Overview of Dynamics 365 portal security
Portal Security Concerns
Anonymous users should be given the least amount of access, meaning only the public content.
The customers, suppliers, or partners should be able to log in to the portal and submit and modify their own data.
Power users or senior admin staff might want more sensitive information in the decision-making process or when serving the clients. As an example, granting membership to a club might require additional approval based on the data provided in the application.
The most secure level is handled only by the administrators or any other authenticated users or internal staff.
Local authentication uses the contact records of Dynamics 365 for Customer Engagement for authorization. This is implemented through the common form-based authentication.
The ASP.NET Identity API is used for implementing external authentication, which includes user credential management done through a third-party identity provider. This includes Google, Yahoo, and OAuth 2.0–based providers such as Microsoft, Facebook, and Twitter. When configured, the external identity will have the same access as the internal identity.
You can use invitations and trigger confirmation e-mails with both these approaches. Portal administrators have the ability to enable or disable any of these combinations through the Site Settings. As explained, when you configure a portal, by default the contact-based authentication is configured. In the next section, let’s look at the capabilities of the contact-based authentication approach.
Contact-Based Authentication
This is considered to be the simplest form of authentication you will get with Dynamics 365 portals; it uses the contacts of the Dynamics 365 for Customer Engagement organization.
Register a User
Login page of the portal
Contact’s Profile page
Contact record created after user registration
Pages accessible to the authenticated user
Authenticated user accessing web page
An anonymous users cannot see this page
System admin login
Now there is a new editor available for system administrators (Figure 2-9). Please note that at the time of writing this book, this editor is in preview mode. You can learn more about the new content editor at https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/portal-new-content-editor.
Note
Microsoft has most recently introduced PowerApps Portal, which enables organizations to create low-code portal solutions for their external customers and allows them to interact with common Data Sources. Microsoft has also started merging the capabilities offered by the Dynamics 365 for Customer Engagement portal with PowerApps Portal. For further reading, please visit https://powerapps.microsoft.com/en-us/blog/introducing-powerapps-portals-powerful-low-code-websites-for-external-users/.
New portal editor
Changing the password for a contact
Selecting a contact from the lookup and changing the password
Please note that the password is visible, and it is always a good practice to advise the contact to change it at the next login. In the next section, you will look at external authentication.
External Authentication
Microsoft
Google
Yahoo
Facebook
Twitter
LinkedIn
Note
For the brevity of this book, I will be discussing the configuration of the Microsoft and Google authentication providers. For other provider configuration, please visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/configure-oauth2-settings. Also, note that you can specify multiple providers so that the visitors can select the one they most prefer.
The external identity providers that are based on OAuth 2.0 require you to register an application to acquire the client ID and client secret. Most of the time, when registering the application, the redirect URL to the portal must be specified so that the user will be redirected back to the portal. Then, in the portal’s Site Settings, this client ID and the client secret are configured to establish a secure connection between Dynamoics 365 portals an the external identity provider. First, let’s look at how to set up Google as the external identity provider.
- 1.Navigate to Google Developer Console: https://console.developers.google.com. You will be requested to log in using your Google credentials. You can select an existing project, or you can create a new project, as shown in Figure 2-12.
Figure 2-12Creating a new Google API project
- 2.Click New Project to create a new project. You can enter a new project name or leave the default one and click Create (Figure 2-13).
Figure 2-13Creating a new project
- 3.Navigate to the Credentials section and click Create Credentials, as shown in Figure 2-14. From the drop-down options, select OAuth Client ID.
Figure 2-14Creating credentials
- 4.Then you will be directed to the form to select the application type. From the options, select Web Application. This will display the form shown in Figure 2-15. You also need to enter the following entries:
- a.
Authorized JavaScript origins: This is the URL of the portal/web page where your request originates.
- b.
Authorized redirect URIs: This is the callback URL that will be used to redirect the user once the request validation is successful.
After entering these values, click Create.
Figure 2-15Selecting an application type
- a.
- 5.
Now the credentials are created, and you will be prompted with the client ID and client secret (Figure 2-16).
Figure 2-16Client ID and client secret
You need to take note of the client ID. The client secret is not required here.
- 6.Once all this is done, you must update the Site Settings of the portal. Navigate to Portals and then to Site Settings. The following are the entries you should set up. These settings have the format of Authentication/OpenIdConnect /<provider> /<Setting>. The provider will be used as the caption on the login screen.
Authentication/OpenIdConnect/Google/Authority: This is the URI to get the authentication token.
Authentication/OpenIdConnect/Google/ClientId: This is the client ID generated when you created the credentials, which is registered with the Google API.
Authentication/OpenIdConnect/Google/RedirectUri: This should be the same value that you enter when registering the Google API.
