Dynamics GP 2018: Organizational Accounts and Workflow
Because this new functionality will allow more customers to utilize Workflow, and because the Azure portal has changed since we last wrote about this feature, we wanted to get this updated blog published for you, the Dynamics GP community.
Creating the Azure Active Directory and Application
For the purposes of this blog I’m assuming that you have an Office 365 subscription that grants you access to Azure. In my internal testing I created an O365 Developer subscription, which created a domain.onmicrosoft.com domain and admin user for my use.
https://manage.windowsazure.com
3. You then need to create the application that will be used for GP Web Client authentication. To do this click the App registrations link on the left hand side, under the Azure Active Directory:
4. Click ‘New registration’ if you don’t already have an App registration that you plan to use, then provide a Name for the App Registration.
Under ‘Supported account types’, select the option:
‘Accounts in any organizational directory (Any Azure AD directory – Multitenant)’
(The portal’s other choice, ‘Accounts in this organizational directory only (Single tenant)’, limits sign-in to your own directory. The multitenant option is what later allows an Azure AD administrator to grant the application access from the /Tenant page described under Enabling users.)
For the ‘Redirect URI (optional)’, leave the first field set to ‘Web’ and then, in the second field, add your actual Dynamics GP Web Client URL, for example https://Server.Domain.com:PortNumber/GP (your own server name, port and /GP path):
***NOTE: Do not use the Azure domain name in the URL, otherwise Web Client will experience connection issues when launching.***
Configuring the Windows Azure Application
1. Once the App Registration completes, the new App Registration’s Overview page opens showing its properties.
2. Copy the Application (Client) ID value for later use in the Dynamics GP Web Components installation.
3. In the App Registration overview window, click on ‘Expose an API’ on the left side.
At the top of this window, click the ‘Set’ link next to ‘Application ID URI’ and enter the Web Client URL, but with your Azure AD domain in place of the server name, for example https://MyADDomainName.onmicrosoft.com/GP. This is the value the Web Components installer later asks for as the App ID URI, and the two must match exactly.
4. Still under the App Registration, on the left side, click on ‘Certificates & secrets’. In this window, click ‘New client secret’, then, in the ‘Add a client secret’ window, enter a Description such as something mentioning Web Client, then an expiration timeframe. In my case, the longest I could choose was 2 years using the ‘Custom’ selection. Click Add.
5. The Client Secret is created and shown with the description you just gave it, the expiration date, a ‘Value’ and a ‘Secret ID’.
Copy the ‘Value’ (and the ‘Secret ID’) now. The portal shows the ‘Value’ only at creation time and it cannot be retrieved afterwards; if you lose it you must create a new secret. The ‘Value’ is what the Dynamics GP Web Components installer asks for as the Application Key. Record the expiration date as well: when the secret expires, Organizational Account logins to Web Client stop working until a new secret is created and supplied to the Web Components in place of the old one.
6. Still under the App Registration, click on ‘API Permissions’.
By default, you should see the User.Read delegated permission for Microsoft Graph.
Click on ‘Add a permission’ and then, under Microsoft Graph, choose ‘Delegated permissions’, find and mark the option for ‘User.ReadBasic.All’, then click ‘Add permissions’ to save the change.
Click on ‘Add a permission’ a second time and, again under Microsoft Graph, this time choose ‘Application permissions’, find and mark the option for ‘Directory.Read.All’, then click ‘Add permissions’ to save the change. Directory.Read.All is an application permission (the Web Client uses it without a signed-in user, for the Workflow user lookups), which is why the admin consent in the next step is required.
7. Lastly, still in the API Permissions window, click the option for ‘Grant admin consent for Default Directory’ and then ‘Yes’ when prompted to confirm. All three permissions should now show a green ‘Granted’ status, such as this example:
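The portal steps 3 through 7 above can also be scripted, which is useful when you need to rebuild the registration or rotate the client secret on a schedule. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original post and not Microsoft’s own tooling for Dynamics GP. It assumes the Microsoft.Graph module is installed, that you run it as a Global Administrator of the tenant, and that the Web Client URL, Azure AD domain name and display name are placeholders you replace with your own. The permission IDs are the well-known Microsoft Graph IDs for User.Read, User.ReadBasic.All and Directory.Read.All.

```powershell
# Added example, not from the original post: creates the Web Client app registration
# (steps 3-7) with the Microsoft Graph PowerShell SDK and prints the values the
# Web Components installer asks for in its Authentication Type window.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

# --- Values you must replace (placeholders, not real hosts or tenants) ---
$WebClientUrl = 'https://Server.Domain.com:PortNumber/GP'   # actual Web Client URL, NOT the Azure domain (see note under step 4)
$AzureDomain  = 'MyADDomainName.onmicrosoft.com'            # your Azure AD domain name
$AppIdUri     = "https://$AzureDomain/GP"                     # Application ID URI (step 3): Web Client URL with the Azure domain

# Well-known Microsoft Graph resource and permission IDs
$GraphAppId           = '00000003-0000-0000-c000-000000000000'
$UserRead             = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'  # User.Read (delegated, present by default)
$UserReadBasicAll     = 'b340eb25-3456-403f-be2f-af7a0d370277'  # User.ReadBasic.All (delegated)
$DirectoryReadAllRole = '7ab1d382-f21e-4acd-a863-ba3e13f7da61'  # Directory.Read.All (application)

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All'

# Step 4: the registration. 'AzureADMultipleOrgs' is the
# "Accounts in any organizational directory (Multitenant)" choice.
$app = New-MgApplication -DisplayName 'Dynamics GP Web Client' `
    -SignInAudience 'AzureADMultipleOrgs' `
    -Web @{ RedirectUris = @($WebClientUrl) } `
    -IdentifierUris @($AppIdUri) `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $GraphAppId
            ResourceAccess = @(
                @{ Id = $UserRead;             Type = 'Scope' },
                @{ Id = $UserReadBasicAll;     Type = 'Scope' },
                @{ Id = $DirectoryReadAllRole; Type = 'Role'  }
            )
        }
    )

# Step 4/5: the client secret. SecretText is only returned by this call,
# so capture it now; 2 years matches the longest lifetime the post used.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Web Client'
    EndDateTime = (Get-Date).AddYears(2)
}

# Step 7: admin consent. The app needs a service principal in this tenant,
# then a grant for the delegated scopes and an app-role assignment for the
# application permission (Directory.Read.All has no signed-in user).
$sp    = New-MgServicePrincipal -AppId $app.AppId
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

New-MgOauth2PermissionGrant -BodyParameter @{
    ClientId    = $sp.Id
    ConsentType = 'AllPrincipals'          # consent on behalf of every user in the tenant
    ResourceId  = $graph.Id
    Scope       = 'User.Read User.ReadBasic.All'
} | Out-Null

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter @{
    PrincipalId = $sp.Id
    ResourceId  = $graph.Id
    AppRoleId   = $DirectoryReadAllRole
} | Out-Null

# What the Web Components installer will ask for (Authentication Type window).
# Treat the Application Key like a password: do not leave this output in a transcript.
[pscustomobject]@{
    'Client ID'            = $app.AppId
    'Application Key'      = $secret.SecretText
    'Azure AD Domain Name' = $AzureDomain
    'App ID URI'           = $AppIdUri
    'Secret expires'       = $secret.EndDateTime
}
```

Keep the ‘Secret expires’ date somewhere you will see it; re-running only the `Add-MgApplicationPassword` part of the script with the existing application ID is all that is needed to issue a replacement secret before the old one lapses.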
Dynamics GP Web Client Installation
When upgrading to Dynamics GP 2018 from an earlier version, or initializing a new instance, you will be presented with the Authentication Type window in GP Utilities when the system (e.g. DYNAMICS) database is upgraded/created.
You will want to set Authentication Type to Organization Account and specify the Azure AD Domain Name you created above, as well as the Web Components Server and Web Components Database you intend to use when you install the Web Components (this database will be called GPCONFIGURATION by default).
**NOTE: You can also reach this window by launching Dynamics GP Utilities, then from the Additional Tasks window, selecting the ‘Manage User Authentication’ and clicking Process.
Web Client Installation
During the Dynamics GP Web Components installation there are a few unique windows you will need to address if you’re using Organizational Accounts.
Authentication Type window
The Authentication Type window is displayed during the installation of the Web Client. It is used for entering information on the Azure Active Directory domain and the application that was created and configured above.
If you choose the Organizational Account Authentication Type, users will only be able to log in with Azure AD accounts. You can choose the Mixed Mode option if you are going to be deploying a multi-tenant Web Client environment where some tenants’ GP clients are set up to use Windows Accounts and other tenants sharing the same GP Web Client install have their clients set to Organizational Accounts.
For the Client ID, enter in the Application (Client) ID (e.g. 43353566-3291-48d3-8b55-363587892a27) from the app registration that was created in the previous section.
For the Application Key, enter the ‘Value’ copied previously from the Certificates & secrets section (e.g. 4667Q~tqFvSRbdI4yebNCcd42Cp3VY~y3nMfV) that was shown when the Client Secret was created above. (The example value here is only illustrative; never reuse a secret that has been published.)
For the Azure AD Domain Name, enter the name of the Azure AD domain. An example of this would be contoso.onmicrosoft.com.
For the App ID URI field, use the same Azure AD domain name in the Web Client URL, so that it looks like this: https://MyADDomainName.onmicrosoft.com/GP. This must match the Application ID URI set on the app registration exactly.
Click Next, and if everything is correct, the installation will continue.
Workflow System Access window
This window asks for the domain user or domain security group that runs the SQL Server (MSSQLSERVER) service for your Dynamics GP instance. This should typically be a domain account in order to accommodate Workflow and domain lookup functionality.
For the Windows User Group window, enter the domain user or group from the local (on-premises) domain, not the Azure AD domain, and click Next.
Runtime Process Account window
This window comes right after the Web Client security group window. Its purpose is to set the identity that will be used to start the runtime process when a user logs in with an Organizational Account, since that account will not have local rights on the Web Client server.
For this window, enter the domain, user and password for the account that will start the Runtime Process for Web Client users logging in with their Organizational Account. This account must be a member of your Web Client Users domain security group or it will not have rights to access the runtime endpoint URL.
***Please note that you will not see this window if you previously chose the multi-tenant installation option in the GP Web Components installation process. If you’re using Dynamics GP Web Client along with Tenant Services in a multi-tenant deployment, you’ll need to specify this Runtime Process Account in the tenant setting in Web Management Console’s Tenant Manager snap-in.
You will then need to add your onmicrosoft.com account(s) to the Tenant Users window in the new tenant you’ve created.
Enabling users
The Administrator of the Azure Active Directory needs to run through a process to allow the application to be registered in their Azure Active Directory so that Dynamics GP users can be assigned to it.
To facilitate this, a special URL is used. It is the same URL used to launch the Web Client, with an additional /Tenant appended. Here is an example:
https://Server.Domain.com:PortNumber/GP/Tenant
NOTE: You’ll want to use an Incognito/InPrivate browser window in order to receive the necessary login prompt on this page, so you can log in with your onmicrosoft.com account rather than being automatically signed into the site as the domain account you’re logged into the machine as.
***The Azure AD account you use here must hold the Global Administrator role in your Azure Active Directory; otherwise, it’ll prompt you to send a request to your admin for permissions.***
The following page is then displayed:
Click Sign Up and sign in as an Administrator of your Azure Active Directory; the Grant Access window will then appear. On this window, the only action is to review the information listed and click the Grant Access button.
Once granted, this step in the process is completed and you can click Sign In on the following window:
If you selected Mixed Mode during the Web Components Authentication Type you will see the following when you log in:
If your Dynamics GP client is setup for the Organizational Account Authentication Type you will want to select that option and enter your credentials from Azure AD when prompted.
Dynamics GP User Setup
The mapping of a GP user to an Organizational Account can only be done from within a Web Client session. When you access the Web Client for the first time, the following will be displayed:
You will have to use SQL authentication (e.g. the ‘sa’ account) for the first login, since no GP users have been associated with Organizational Accounts yet.
Once in Dynamics GP, use the User Setup window to map an Organizational Account to a Dynamics GP user, just as a Windows Account can be mapped to a Dynamics GP user.
After setting up this new user’s company access and security, you can log out of the Web Client and log back in again. You should be automatically logged in as that user.
New users can be added in the Office 365 Admin Portal and they will roll down to the Azure AD directory. They will then need to be tied to new users in Dynamics GP.
Once you've configured your users in Dynamics GP you can then proceed to assign those Azure Active Directory users as Workflow Managers and Workflow Approvers in the Workflow Maintenance window. The user lookup windows are now able to resolve AAD Organization Accounts as of the 2018 July hotfix for Dynamics GP 2018 and later.
Comments
This is a long awaited feature. We have been on the web client for a couple years now and unable to use the workflow features. Thanks much!!