ternarywat
Regular Visitor

Deploying Application User for Multi-tenant server-to-server authentication

Hello,

 

I am a developer working on building an integration for my web app to query the Common Data Service APIs. I have been following the docs on how to authenticate with CDS and set up my application Azure Active Directory, but I am very confused on how to make this easy for my users to set up. I ultimately want my users to install a solution from AppSource, authenticate through my web app, and start using the integration as needed.

 

I'm specifically confused with the last section of the multi-tenant authentication docs that recommend the following:

 

> You must include a custom security role which defines what privileges your application requires and then make sure that the application user is associated to that custom security role. Because a custom security role can be included in a solution, you should prepare a managed solution which contains the definition of the custom security role and any other solution components your application requires.

 

> However, the application user cannot be included with a solution so you will need to provide a way to create this application user and associate it with the custom security role.

> There are several ways that you can achieve this, including writing your own program using the web services and having the subscriber run the program.

 

I understand what a "managed solution" does, but where I'm confused from the above is:

 

* Can I write code that runs as part of the installation process of my AppSource package? If so, where are the docs to help get me started on that?

* If I am not able to write code, how do folks generally handle the creation of the user? Do you share a script with your customers to run, have them create it manually, or do something else?

 

Thank you!

 

Accepted Solutions

EricRegnier
Super User

Hi @ternarywat,

I'm pretty sure you can include an install package with the CDS managed solution, deployment guide (readme) and scripts (e.g. PowerShell) in AppSource or even direct users to your company's web page to download and install the package. You'll only need to submit the app and go through a review and approval process at https://appsource.microsoft.com/en-us/partners/signup. You can submit a support ticket to get more help about AppSource at https://support.microsoft.com/en-us/supportforbusiness/productselection?sapId=48734891-ee9a-5d77-bf2....

Below are answers to your questions:

  1. "a custom security role can be included in a solution, you should prepare a managed solution": You'll need to create a custom security role in CDS and assign that role to the app user after it's created in CDS. The custom role has to be included in the managed solution that your customers will download and install, so that the role exists in their environment and can be assigned successfully.
  2. "the application user cannot be included with a solution so you will need to provide a way to create this application user": Unlike my previous point #1, where you can include a security role in a CDS solution, unfortunately you can't include an app user (or other types of users) in a solution. Those are considered data, so the best way to automatically create the user and assign the role is to script it, such as with PowerShell. There are a few CDS PowerShell modules to facilitate the scripts, such as: https://github.com/seanmcne/Microsoft.Xrm.Data.PowerShell

Hope this makes sense!

 

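As an added illustration of the scripted approach in point 2 (this is not code from the thread or from the module's own documentation), here is a PowerShell script the subscriber's admin could run after importing the managed solution. It assumes the Microsoft.Xrm.Data.PowerShell module linked above, placeholder values for the environment URL, app (client) id and role name, and that the admin signs in interactively so the script never handles an app secret.

```powershell
# Added example: create the application user for a multi-tenant Azure AD app in the
# subscriber's CDS environment and assign it the custom security role shipped in the
# managed solution. Placeholder parameters; cmdlet names are from Microsoft.Xrm.Data.PowerShell.
param(
    [Parameter(Mandatory)] [string] $EnvironmentUrl,   # e.g. https://contoso.crm.dynamics.com (placeholder)
    [Parameter(Mandatory)] [guid]   $ApplicationId,    # client id of the ISV's Azure AD app registration
    [Parameter(Mandatory)] [string] $RoleName          # custom role included in the managed solution
)
Import-Module Microsoft.Xrm.Data.PowerShell

# The subscriber's admin signs in interactively; no client secret is needed or stored here.
$conn = Connect-CrmOnline -ServerUrl $EnvironmentUrl -ForceOAuth

# Refuse to continue if the managed solution (and therefore the role) is not installed yet.
$roles = Get-CrmRecords -conn $conn -EntityLogicalName role -FilterAttribute name `
            -FilterOperator eq -FilterValue $RoleName -Fields roleid,name
if ($roles.Count -eq 0) {
    throw "Security role '$RoleName' not found; import the managed solution first."
}

# Idempotent: reuse an existing application user for this app id instead of creating a duplicate.
$existing = Get-CrmRecords -conn $conn -EntityLogicalName systemuser -FilterAttribute applicationid `
               -FilterOperator eq -FilterValue $ApplicationId -Fields systemuserid
if ($existing.Count -gt 0) {
    $userId = $existing.CrmRecords[0].systemuserid
} else {
    # Application users are created in the root business unit (the one without a parent).
    $rootBu = (Get-CrmRecords -conn $conn -EntityLogicalName businessunit -FilterAttribute parentbusinessunitid `
                  -FilterOperator null -Fields businessunitid).CrmRecords[0].businessunitid
    $userId = New-CrmRecord -conn $conn -EntityLogicalName systemuser -Fields @{
        applicationid        = $ApplicationId    # marks the record as an application user
        businessunitid       = (New-CrmEntityReference -EntityLogicalName businessunit -Id $rootBu)
        firstname            = "Contoso"                    # placeholder display values
        lastname             = "Integration"
        internalemailaddress = "integration@example.com"
    }
}

# Grant only the role the solution defines; never fall back to System Administrator.
Add-CrmSecurityRoleToUser -conn $conn -UserId $userId -SecurityRoleName $RoleName
Write-Host "Application user $userId now has security role '$RoleName'."
```

The script checks for the role before creating anything, so a customer who runs it before importing the managed solution gets a clear error rather than an application user with no privileges.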

I'm pretty sure you can include an install package with the CDS managed solution, deployment guide (readme) and scripts (e.g. PowerShell) in AppSource or even direct users to your company's web page to download and install the package

 

This was the clue I was looking for and I missed while exploring the docs. I've been researching Managed Solutions, when I actually need to be looking into Packages. This reference led me to this section of the docs:

 

https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/introduction-solutions#depl...

 

which then led me to this tutorial:

 

https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/package-deployer/create-pac...

 

Is that the correct documentation page I should reference to write the code to create a user as part of my package?


6 REPLIES
ben-thompson
Solution Sage

Before I reply with details: exactly how is your application going to talk to the CDS instance?

Will the CDS instance call your azure function to perform a task or will your azure function be sending the data to the CDS instance directly?
---
If this post has answered your question please consider it for "Accept as Solution" or if it has been helpful give it a "Thumbs Up".

> Will the CDS instance call your azure function to perform a task or will your azure function be sending the data to the CDS instance directly?

 

My application will be sending data to the CDS instance directly.

 

IDK if this helps, but this is a separate web application running outside of Azure (e.g. a python web app), so I don't plan on using an azure function. 

 

 


As your app is sending data to the CDS system, your system will need credentials to log in to the CDS instance. That might be a problem, as a lot of companies will not allow direct remote access into their systems and they will have to configure the credentials for you. It is not possible to do it within CDS without manual intervention, as the important part would be a secret key created within Azure Active Directory. https://docs.microsoft.com/en-us/azure/marketplace/partner-center-portal/commercial-marketplace-lead... shows how Microsoft does it, and you would need to do something similar.

 

The way I've got around it for one of the things I'm working on is to use a scheduled Power Automate / Flow task that gets a secret key (which you can generate in CDS) and passes that key as part of the scheduled request to our servers. In the response to the request we then send all the new and updated objects in a JSON object that the next step in the Flow processes.

 

*In reality the scheduled task calls an action within the CDS instance and the action does all the work but I know there are other options available.



Yep, that's exactly it. You can write C# code after different stages of the CDS solution import process, include data import files, and include HTML pages to guide the user at the different steps of the installation. That's also the package I believe you can submit to Microsoft AppSource review.
