Like
Share
ReportIntroduction
There are numerous inquiries from partners and customers about how to conduct UI performance testing on Finance and operations with JMeter without disabling the Multifactor authentication (MFA). MFA is designed to prevent brute-force attacks and unauthorized access attempts, so it's generally recommended to disable MFA for testing accounts during performance testing. This is because the added security layer can complicate the process and performance testing should be target and planned activity. However, in today's security-conscious environment, many organizations—whether in testing or non-production settings—are not permitted to disable MFA, even for performance testing. As a result, certain settings, depending on the organization, may not allow bypassing MFA for specific testing accounts. In this blog post, I will present a strategy to conduct UI performance testing that maintains security integrity even when MFA is enabled. This approach supports that performance testing can be carried out effectively without compromising security measures.
There are numerous inquiries from partners and customers about how to conduct UI performance testing on Finance and operations with JMeter without disabling the Multifactor authentication (MFA). MFA is designed to prevent brute-force attacks and unauthorized access attempts, so it's generally recommended to disable MFA for testing accounts during performance testing. This is because the added security layer can complicate the process and performance testing should be target and planned activity. However, in today's security-conscious environment, many organizations—whether in testing or non-production settings—are not permitted to disable MFA, even for performance testing. As a result, certain settings, depending on the organization, may not allow bypassing MFA for specific testing accounts. In this blog post, I will present a strategy to conduct UI performance testing that maintains security integrity even when MFA is enabled. This approach supports that performance testing can be carried out effectively without compromising security measures.
The Pain Points
There are many types of authentication and verification methods available in Microsoft Entra ID Authentication methods and features - Microsoft Entra ID | Microsoft Learn. For example, passwordless sign-in with Microsoft Authenticator requires users to extra authenticate by retrieving a number from the login page and entering it into the Phone Authenticator. Automating this process is challenging due to the lack of an API, requiring additional integration development.
There are many types of authentication and verification methods available in Microsoft Entra ID Authentication methods and features - Microsoft Entra ID | Microsoft Learn. For example, passwordless sign-in with Microsoft Authenticator requires users to extra authenticate by retrieving a number from the login page and entering it into the Phone Authenticator. Automating this process is challenging due to the lack of an API, requiring additional integration development.
How It Works and My Approach
My suggested approach is to bypass this authentication process and start the UI performance testing from the Finance and Operations page instead of authentication page. This approach should help with performance testing when MFA or SSO is enabled. However, be aware that this method is not fully automated, it requires effort to update the necessary values before starting the performance test. Specifically, the approach will skip the Entra ID login and rely on the session token from the cookie to validate the login information.
My suggested approach is to bypass this authentication process and start the UI performance testing from the Finance and Operations page instead of authentication page. This approach should help with performance testing when MFA or SSO is enabled. However, be aware that this method is not fully automated, it requires effort to update the necessary values before starting the performance test. Specifically, the approach will skip the Entra ID login and rely on the session token from the cookie to validate the login information.
Prerequisite: You have a complete JMX script which followed my previous blog post, your JMX script should have a similar login section. Those samplers in login section is simulate user login via login.microsoftonline.com with email and password, but they will be ineffective when MFA is enabled.
Step 1: Extract Cookies from Dynamics 365 Finance and Operations
- Log in to Dynamics 365 Finance and Operations Apps using Microsoft Edge.
- Press Ctrl+Shift+I or F12 to open Developer Tools.
- Navigate to the Application tab.
- Expand the Cookies section and locate the cookies associated with the current URL.
- A list of data will be displayed in the right pane—this information will be used in the next step.
Step 2: Configure CSV Data Set in JMeter
- In your JMX script, go to the Test Plan.
- Create a new CSV Data Set Config.
- Provide the following values:
- Filename: Path to your CSV file (e.g., Login_cookie.csv).
- Variable Names: owinauth, aos, csrftoken
- Delimiter: ','
- In the CSV file (e.g., Login_cookie.csv), copy the values from the browser cookies into the file. Specifically, extract the values for DynamicsOwinAuth, ms-dyn-affinity, and ms-dyn-csrftoken in that order, separated by commas.
Step 3: Set Up HTTP Cookie Manager in JMeter
- In your JMX script, locate the HTTP Cookie Manager within the Test Plan.
- If you don't have an HTTP Cookie Manager in the Test plan, create one.
- Add three new lines to the Cookie Manager with the following details:
Name Value Domain Path Secure ms-dyn-affinity ${aos} .${host} / Checked ms-dyn-csrftoken ${csrftoken} ${host} / Checked DynamicsOwinAuth ${owinauth} .${host} / Checked
Step 4: Disable Login in JMX Script
- Disable the Login Controller or any related login samplers in the JMX script.
Step 5: Execute the JMX Script
- Run the JMX script. The script will start from the Finance and Operations page, effectively skipping the login process.
Authentication will be validated using the cookies provided in the HTTP Cookie Manager. The server will recognize the user alias from the cookie information, allowing you to perform the testing seamlessly.
A new Purchase order has been successfully created using the testing account.
Summary
In this post, I have outlined the approach for conducting UI performance testing with JMeter when MFA is enabled. Since we are copying the session token from a cookie, the session token will expire after some time, requiring you to update these values in the cookie manager periodically. While I haven't tested this approach with all types of authentications, I believe it can be applied to most scenarios.
In this post, I have outlined the approach for conducting UI performance testing with JMeter when MFA is enabled. Since we are copying the session token from a cookie, the session token will expire after some time, requiring you to update these values in the cookie manager periodically. While I haven't tested this approach with all types of authentications, I believe it can be applied to most scenarios.
Blog series included:
- Part 1 – Dynamics 365 finance and operations apps performance testing with JMeter - Introduction
- Part 2 – Dynamics 365 finance and operations apps performance testing with JMeter - Execution
- Part 3 – Dynamics 365 finance and operations apps performance testing with JMeter - Result Analysis
- Part 4 – Dynamics 365 finance and operations apps performance testing with JMeter - Tips and Troubleshooting
- Part 5 – Dynamics 365 finance and operations apps performance testing with JMeter - MFA
*This post is locked for comments