Google authentication entries
Google “Sign-in” button
Sign in with Google prompt
Registering with a Google e-mail address
Profile page
You can see the “E-mail address” field is populated with your Gmail address.
- 1.
Previously this was done through https://account.live.com/developers/applications/index.
As of May 2019, this will no longer available, and the application registration will be done through Azure Portal. Log in to Azure Portal and navigate to the App Registration section. Navigate to the “Owned applications” tab, as shown in Figure 2-22.
Figure 2-22Creating the app registration
Note
App registration was replaced in May 2019.
- 2.Click the +New registration and enter the following fields:
- a.
Name of the application.
- b.
“Supported account types” determines what type of accounts have access, and for this example, we will be selecting the third option: “Accounts in any organizational directory and personal Microsoft accounts (e.g., Outlook, Skype, Xbox).”
- c.
Finally, specify the redirect URL. The redirect URL is important for most authentication scenarios. As discussed, this URL will be used to return the authentication response.
Once the application is successfully registered, you will be redirected to the screen shown in Figure 2-24.
Figure 2-24Registered application overview
On this form, you can see that the application ID is displayed. When you register the application, you will not get a client secret. The client secret must be generated, and it can be done by going into “Certificate & secrets.”
- a.
- 3.Under “Certificate & secrets,” click “Create a new secret,” as shown in Figure 2-25. Specify the name and the expire settings.
Figure 2-25Creating a client secret
- 4.
The next step is to configure the Site Settings (Figure 2-26). Navigate to the portal’s configuration and then to Site Settings. The following settings are already entered under the Active Site Settings; you only need to populate the values.
Authentication/OpenAuth/Microsoft/Caption: This is the caption of the button.
Authentication/OpenAuth/Microsoft/ClientId: This value is from the authentication provider application. You can find the client ID on the Overview page.
Authentication/OpenAuth/Microsoft/ClientSecret: This value is from the authentication provider application. You need to enter the client secret you’ve generated here.
Figure 2-26Microsoft authentication settings
- 5.Navigate to the sign-in page of the portal; you will see the Microsoft button as an external sign-in option (Figure 2-27).
Figure 2-27Sign-in page with Microsoft authentication
- 6.Click the Microsoft button, and it will prompt you to enter your Microsoft ID (Figure 2-28). As usual, enter the e-mail and password.
Figure 2-28Microsoft login screen
Allowing the application to access your information
Registering your e-mail
Profile page for the externally authenticated user
Similar to this, you can configure the other external authentication providers based on your client requirements. In the next section, you will look at the Azure AD B2C configuration.
Azure AD B2C Provider
Azure Active Directory B2C is an identity management service that enables you to configure and control user authentication with your web, mobile, desktop, or single-page application. The Azure AD B2C allows the users of your application to sign up, sign in, edit profiles, and reset passwords. This authentication mechanism is built on the OpenID and OAuth 2.0 protocols, which use a security token to provide secure access to your application. This book will look at how Azure AD B2C can be used to provide authentication to your Dynamics 365 portals. It is highly recommended that you have some background knowledge about Azure AD B2C before commencing this section. For more details about Azure AD B2C, please visit https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview.
Application-Name represents the portal as a trusted party.
Application-ID is linked with the application created in Azure Active Directory B2C.
Policy-Sign in-URL is the issuer URL specified in metadata endpoint.
Federation-Name is the distinctive name to identify the B2C provider and is used with Site Settings to group configuration settings for this specific provider.
Create an Azure AD B2C Tenant
- 1.Next, choose “+Create a resource” in the top-left corner of the portal and search and select Active Directory B2C.
Figure 2-32Azure Active Directory B2C home page
- 2.Click the Create button. On this screen, enter the relevant details and click Create at the bottom-right corner of the screen (Figure 2-33).
Figure 2-33Creating an Azure AD B2C tenant
- 3.As the next step, click the “Link an existing Azure B2C Tenant to my Azure Subscription” and enter the details, as shown in Figure 2-34.
Figure 2-34Linking an existing Azure AD B2C tenant to you Azure subscription
- 4.Before starting to use the tenant, you must make sure that you are using the directory that contains the tenant. Click the subscription page, and the Global Subscription filter will be shown on the right side of the browser window. Switch the directory if required (Figure 2-35).
Figure 2-35Switching the directory
- 5.The next step is to register the application. On the Applications tab, click +Add, as shown in Figure 2-36.
Figure 2-36Adding a new application
On the next screen, enter the name of the application and select Yes for both “Include web app/ web API” and “Allow implicit flow.” Also, set the reply URLs as shown in Figure 2-37.
Figure 2-37New application settings
- 6.Now that you have created the application, you must generate the key on the Keys tab (Figure 2-38). Copy the value when generated, because you will not be able to view the value again. But you can remove the existing one and can always generate a new one.
