Setup Azure AD with ADFS as Dynamics on-prem IDP

Introduction

Today, we will outline the necessary steps to integrate Active Directory Federation Services and Azure AD as a Claims Provider Trust for Dynamics 365 on-prem environments. This production-ready solution can integrate multiple Azure Active Directories to expand the external access for Dynamics 365 on-prem environments. This approach can provide more security and granular controls to ensure system security.

Key Benefits

  • Enhanced security and logging through Azure Active Directory.
  • No need to sync users to Azure Active Directory using Azure AD Connect; therefore, there is no need to create users in the active local directory.
  • Leverage Azure B2B features.
  • Get the most out of pure, cloud-only Azure AD environments.

Assumptions

  • These instructions are based on the following assumptions:
  • ADFS is already installed and configured (We can set up SSO with Azure AD without ADFS. However, that is not a production-ready solution as we will lose the desktop and mobile applications because of the application ID).

Claim Based Authentication And Internet-Facing Deployment Is Already Configured And Working As Excepted For Dynamics 365 On-Prem Environment.

Azure AD Configuration

This section will add our on-premises ADFS server as an application in Azure AD.

  1. Login to https://aad.portal.azure.com using the Global Admin user of your office 365 Tenant.
  2. Navigate to the “Azure Active Directory” -> “App Registration” and click on new Registration.

Streamline Dynamics On-Premises Authentication with Azure AD

AlphaBOLD can help you streamline authentication for your Dynamics on-premises environment using Azure AD and ADFS. Are you ready to improve your authentication process?

Request a Consultation
This image shows the Azure AD Configuration in
  1. Enter the Application Name and click Register.
This image shows Enter the Application Name in Azure AD
  1. Open the newly created application and update the Application ID URI and Redirect URIs.
  2. To get the Application ID URI, open the ADFS Server management console and click on the ADFS. After that, click on Edit Federation Service Properties and use this URL as an Application ID URI in the Azure Active Directory.
this image shows the ADFS Server management in Setup Azure AD
  1. From the Overview panel, click on the Add an Application ID URI
this image shows Overview panel the Setup Azure AD
  1. Click on Set and replace the existing value with the ADFS Federation Identifier URI.
this image shows the ADFS Federation Identifier URI in Azure AD
this image shows the Set ADFS
  1. Update Redirect URIs, and then navigate to Authentication. Now click Add a platform and select Web.
This image shows the navigate to Authentication
  1. Enter the ADFS URL, as shown in the following exhibit.
this image shows ADFS URL
  1. Now copy the Federation Metadata URL.
  2. Click on the Overview panel, click the Endpoints, and copy the Federation Metadata document URL. We need this URL to add the Claims Provider Trust in ADFS.
This image shows Claims Provider Trust in ADFS of Azure AD

At this point, we have successfully created the ADFS application in Azure Active Directory. Now let’s move to the next part, where we will add Azure AD as Claims Provider Trust in the on-prem ADFS environment.

Further Reading: Automate ML Models Deployment With Azure Services

Setup Claims Provider Trust In ADFS

In this step, we will add Azure AD as an identity provider in ADFS.

  1. Open the AD FS Management tool. Click on Claims Provider Trust.
this image shows AD FS Management tool
  1. Click on Add Claims Provider Trust and click Start.
This image shows Add Claims Provider Trust
  1. Enter the Federation Metadata URL copied from Azure Active Directory ADFS application Endpoints.
This image shows Azure Active Directory ADFS application Endpoints.
  1. Enter the Name and then click Next.
this image shows the Enter the Name
this image shows the ready to add trust

Further Reading: Optimizing Business Strategy And Technical Implementation With DataDevOps On Azure

Click Next and then click Finish.

  1. Add the Claim Rules and select AzureAD from the Claim Provider Trust list. Click Edit Claim Rules and then click add new Rule.
this image shows Claim Rules in the Azure AD
  1. Select Transform incoming Rule and click Next
this image shows the Transform incoming Rule
  1. Enter the name of Rule, select “name” from the incoming claim drop-down, and select UPN from the outgoing claim list. Click on Pass through all claim values.
This image shows the Pass through all claim values

Configure The Relying Party Trust

For the next part of the configuration, we will assume that the claim-based authentication for the Dynamics environment is already in place and that the UPN pass-through rule has also been created as part of the claim-based authentication for Dynamics. We must enable the Relying Party Trust to accept claims from the AzureAD claims provider. We will be using the Power Shell to make these configuration changes.

  1. Login to ADFS server and open elevated Power Shell.
  2. Enter the following command to update the Dynamics Relying Trust Party to accept claims from both the Internal Active Directory and Azure Active Directory.
    • Import-module ADFS
    • Set-AdfsRelyingPartyTrust -TargetName “auth.ayk*****.com” -ClaimsProviderName @(“Active Directory”,”AzureAD”)

Further Reading: Simplify Your Azure Infrastructure With Azure Blueprints

(Replace the Name with your Dynamics Relying Party Trust and the names of your Claims Provider Trusts)

this image shows Dynamics Relying Party Trust
  1. Reset ADFS services and verify the Dynamics Access using Azure AD user

Secure your Dynamics On-Premises with Azure AD Integration

Looking to enhance security and streamline access for your Dynamics on-premises environment? AlphaBOLD's Azure Services are here to guide you through integrating Azure AD with ADFS.

Request a Consultation

Verify Dynamics Federated Access

At this stage, we have successfully configured federated trust between on-premises ADFS and AzureAD. The prerequisite for this, however, is that we have already created a new user in Dynamics for the AzureAD User and assigned appropriate roles.

  1. Launch any internet browser and open the Dynamics external URL. It should redirect to the ADFS login page, and AzureAD IDP should be visible. Click on AzureAD to be redirected to the Microsoft Login page.
this image shows the AzureAD IDP
  1. Enter your Office 365 credentials, after successful authentication, you should be redirected back to the Dynamics home page.
this image show's Office 365 credentials
this image shows sales activity social dashboard

I hope this blog has helped you set up Azure AD with ADFS as Dynamics on-prem IDP quickly. Feel free to leave a comment below if you have any questions. Our BOLDEnthusiasts will be happy to help!

Explore Recent Blog Posts