ADFS - Azure AD - Dynamics 365

  • 182 Views
  • Last Post 28 March 2017
Anthony.Vandenbossche posted this 23 March 2017

Hello All,

I’m back again with a question concerning a Dynamics 365 for Operations deployment, in other words: AX as a SaaS app. We already make use of O365 together with WAP/ADFS on premises to have Web SSO for Sharepoint Online among others. By default, Dyn365 uses the same authentication schema as all the rest of the O365 services such as Exchange Online and Sharepoint Online, meaning that users get redirected towards ADFS for authentication (the domain name used in the user’s UPN is a federated domain).

For the Dyn365 deployment we have some additional security requirements, such as only allowing a specific IP range to the application. We can make this happen with ADFS 2016 using Conditional Access Policies, so no problem there. However :) as stated earlier, only 1 Relying Party is present on ADFS and thus implementing extra security measures implicates other O365 services such as Exchange Online. You see the problem here. I do not want to impact other services than Dyn365 with these (a bit absurd I know) security requirements.

Do you guys have any ideas on how to accomplish this? I was thinking about some complex Claims Rules in ADFS on the O365 Relying Party to distinguish between the different sources,

bdesmond posted this 23 March 2017

Azure AD Premium and Conditional Access is what you want. You’ll be redirected to AD FS, but the access policies (network location in your case) will be implemented in AAD. You could add a 30 day trial to a tenant and try it out.

Thanks,

Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132
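As an added example (not from this thread), the policy shape Brian describes, expressed with the Microsoft Graph PowerShell cmdlets: a named IP location plus a Conditional Access policy scoped to a single cloud app, so the other O365 services are left untouched. It assumes the Microsoft.Graph module, an Azure AD Premium licence and that the target app is selectable as its own cloud app (which, as the thread goes on to note, was not the case for Dyn365 in 2017); the app id and break-glass account id are placeholders and the CIDR is a constructed test range.

```powershell
# Added example: block one cloud app from outside an allowed IP range with
# Azure AD Conditional Access, leaving every other O365 app unaffected.
# Assumes the Microsoft.Graph module and an account allowed to write CA policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$appId = "<dyn365-app-id-placeholder>"   # placeholder: real application (client) id of the app

# 1. Named location: the only egress range that may reach the app (constructed TEST-NET-3 range)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Dyn365 allowed egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Policy: one app in scope, every location except the named one, grant control = block.
#    Exchange Online, SharePoint Online etc. are not in includeApplications, so they keep
#    the tenant's existing behaviour. Start in report-only and read the sign-in logs first.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block Dyn365 outside corporate range"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-id-placeholder>")  # never lock out the emergency account
        }
        applications = @{ includeApplications = @($appId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Check the scope is exactly the one app before enforcing the policy
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$check.Conditions.Applications.IncludeApplications
```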

Anthony.Vandenbossche posted this 23 March 2017

Hi Brian,

So if I understand the flow correctly:

1. User accesses the app
2. Azure AD login page shows up
3. User fills in UPN/e-mail
4. Home Realm Discovery sends user to ADFS
5. In LAN IWA/SSO takes place | externally FBA is performed
6. Redirect back towards Azure AD
7. Access Policies kick in
8. Access is blocked when user doesn’t comply

Correct?

Thanks!

ANTHONY VAN DEN BOSSCHE
Technical Consultant
Hybrid Cloud
You can mail me anthony.vandenbossche@xxxxxxxxxxxxxxxx
Call me at my UC number +32 2 801 54 59
RD Portal: www.realdolmen.com

This e-mail message and any attachment are intended for the sole use of the recipient(s) named above and may contain information which is confidential and/or protected by intellectual property rights. Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. If you have received this e-mail in error, please notify the sender either by telephone (+32 2 801 55 55) or by e-mail and delete the material from any computer. Please note that neither Realdolmen nor the sender accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. Realdolmen is responsible neither for the correct and complete transfer of the contents of the sent e-mail, nor for the receipt on due time.

Think green, keep it on your screen

bdesmond posted this 23 March 2017

That’s it.

Thanks,

Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

Anthony.Vandenbossche posted this 28 March 2017

Brian,

I fear that the suggestion you made is not yet possible on Azure AD. The official answer of MS:

Hello Anthony,

As Dyn365 is already part of the O365 suite, there isn’t any separate Enterprise application for Dyn365 you can add. You can either completely enable or disable the App for individual users.

The option you are requesting is absolutely valid, that Dyn365 should be a separate application so you can apply conditional access separately, but that isn’t an option for now.

However I would request you to vote your ideas here https://feedback.azure.com/ so that it can be considered by the product group.

Best Regards,

Milan

If anything changes concerning this requirement, I’ll give you an update.

PS: I did post a suggestion on the feedback page, if you want to submit your vote :)

https://feedback.azure.com/forums/34192--general-feedback/suggestions/18753469-having-a-separate-relying-party-trust-on-adfs-for

Kr,

ANTHONY VAN DEN BOSSCHE
Technical Consultant
Hybrid Cloud