Figure 2-38Generating a key
- 7.The next step is to create the sign-up and sign-in policy. This is done through user flows. You can learn more about user flows from the following link: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies#create-a-sign-up-or-sign-in-policy. Select User Flows from the left pane and click +Create New in the toolbar. On the next screen (Figure 2-39), you will see three tabs: Recommended, Preview, and All. You should start by selecting the user flow type. For this example, we will be selecting recommended flows, which can be used for most applications.
Figure 2-39Selecting a user flow type
- 8.
On the Create screen, there are a few mandatory fields that you should fill in. First, you should enter the name, which is a unique string to identify the user flow requests to Azure AD B2C (Figure 2-40).
Note Since this is a lengthy form, each section will be explained separately.
Figure 2-40User flow name
- 9.As shown in Figure 2-41, you can define the identity providers, and you should select at least one here. So we will be selecting the default one for this example. Also, you could define multifactor authentication here, but let’s leave it disabled for this example.
Figure 2-41Defining identity providers
- 10.The next step is to define the user attributes and claims that are collected during sign-up. By default on this screen, only a few fields are defined. Click the “Show more” link to add more fields. After selecting the fields required, then click the Ok button (Figure 2-42).
Figure 2-42User attributes and claims
- 11.Finally, click the Create button at the bottom of the screen to complete the process, and the new user flow will be created. Similarly, create the user flow for Profile Editing and Password Reset. As shown in Figure 2-43, all flows you have created will be listed.
Figure 2-43List of user flows created
- 12.After creating the user flows, you must set the following settings for each flow you have created. Open the Properties tab of the flow and under “Token compatibility settings,” select the URL with the /tfp/, as shown in Figure 2-44. This will be used to identify the claims that issued the token.
Figure 2-44User flow properties
Perform this action for the other flows you have created. There are other properties on this form, and you can configure them as per the requirements.
Portal Configuration
- 1.
Sign into the Dynamics 365 portal app and open Site Settings. Create the following entries:
Name | Value |
|---|---|
Authenticationn/OpenIdConnect/B2C/Authority | <The issuer URL> |
Authentication/OpenIdConnect/B2C/ClientId | 2f9237da-553f-41b0-a79f-374e83ba8b28 |
Authentication/OpenIdConnect/B2C/RedirectUri |
- 2.
To support the federated sign-out, create the following entry in Site Settings:
Name | Value |
|---|---|
Authentication/OpenIdConnection/B2C/ExternalLogoutEnabled | true |
- 3.
Create the following entry to hard-code the portal to a single identity provider:
Name | Value |
|---|---|
Authentication/OpenIdConnection/B2C/LoginButtonAuthenticationType | <Policy sign in URL> |
- 4.
Configure the password reset and create the following entries:
Name | Value |
|---|---|
Authentication/OpenIdConnect/B2C/PasswordResetPolicyId | <ID of password reset policy> |
Authentication/OpenIdConnect/B2C/ValidIssuers | <A comma-separated list of issuers that includes the policy sign-in URL and the issuer> |
Authentication/OpenIdConnect/B2C/DefaultPolicyId | <ID of the sign-in/sign-up policy> |
- 5.
To support the claims mapping, enter the following entries:
Name | Value |
|---|---|
Authentication/OpenIdConnect/B2C/RegistrationClaimsMapping | emailaddress1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
- 6.
Then enter the caption of the button:
Name | Value |
|---|---|
Authentication/OpenIdConnect/B2C/Caption | Azure AD B2C |
For more settings such as related site settings, related content snippets, etc., please visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/azure-ad-b2c#portal-configuration.
Azure B2C Site Settings
Sign-in page, Azure AD B2C
Azure AD B2C login screen
User Authorization
No matter what authentication technique is used in your portal, once a user is authenticated, you should authorize the user. This means you are giving authorization to perform certain tasks on the portal. First, let’s look at web roles, which are the cornerstone for authorizing the contacts.
Web Roles
Active web roles
Anonymous Users and Authenticated Users web roles
- 1.
Name: The value of this property is a descriptive name that will be used to identify the web role.
- 2.
Website: This is the associated web site of the web role.
- 3.
Description: This is an optional field that can be filled only if you want to add more detail about the role.
- 4.
Authenticated User Role: This is a Boolean value, and if set to true, then the role will be the default for authenticated users. There can be only one web role with this setting set to true. This will be the default web role for authenticated users who have not been assigned a web role.
- 5.
Anonymous User Role: This also a Boolean value, and if set to true, then the role will be the default for unauthenticated users. There can be only one web role with this setting set to true, and it will be the default web role for unauthenticated users. This will solely adhere to the entity permissions.
The administrator permission is the superuser for the portal, and by default, the role cannot do much. Therefore, you should edit this role to make it a proper Administrator role. In addition to these, you can create other web roles as per your requirements. The next level of web roles is the entity permissions, which will determine the record-level access of the authenticated users.
