. Single-sign on
  2. Enable Directory synchronization
  3. Change password policy
  4. Configure multi-factor authentication.

clicking Manage Single sign-on provides you with a 10 step process on how to implement Single sign-on with your company AD and the office 365 platform. This is exactly the same as in the Azure - Directory Integration steps, which have been simplified into 4 main topics with child steps below as you can see on the below screenshots

Azure Portal

Office 365

I hope the article was useful please leave your feedback. I have not covered some features in great detail like how to install and configure ADFS or the windows Azure Synchronization tool this would make the all article very long and remove the focus from single sign-on.

Thursday, 31 July 2014

Free Webinar Azure ADFS domain federation with CRM Online

I'm doing a series of free webinars on Dynamics CRM and starting with how to federate your company domain with Azure and provide single sign-on with an Azure VM and Multi Factor Authentication.

If you interested please register your place here:

Below you find more information on what will be covered on the day. In a nutshell the webinar session will cover Azure VMs providing domain and ADFS single sign-on authentication for CRM online plus the configuration of Multi Factor authentication. Multi factor authentication is a process which helps protecting organization data enforcing two-factor user authentication.
  • Azure and office 365 portal
  • Session overview configuration steps
  • Adding a domain to Azure portal
  • Verify the domain
  • Overview of ADFS configuration and SSL certifcate configuration
  • Install & Connect to Azure powershell
  • Promote the newly added domain to federated domain.
  • Adding users to CRM online
  • Enable Multi Factor Authentication
  • Question and Answers

    If you have an on-premise Dynamics CRM instance there will be relevant information to on-premise configuration scenarios with ADFS and Azure.
Please leave your feedback, comments or any questions you may have.

If you would like to contact me directly please feel free to drop me an email to: