Поделиться через


Authenticating Users with Azure Active Directory

Azure Active Directory (Azure AD) is a cloud service that provides identity and access capabilities, such as for applications on Microsoft Azure, Microsoft Office 365, and for applications that install on-premises. If the Microsoft Dynamics NAV Server instance is configured to use the AccessControlService credential type, you can associate the Microsoft Dynamics NAV user accounts with Azure AD accounts that users use to access the Microsoft Dynamics NAV Web client, Microsoft Dynamics NAV Windows client, Office 365, and SharePoint.

For example, your users access a website, such as a SharePoint site. From there, they have single sign-on access to Microsoft Dynamics NAV because you have configured Microsoft Dynamics NAV for Azure AD.

Azure AD and Microsoft Dynamics NAV

You can use the Azure AD service to associate your existing Microsoft account with your Microsoft Dynamics NAV user account and achieve single sign-on between the Microsoft Dynamics NAV Web client and Office 365. Also, if you use Microsoft Dynamics NAV in an app for SharePoint, you can use Azure AD to achieve single sign-on between the Microsoft Dynamics NAV Web client and SharePoint. You can still host the Microsoft Dynamics NAV Server instance and Microsoft Dynamics NAV Web Server components on-premises. You do not have to deploy Microsoft Dynamics NAV on Azure to use Azure AD for user authentication.

Creating an Azure AD Tenant

If you have an Office 365 subscription that is based on a domain such as solutions.onmicrosoft.com, you are already using Azure AD because the user accounts are based on Azure AD. Then, if you add the email addresses for those user accounts to the user accounts in Microsoft Dynamics NAV, the users experience seamless integration between your SharePoint site and the Microsoft Dynamics NAV Web client.

If you want to sign up for an Office 365 plan, you can use a plan such as Office 365 Enterprise E1 as your test site, or sign up for a trial developer plan. A trial plan includes an administrative account which you will use to access the Azure management portal. For example, if your Office 365 site is Solutions.onmicrosoft.com, your administrative account can be admin@solutions.onmicrosoft.com. For more information, see Select an Office 365 plan for business.

Alternatively, you can sign up for an Azure subscription that is not associated with an Office 365 subscription. You can sign up in the Azure management portal at https://manage.windowsazure.com. Then, you can configure an Active Directory, which creates an Azure AD tenant. For more information, see Administering your Azure AD tenant.

When you create a directory in the Azure management portal, you must specify a domain name that identifies your Azure AD tenant, such as solutions.onmicrosoft.com. You will use the domain name when you add users to your Azure AD.

When you have created the Azure AD tenant, you must add users. For more information, see User account management.

Configuring Microsoft Dynamics NAV Server for Azure AD

The Microsoft Dynamics NAV Server instances that must support Azure AD must be configured to use AccessControlService as the credential type. The AccessControlService credential type for the Microsoft Dynamics NAV Server instance includes support for Azure AD so that you can achieve single sign-on between the SharePoint site and Microsoft Dynamics NAV.

You must also specify the location of the federation metadata. The federation metadata is used to establish a trust relationship between Microsoft Dynamics NAV and Azure AD. You must specify the federation metadata document URL that you retrieved from the Azure AD overview page in the configuration settings for the Microsoft Dynamics NAV Server instances. The federation metadata location is part of the client services section of the Microsoft Dynamics NAV Server configuration. For example, in the Microsoft Dynamics NAV Server Administration tool, on the Client Services tab, the Federation Metadata Location field specifies the location, such as https://login.windows.net/Solutions.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml.

To configure SOAP and OData web services for Azure AD authentication, in the Microsoft Dynamics NAV Server configuration, you must specify the App ID URI that is registered for Microsoft Dynamics NAV in the Azure AD. The App ID URI is typically the same as the wtrealm parameter value of the ACSUri setting in the configuration files for the Microsoft Dynamics NAV Web client and Microsoft Dynamics NAV Windows client.

You can configure the Microsoft Dynamics NAV Server instances in the Microsoft Dynamics NAV Server Administration tool and by using Windows PowerShell cmdlets. For more information, see Configuring Microsoft Dynamics NAV Server.

Configuring Microsoft Dynamics NAV Web Server components for Azure AD

The Microsoft Dynamics NAV Web Server components that must support Azure AD must also be configured to use AccessControlService as the credential type.

Also, you must specify an ACSUri for Azure AD authentication. The ACSUri specifies the authentication page for your Azure AD tenant, such as the following: https://login.windows.net/Solutions.onmicrosoft.com/wsfed?wa=wsignin1.0%26wtrealm=https%3a%2f%2fSolutions.onmicrosoft.com%2fNAV, where Solutions.onmicrosoft.com is the domain of your Azure AD tenant, and wtrealm=https%3a%2f%2fSolutions.onmicrosoft.com is the App ID URI.

