Configure Lifecycle Services connectivity for Finance + Operations (on-premises) deployments

An on-premises local agent is used to orchestrate the deployment and servicing of Microsoft Dynamics 365 Finance + Operations (on-premises) through Microsoft Dynamics Lifecycle Services. To establish connectivity from Lifecycle Services to the Finance + Operations (on-premises) tenant, you must configure a certificate that enables the local agent to act on behalf of your Microsoft Entra tenant (for example, contoso.onmicrosoft.com).

Use either the on-premises agent certificate that you acquired from a certification authority (CA) or the self-signed certificate that you generated by using the infrastructure scripts. Previously, one on-premises agent certificate could be reused across all sandbox and production environments in a tenant. With the new authentication process, we no longer recommend reusing a certificate in that way.

First-time setup

The user who runs the script must have privileges to create Microsoft Entra applications in the tenant. The script creates a new application and service principal in the tenant, and then registers the certificate on that application. The certificate serves as the credential that the local agent uses to authenticate. Only the public certificate is registered in Microsoft Entra ID; the private key stays on the on-premises host, so that host must be protected accordingly.

To help reduce the impact of a security incident that is caused by a compromised certificate, we recommend that every environment has its own Microsoft Entra application, service principal, and certificate.

To create the Microsoft Entra application and service principal, and to register the certificate, follow these steps.

  1. Run the following command to create the Microsoft Entra application and service principal, and to register the certificate.

    # If you have issues downloading the Azure PowerShell Az module, run the following:
    # [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    # Install the pinned Az module version, then run the script from the folder that contains the infrastructure scripts.
    Install-Module Az -RequiredVersion 12.3.0
    .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application'
    

Note

If multiple tenants are associated with the sign-in account, you can run the following command to pass the tenant ID as a parameter. In this way, you ensure that the context is set to the correct tenant.

    .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -ApplicationDisplayName 'Display name of the application' -TenantId 'xxxx-xxxx-xxxx-xxxx'

Certificate renewal

Eventually, your certificate will expire. Renew it before the expiry date, and update the service principal with the new certificate. Once the registered certificate has expired, the local agent can no longer authenticate to the tenant, and deployment and servicing operations from Lifecycle Services fail until a valid certificate is registered.

To renew the certificate and update the service principal with the new certificate, follow these steps.

  1. Renew the certificate by using the same process that you used to create the original certificate.

  2. Run the following command to update the service principal with the new certificate.

    .\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -RotateCertificate
    

Validating that the certificate is correctly registered

To validate that the certificate is correctly registered, run the following command.

.\Set-LCSEntraApplication.ps1 -ConfigurationFilePath .\ConfigTemplate.xml -Test
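The -Test switch confirms that the certificate is registered. Two things it does not tell you are how long the registered credential has left before it expires, and whether the previous certificate is still registered after a rotation. The following script is an added example, not part of the Microsoft infrastructure scripts, that audits both. It assumes the Az.Resources module is installed, Connect-AzAccount has already been run against the correct tenant, the agent certificate is in the local machine personal store, and the application is looked up by the display name you passed to Set-LCSEntraApplication.ps1. The script file name Test-LCSAgentCertificate.ps1 is an assumed name.

```powershell
# Added example, not part of the Microsoft infrastructure scripts: audit the certificate
# credentials registered on the Entra application that the local agent authenticates with.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run against the
# correct tenant (pass -TenantId to Connect-AzAccount when the account spans several tenants).
# Save as Test-LCSAgentCertificate.ps1 (assumed name) and run it on the host that holds the
# agent certificate.
param(
    # Display name you passed as -ApplicationDisplayName to Set-LCSEntraApplication.ps1.
    [Parameter(Mandatory)] [string] $ApplicationDisplayName,
    # Thumbprint of the on-premises agent certificate in Cert:\LocalMachine\My.
    [Parameter(Mandatory)] [string] $Thumbprint,
    # Warn when the registered credential expires within this many days.
    [int] $WarnDays = 30
)

# Normalize Graph's customKeyIdentifier (the certificate thumbprint) to upper-case hex. Az surfaces
# it as byte[]; some module versions surface a base64 string, so both shapes are handled.
function ConvertTo-ThumbprintHex {
    param($Identifier)
    if ($null -eq $Identifier) { return $null }
    $bytes = if ($Identifier -is [byte[]]) { $Identifier } else { [Convert]::FromBase64String([string]$Identifier) }
    return ([BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$localCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $localCert) { throw "Certificate $Thumbprint was not found in Cert:\LocalMachine\My." }
if (-not $localCert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key, so the local agent cannot sign with it." }

$app = @(Get-AzADApplication -DisplayName $ApplicationDisplayName)
if ($app.Count -eq 0) { throw "No Microsoft Entra application named '$ApplicationDisplayName' exists in the current tenant." }
if ($app.Count -gt 1) { throw "Several applications share the display name '$ApplicationDisplayName'; narrow the lookup by application ID." }
$app = $app[0]

# The local agent signs in as the service principal, so the application object alone is not enough.
if (-not (Get-AzADServicePrincipal -ApplicationId $app.AppId)) {
    throw "Application $($app.AppId) has no service principal in this tenant; rerun Set-LCSEntraApplication.ps1."
}

# One row per registered certificate credential. Password (secret) credentials are ignored here;
# the agent is expected to use certificates only.
$now = [DateTime]::UtcNow
$report = foreach ($kc in $app.KeyCredentials) {
    $hex = ConvertTo-ThumbprintHex $kc.CustomKeyIdentifier
    [pscustomobject]@{
        KeyId        = $kc.KeyId
        Thumbprint   = $hex
        MatchesLocal = ($hex -eq $localCert.Thumbprint)
        NotAfter     = $kc.EndDateTime
        DaysLeft     = if ($kc.EndDateTime) { [int][Math]::Floor(($kc.EndDateTime - $now).TotalDays) } else { $null }
    }
}
$report | Format-Table -AutoSize

$current = $report | Where-Object MatchesLocal
if (-not $current) {
    Write-Error "Local certificate $($localCert.Thumbprint) is not registered on '$($app.DisplayName)'. Run Set-LCSEntraApplication.ps1 with -RotateCertificate."
}
elseif ($current.DaysLeft -le $WarnDays) {
    Write-Warning "Registered certificate $($current.Thumbprint) expires in $($current.DaysLeft) day(s); renew it and rotate the credential now."
}

# After a rotation the previous certificate may still be registered. Each extra credential is a
# second way to sign in as this service principal, so remove it once the agent is confirmed to be
# using the new certificate.
foreach ($stale in ($report | Where-Object { -not $_.MatchesLocal })) {
    $msg = "Stale credential {0} (thumbprint {1}) is still registered; remove it with: Remove-AzADAppCredential -ApplicationId {2} -KeyId {0}" -f $stale.KeyId, $stale.Thumbprint, $app.AppId
    Write-Warning $msg
}
```

Run it once after first-time setup and again after every rotation. The expiry warning is what lets you schedule the renewal in the "Certificate renewal" section before the agent stops authenticating, and the stale-credential warning is the per-environment cleanup that keeps a compromised old certificate from remaining a valid sign-in path for the service principal. Because one application and certificate are recommended per environment, run it against each environment's application display name.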