Dynamics 365 – Connecting your app using MFA

MFA is becoming a common thing, as joyous as it is to use 🙂

I have a C# app that connects to Dynamics CRM/365 and I had to update it to support Microsoft Azure MFA.

I couldn’t really find any definitive guide out there, i had to cobble all different things together to get a working solution.

I hope this guide helps out some other poor sucker like me.

 

1. I had to update my application to use the modern CRM Tooling method of connection.

I added the following in Nuget to my solution – the key being the CrmTooling which supports the new connection string method of connecting.

In my code, i changed the way i obtained an IOrganizationService to the below (simplified):

 

This gets me a connection using the new Tooling DLL and a CRM Connection string.

 

Next step, you need to create an application in Azure AD.  I followed this guide.

The trick is the Redirect URI – i wasn’t working with a web app – I ended up using http://localhost

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/walkthrough-register-dynamics-365-app-azure-active-directory

 

Finally, constructing a connection string that would work with the new registered Azure App.

AuthType=OAuth;Url=https://yourcrm.crm.dynamics.com;AppId=yournewappid;RedirectUri=http://localhost;

 

Now when you go to connect, the Microsoft Sign In assistant pops up and handles the authentication to the CRM Instance.

And, if you have MFA turned on, you are also prompted with MFA.

 

Happy Days!

 

Dynamics CRM 365 – On Prem – Invalid Trace Directory

Looks like another piece of CRM team awesomeness.

The Tracing directory should be:

C:\Program Files\Microsoft Dynamics CRM\Trace

 

But some update somewhere changes it to:

c:\crmdrop\logs

 

That’s not very helpful.

I initially tried to change the trace directory back to the right place using CRM PowerShell, but that failed with authentication errors (that i have also posted on here – http://paulobrien.co.nz/2018/03/07/get-crmsetting-powershell-the-caller-was-not-authenticated-by-the-service-the-request-for-security-token-could-not-be-satisfied-because-authentication-failed/).

 

This is the guide i tried using the powershell method – makes sense, if powershell crm wasn’t broken as well.

How to fix ‘Invalid Trace Directory’ errors

 

So ended up changing in the CRM Database and registry:

 

 

And in the MSCRM_CONFIG database:

 

 

Get-CrmSetting powershell – The caller was not authenticated by the service / The request for security token could not be satisfied because authentication failed.

Had a need to run CRM powershell on an On-premise CRM Server.

I’ve had this same issue before where any powershell command you run against the Microsoft.Crm.PowerShell provider fails with authentication errors.

In this example, i was trying to run this and it barfed on Get-CrmSetting ….

 

Turned out to fix it, i needed to add a registry key.  After i did this it worked straight away (no need to reboot or reopen the PS window).

 

Method 2 in this article:

https://support.microsoft.com/en-us/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate