The new CDS 2.0 in the April '18 Release (Part 3)

Introduction

In Part 1 of this series we have discussed the dramatic re-design of CDS 2.0 when compared to CDS 1.0.

In Part 2 we saw, with practical examples, the native link between CDS entities and Dynamics 365 CE entities and how any data modelling or data changes you do on one side is automatically available on the other without the need to configure any synchronizations.

In Part 3 I shall show the features around connections.

The Concept

Connections are the vital link between a Dynamics 365 FinOps environment and a CDS/CE environment and they also ensure security and authorisation principles are enforced end-to-end. Connections, as simple as they might appear to be, expose a very important concept that is to be understood by Data Integration architects. This concept is that the AzureAD user (and its associated tenant access and authorisations) that is selected while creating a connection to a Dynamics 365 FinOps environment or a Dynamics 365 CE environment is the user that will be used for the data plumbing you require and NOT the account you logged in to the PowerApps portal. The latter user account is, however, still important as it will manage the data integration projects, the scope of these projects and must have a PowerApps Plan 2 license in order to execute the integrations. This architecture is quite powerful as it gives you the possibilities to connect to multiple FinOps and CE tenants and manage the data-flows between them in a centralised manner from a single tenant. Of course, in many cases, the FinOps (ERP) and CE (CRM) instances will be on the same tenant as they belong to the same organization, but they don't have to! This might be tricky to understand the first time round but it make sense the more you think about it and it is quite powerful. I try to simplify the concept in the diagrams below.

The most common and simple scenario:

A more complex scenario:

Keep in mind that the second diagram is by no way implying that there is data flowing from Northwind Traders's data entities to Fabrikam's (or vice-versa). It is just showing that one tenant (Contoso) can be used to create and manage data flows between data stores on different tenants. Of course, you could still configure this to be the case if, for example, multiple companies within the group use different tenants for different implementations.

This model also enables CE multi-organization to FinOps multi-Legal Entity mapping scenarios which you might need (topic to be discussed in a future blog-post). Please also note that, at the time of writing, there is no way to import projects or project templates (you can export for GDPR purposes) so making user of this architecture across tenants can be quite powerful for some Partners and ISVs who want to manage various CDS work-loads across multiple tenants.

The Service Accounts

Keeping the above architecture in mind, In the most de-centralised scenario with one FinOps environment connected to one CE environment, you might have three accounts: the one with which you login to PowerApps, the one with which you connect to FinOps and the one with which you connect to CE. In most cases this would be one account. What is important to take note of is that it is more plausible to assign a service account to manage the Data Integrator Projects and to login to FinOps and CE rather than an account tied to a natural person. There are various reasons for this such as the fact that a natural user is usually forced to reset his/her password which might disrupt the integration and because, at the time of writing, projects and templates can either be private to a user or shared with the whole organization (it does not get more granular than that at the moment). This means that if a user manages multiple projects under his/her account in private mode and then leaves the company, you will have issues! On the other hand, if you share all the integration work with all users of the organization you might get unintended or malicious changes to these work-loads. 

My concluding suggestion about this topic would be to use service accounts which are shared only to a specific sub-set of people in the organization who are specifically working on data integration and to reset passwords manually on a periodic basis independently from the password-cycle process and account life-cycle of a specific real user.

Quick Walk-Through

Note: If you are trying any of the below or in future blog posts for the first time, I suggest you use demo tenants which are completely separate from the tent used officially by your business!

Step 1: Browse to https://web.powerapps.com. Login using the Office 365 account of your (demo) tenant. Ensure that this user has a PowerApps Plan 2 user license.

Step 2: Expand the Data tab and click on Connections

Step 3: Click new connection. You will be presented with a list of OOB connectors. Note that the connections are not for exclusive use of the CDS data integrator but can also be utiilised by MS Flow, PowerApps etc

Step 4: Use the Search bar to search for "Dynamics 365 for Operations" and ensure you login with a user who has SysAdmin rights to the Dynamics 365 FinOps instance you want to connect to. Note: At time of writing, Microsoft Dynamics 365 Business Central is not supported by the CDS Data Integrator Service but since the list also shows connections that can be utilised in MS Flow and PowerApps then it still appears in the lift.

Step 5: Click new connection again, this time to create a connection to Dynamics 365 CE. As pointed out in Step 3, the user you use to create the connection will determine what CE environment you will connect to and not the user you are logged in to the PowerApps Portal. 

Step 6: The two connections you created should have the status "connected". If this is the case, then you should be able to use them in the PowerApps admin portal: https://admin.powerapps.com as part of a connection set in the Data Integrator tab.  

Trouble-shooting connections

To ensure connections run smoothly ensure:

1. Data Integrator User has a PowerApps P2 license

2. FinOps connection user has, at least, the Data Management role access and access to the target/source entities

3. CE connection user has read/write access to the entities applicable to the synchronization scenario

4. CE is at least version 8.0

5. FinOps is at least PU12

6. Both FinOps and CE are in the cloud. At the moment you cannot make connections to on-prem environments so your Sandbox/Prod instances need to be OneBox/Multibox Azure-hosted environments. For FinOps Dev/Demo instances ensure the OneBox is hosted in Azure and not locally on your machine.

In this post we deep-dived into CDS connections. This makes integration scenarios from Microsoft Dynamics 365 for Finance and Operations (FinOps) and Customer Engagement (CE) flexible yet secure and in control. In the next blog post we shall dee-dive into more CDS features.

If you have any questions or comments about any of my posts or anything related to Microsoft Dynamics 365, do not hesitate to get in touch with me on mbonello@bluefort.com.mt