Entity Permissions
The entity permissions are used to grant record-level permissions to authenticated users. Once the entity permissions are created, they can be associated with the web roles. You should keep in mind that an authenticated portal user can have multiple roles, and a given web role will have multiple entity permissions. As a best practice, when you design the portal, you should consider determining the web roles and entity permissions. You can create the entity permissions under the entity permissions and add them to the web roles. For instance, the example of this book uses event management. Let’s assume we want to provide entity permission to administrators for the Event entity.
Event entity permissions
Global scope: If a contact is assigned the web role, which is assigned with an entity permission with a Global scope, then the contact will have access to all the records in the given entity. For more information, visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/assign-entity-permissions#global-scope.
Contact scope: If a contact is assigned a web role that has an entity permission with a Contact scope, then the user will only have access to the records associated with that contact of the user. This means the records will be filtered by the current user. For more information, visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/assign-entity-permissions#contact-scope.
Account scope: This scope will allow the users (contacts) to access the records within the same account. For more information, visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/assign-entity-permissions#account-scope.
Self scope: This is to make changes to their own contact record such as the default access a user has to the profile page. But if the user requires access to any custom entity forms or web forms, then they will require this permission. For more information, visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/assign-entity-permissions#self-scope.
Parent scope: This is the most complex of all the scopes described. When this scope is applied, it means the privileges to the entity record are granted through the parent-child relationship chain. For more information, visit https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/assign-entity-permissions#parental-scope. A nice example is given here that can be used with the Dynamics 365 portals: https://community.adxstudio.com/products/adxstudio-portals/documentation/configuration-guide/entity-permissions/attributes-and-relationships/
In our example, we will be giving full access to the event records for those users who have the Event Administrator role. This Event Administrator role will be associated with the Event entity admin permission that was created earlier. The next step is to create the child permissions to related record. The requirement is that the Event Administrators should have access to all the events, event registrations, payments, and other event planning details.
Child entity permission settings
Enter all the required information and select Parent as the scope; you will notice a new section appears so you can enter the relationship details. This implies that the event administrator will have full control over the event registration of a given event.
Important
For these permissions to work, you must enable entity permissions on the entity lists and entity forms. See Figure 2-52 and Figure 2-53. Furthermore, the child or the related entity must have a subgrid on the parent form. That is, the event form should list all the related event registrations that the user can click and open. In addition, you should also configure the Event Registration entity forms with create and edit permissions. In the next chapter, this book will demonstrate the actual usage of this permission when configuring and editing lists and forms.
Entity form enabled for entity permissions
Entity list enabled for entity permissions
Control Web Page Access for Portals
Web page access control rules
Web page access rules
Web Page: This is the page the rules will apply to, and it will be applied to all the child pages of this page. So, you must be extra careful because if you select the home page, the rule will be applied to all the pages within the portal.
Right: There are two options available: Grant Change and Restrict Read.
Grant Change enables the user in the web role linked with the rule to publish content changes to both the current page and its child pages. Grant Change will take precedence over a restricted read. For instance, within a given event details page, the event organizer should be able to publish updates, but they should not have the full access rights to other parts of the site. You should set the Grant Change right on the event page and assign the associating web role to the relevant contact/user, making them the publisher of this event. If you want to allow front-end editing, then you should always look into setting up Grant Change rules.
Restrict Read will limit specific users from viewing a page and its child pages. This is a restrictive rule that limits a set of users. For instance, you might want the event organizers to access the event section of the portal only.
Scope: This property will have two option. “All content” means the security validations will be enforced on all the child content. “Exclude direct child web files” will ignore child web content directly related to the current web page from the security validations. The default value is “All content.”
How this works is bit tricky. Let’s assume a scenario where you have four web pages: wp1, wp2, wp3, and wp4. If you want to give access to wp1 and wp2 to the anonymous user, restrict wp3 and wp4 using an authenticated web role for the access control rule. The logged-in/authenticated users can see wp3 and wp4, and the anonymous users can see wp1 and wp2 but not wp3 and wp4. If the anonymous user clicks the wp3 or wp4 link, they will be directed to the sign-in page.
Create Web Site Access Permissions
Web site access permissions
Manage Content Snippets allows modifications to the snippet control.
Manage Site Markers permits modifications to the hyperlinks that use the site markers.
Manage Weblink Sets permits adding and removing links from the web link sets.
Preview Unpublished Entities allows users to view the portal-enabled entities in draft mode.
As shown in Figure 2-56, you can specify the web roles for this rule on the Web Roles tab.
Summary
With that, I have covered most of the important security aspects of portals including both authentication and authorization. In the next chapter, I will demonstrate how to display content on the web pages.