Configuring Microsoft Dynamics NAV Windows client for Azure AD

The Microsoft Dynamics NAV Windows client must also be configured to use AccessControlService as the credential type in order to support Azure AD. The ACSUri for Azure AD authentication should have the following format https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0%26wtrealm=<realm>%26wreply=<reply>. The <reply> parameter in the URL must be equal to the <App URL>, for example, https://www.solutions.onmicrosoft.com/DynamicsNAV/WebClient. For a list of parameters, see the section Adding Microsoft Dynamics NAV to your Azure AD Tenant later in this topic.

Associating the Azure AD Accounts with the Microsoft Dynamics NAV User Accounts

Each user in your Azure AD tenant that will access Microsoft Dynamics NAV must be set up in Microsoft Dynamics NAV. For example, create the users with Windows authentication or with user name/password authentication, depending on your deployment scenario. But you must also specify an authentication email address on the Office 365 Authentication FastTab in the User Card window. The authentication email address is the email account for that user in your Azure AD tenant. When you combine this with the relevant configuration of the Microsoft Dynamics NAV Server instance, users achieve single sign-on when they access Microsoft Dynamics NAV Web client from the SharePoint site, for example. For more information, see How to: Create Microsoft Dynamics NAV Users.

Important

The single sign-on means that users are still signed in to Azure AD when they sign out from Microsoft Dynamics NAV, unless they close all browser windows. However, if a user selected the Keep me signed in field when they signed in, they are still signed in when they close the browser window. To fully sign out from Azure AD, the user must sign out from each application that uses Azure AD, including Microsoft Dynamics NAV and SharePoint. We recommend that you provide guidance to your users for signing out of their account when they’re done, so that you can keep your Microsoft Dynamics NAV deployment more secure.

Adding Microsoft Dynamics NAV to your Azure AD Tenant

You must register your Microsoft Dynamics NAV solution as an application in Azure AD tenant. Then, you can choose to make it available to other Azure AD tenants.

When you access your Azure AD tenant in the Azure management portal at https://manage.windowsazure.com, in the Applications view, you can add an application. When you add an application to an Azure AD tenant, you must specify the following information in the Add Application wizard:

Wizard page Field Description

1

Name

The name of your application as it will display to your users, such as Financial App by Solutions.

1

Type

Choose Web application and/or web app.

2

App URL

The URI for signing in to your Microsoft Dynamics NAV Web Server components, such as https://www.solutions.com/DynamicsNAV/WebClient/.

2

App ID URI

The URI to a domain in your Azure AD tenant, such as https://solutions.onmicrosoft.com/Financials.

Dn414569.Important(en-us,NAV.80).gifImportant
The App ID URI must be unique within the Azure AD tenant. However, if you want to share your Microsoft Dynamics NAV solution with other Azure AD tenants, the App ID URI must be unique in Azure AD.

This URI is appended to the ACSUri in the configuration settings for Microsoft Dynamics NAV Server and Microsoft Dynamics NAV Web Server components. Additionally, in the Microsoft Dynamics NAV Server configuration, it must be specified in the Azure Active Directory App ID URI setting. For more information, see Authenticating Users with Azure Active Directory.

3

Directory Access

Choose Single Sign-On.

Your Microsoft Dynamics NAV solution is now registered in your Azure AD tenant. To enable single sign-on with Azure AD, you must copy the App ID URI and the federation metadata document URL to a document of your choice for future reference. Both values are available in the overview page for the application in Azure management portal, and you will use them to configure your Microsoft Dynamics NAV Server instances.

Next, you must configure the application to be externally available. Also, you can change the logo to reflect the functionality of the application. From the overview page for Microsoft Dynamics NAV as an application, you can change configuration settings by choosing Configure. Then, save your changes.

Making Microsoft Dynamics NAV Available to Azure AD Tenants

In the overview page for the application, the URL for Granting Access field contains a URL that you can send to users in other Azure AD tenants. Then, when they choose the link, a page displays where they must agree to trust the application. If they accept, the app is added to their SharePoint site.

See Also

Tasks

How to: Create Microsoft Dynamics NAV Users
How to: Sign Up for a Microsoft Account
How to: Sign Up for a Microsoft Azure Subscription
How to: Set up Microsoft Dynamics NAV for Single Sign-on With Office 365 using Windows PowerShell

Concepts

Users and Credential Types

Other Resources

Integrating with Office 365 and SharePoint Online