How to Prepare for Changes in D365 Security Authorisation Methods

Microsoft turns off Office 365 Authentication

Author: Stuart Powell | Head of Application Development | Formus Professional Software | Feb 2021

More Secure Means of Connection

Authentication is the process of verifying the identity of the user who is requesting access to a system. The authentication type specifies which security protocol is used to establish the connection.

Most software applications use an authentication method to permit connections to services, servers, or other applications. By calling on a username and password each time a user requests access, the authentication method verifies the identity of the user, and the authentication type specifies which security protocol is used to establish the connection.

Important changes in D365 security

The problem with the basic method is that it has been found to be vulnerable to security attacks.

The Office 365 (O365) authentication method is an example of basic authentication used to connect many services in the past. However, to protect our environments and make way for more secure means of connection, the Office 365 authentication method is about to be disabled by Microsoft.

Stay Informed - Sign up to Tech News Updates

We keep a close eye on Microsoft Release Waves as there can be significant updates to software. Most good, some bad and a few ugly. While we cannot change or influence Microsoft’s actions, we do actively seek out and review these release documents.

Our Microsoft Wave updates give you a summary of the original Microsoft documents. They:

  • Inform you of new or improved features
  • Give you a heads-up on any tricky bits you may have to navigate
  • Include advice on how to mitigate any hidden nasties (where possible).

You can sign up to receive these MS Wave updates automatically to your email account. Alternatively, keep checking back here within our resources pages.

What is Happening with Office 365 Authentication Method?

Microsoft are intent on guiding developers away from this insecure protocol and helping them utilise the capabilities of Azure Active Directory for more secure authentication.

The deprecation affects any external service connecting to Dynamics, CDS, DataFlex Pro, MDAs.

Applications such as Azure Functions, SSIS, third party or custom apps will simply stop talking to Dynamics once the final plug is pulled.

Note: This change only impacts client applications that connect to the Microsoft Dataverse (previously known as the Common Data Service). It does not affect custom plug-ins, workflow activities or on-premise/IFD service connections.

Deprecation of the Office 365 authentication method has already begun. By April 2022 environments will no longer work with this method at all.

October 2020

The Office 365 authentication method is retired for all new tenants and unavailable for all new regions. This means that you will not be able to use this type of authentication if you create an environment within a new tenant or in a new region.

April 2021

The Office 365 authentication protocol will be retired for all new environments within a tenant. This means that you will not be able to use this type of authentication on any newly created environments within existing tenants.

April 2022

The Office 365 authentication protocol will be retired for all new and existing environments within a tenant. This means that you will not be able to use this type of authentication on any environments, newly created or existing.

How to Check if you are Using the Office 365 Authentication Method?

You will need a certain level of Dynamics 365 technical knowledge to allow you to determine if your custom clients are using the Office 365 authentication method.

Check your code for how it instantiates the CrmServiceClient.

If you are applying the Office 365 authentication type your connection string will look like:

connectionString="AuthType=Office365;Username=<username>;Password=examplepassword;Url=https://exampleorg.crm.dynamics.com"

Note: Our developers have found what we think might be a bug in the Microsoft CrmServiceClient class.
Read our article on Fixing Strange Connection Bug in the CrmServiceClient to find out more.

You are also using the Office 365 authentication type if you use the OrganizationServiceProxy or CrmServiceClient.OrganizationServiceProxy classes.

using (OrganizationServiceProxy organizationServiceProxy =
    new OrganizationServiceProxy(serviceManagement, clientCredentials))
{
    // Calls made through the proxy use the Office 365 authentication type.
}

Once the Office 365 authentication method is removed, you will need to switch to using supported authentication methods within your custom clients.
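The check described above can be run mechanically over source and config files. The following is an added example, not code from Formus or Microsoft; the LegacyAuthScanner class, the file name and the sample lines are constructed for illustration. It flags connection strings whose AuthType is Office365 (regardless of casing or spacing) and any use of OrganizationServiceProxy.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Text.RegularExpressions;

static class LegacyAuthScanner
{
    // A quoted string containing an AuthType key is treated as a connection string.
    static readonly Regex ConnString =
        new Regex("\"([^\"]*AuthType\\s*=[^\"]*)\"", RegexOptions.IgnoreCase);
    // Matches both the class and the CrmServiceClient.OrganizationServiceProxy property.
    static readonly Regex ProxyUse = new Regex(@"\bOrganizationServiceProxy\b");

    public static List<string> Scan(string fileName, string text)
    {
        var findings = new List<string>();
        string[] lines = text.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            foreach (Match m in ConnString.Matches(lines[i]))
            {
                string authType = "";
                try
                {
                    // The builder copes with key casing and spacing around '=' and ';'.
                    var parsed = new DbConnectionStringBuilder { ConnectionString = m.Groups[1].Value };
                    if (parsed.TryGetValue("AuthType", out object value))
                        authType = value.ToString().Trim();
                }
                catch (ArgumentException) { continue; } // not a well-formed connection string
                if (authType.Equals("Office365", StringComparison.OrdinalIgnoreCase))
                    findings.Add($"{fileName}:{i + 1}: connection string uses AuthType=Office365");
            }
            if (ProxyUse.IsMatch(lines[i]))
                findings.Add($"{fileName}:{i + 1}: OrganizationServiceProxy is used");
        }
        return findings;
    }
    static void Main()
    {
        // Constructed sample input, not taken from a real project.
        string sample = string.Join("\n",
            "<add name=\"Crm\" connectionString=\"authtype = Office365; Url=https://exampleorg.crm.dynamics.com\" />",
            "var client = new CrmServiceClient(\"AuthType=OAuth;Url=https://exampleorg.crm.dynamics.com\");",
            "using (var proxy = new OrganizationServiceProxy(serviceManagement, clientCredentials))");
        foreach (string finding in Scan("sample.txt", sample))
            Console.WriteLine(finding);
    }
}
```

Connection strings assembled at run time or loaded from a secret store will not appear as literals, so treat a clean scan as a starting point and confirm against the values your deployed clients actually use.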

Need Help or Advice?

We can investigate and even apply the changes for you, depending on your support package.

If you are not currently a client of ours, we may be able to help you on one of our smaller support bundles.

Call 01432 345 191 or fill out our contact form below.

 

Switching to OAuth

There are many different authentication types for connecting to Dynamics 365, some are more secure than others.

The Office 365 authentication type uses WS-Trust to establish a connection to Dynamics 365 from custom clients.
This protocol does not support modern forms of Multi-Factor Authentication and conditional access controls to customer.

While there are other protocols, we would advise using OAuth to replace your O365 method.

 

Why OAuth?

OAuth adopts up-to-date standards that do not simply use personal credentials. Instead, final authorisation is given using “tokens” designed to significantly improve security.

For more information on OAuth and its use of tokens we recommend you read OAuth 2: Why You Should Care by our friends over at DZone.

 

Applying OAuth as your replacement method

Start by switching over to use an “OAuth” based connection string as per below:

connectionString = "AuthType=OAuth;Username=<username>;Password=examplepassword;Url=https://exampleorg.crm.dynamics.com;AppId=51f81489-12ee-4a9e-aaae-a2591f45987d;RedirectUri=app://58145B91-0C36-4500-8554-080854F2AC97;LoginPrompt=Auto"

You should replace the AppId and RedirectUri values by creating your own application registration in Azure Active Directory for applications running in your tenant.

 

Using 9.2.x version of Dynamics SDK 

The 9.2.x version of Microsoft.CrmSdk.XrmTooling.CoreAssembly is planned to include auto-redirect support for Office 365 to OAuth. You can update your applications to use this package once it’s announced.

 

For any OrganizationServiceProxy classes that you have implemented in your applications you will need to do the following:

  • Replace all OrganizationServiceProxy instances that are being passed to or returned from methods to use the IOrganizationService interface.
  • Replace all OrganizationServiceProxy class constructors with CrmServiceClient class constructors. You will need to add the NuGet package Microsoft.CrmSdk.XrmTooling.CoreAssembly.

For any CrmServiceClient.OrganizationServiceProxy uses throughout your code you should:

  • Remove all use of the property. CrmServiceClient itself implements IOrganizationService, which exposes everything that is settable for the OrganizationServiceProxy.
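The replacement steps above, together with the OAuth connection string from the previous section, as an added example (not code from Formus or Microsoft). The DynamicsConnection class and the D365_CONNECTION_STRING environment variable are hypothetical names; the example assumes the Microsoft.CrmSdk.XrmTooling.CoreAssembly NuGet package is referenced and the variable holds an AuthType=OAuth connection string for your own app registration.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Tooling.Connector; // from Microsoft.CrmSdk.XrmTooling.CoreAssembly

static class DynamicsConnection
{
    // Callers depend on IOrganizationService rather than OrganizationServiceProxy,
    // so they do not change when the connection class does.
    public static Guid GetCallerId(IOrganizationService service)
    {
        var response = (WhoAmIResponse)service.Execute(new WhoAmIRequest());
        return response.UserId;
    }

    // Replaces "new OrganizationServiceProxy(serviceManagement, clientCredentials)".
    public static CrmServiceClient Connect(string connectionString)
    {
        var client = new CrmServiceClient(connectionString);
        // A failed sign-in is reported through IsReady, so it has to be checked
        // before the client is handed to callers.
        if (!client.IsReady)
        {
            string reason = client.LastCrmError;
            client.Dispose();
            throw new InvalidOperationException("Dynamics 365 connection failed: " + reason);
        }
        return client;
    }

    static void Main()
    {
        // Assumption: the connection string is supplied outside source control.
        string connectionString = Environment.GetEnvironmentVariable("D365_CONNECTION_STRING");
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new InvalidOperationException("D365_CONNECTION_STRING is not set.");

        using (CrmServiceClient client = Connect(connectionString))
        {
            // CrmServiceClient is passed directly as the IOrganizationService.
            Console.WriteLine(GetCallerId(client));
        }
    }
}
```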

Summary

In order for your custom applications to continue authenticating successfully with Dynamics 365, you need to make sure you address any Office 365 authentication methods in your code.

All new applications that you build should be implementing OAuth but for all existing applications in existing environments, you have until April 2022 to update them.
