CrmServiceClient Connectionstring or certificate authentication security


I am writing a publicly available middleware web application to enable our application to communicate with Dynamics 365 to read and write data (i.e. Opportunities etc.)

Currently, I have implemented certificate-based authentication, where the certificate is stored within the Azure App Service, the certificate thumbprint is stored within the App Service's app settings, and the Dynamics 365 instance URL is provided via a JavaScript call to:

var globalContext = Xrm.Utility.getGlobalContext();
var url = globalContext.getClientUrl();

from some JavaScript in a Dynamics Web Resource that acts as an entry point to our application from within Dynamics (on a button click, the Web Resource code is executed, which then does a window.open to the URL of our application with some query string parameters generated by the Web Resource's JavaScript code).

I instantiate a new CrmServiceClient like this:

serviceClient = new CrmServiceClient(null, StoreName.My, KeyVaultConfig.CertificateThumbprint, new Uri(instanceUrl), true, null, KeyVaultConfig.RegisteredAppClientId, null, null);

The serviceClient.OrganizationServiceProxy is then cast as an IOrganizationService which is then used throughout the rest of the application to read and write data to Dynamics 365.

This all works fine, but I am very concerned about a security issue: if a hacker gets the URL to our application, with the appropriate query string parameters (i.e. the organisation's Dynamics 365 instance URL), they effectively have access to the Dynamics 365 instance via our application, because there are no other authentication checks carried out.

In other CRM integrations (i.e. Salesforce.com) we use the current SessionId of the user to pass to our application which has an expiry period, meaning if a hacker managed to get the URL, their access would expire soon after. This is not the case with Dynamics 365.

Does anyone have any suggestions I can implement to make this more secure? I don't want to add an additional username/password prompt screen to the application every time it is accessed from within Dynamics 365, as this will put people off using it.

  • RE: CrmServiceClient Connectionstring or certificate authentication security

    One question that I have is how you will provide access to your customer?

    May be this will help you:  docs.microsoft.com/.../conditional-access

    If authentication happens for a B2B guest user when they request access to a resource, the resource redirects the user to its resource tenant, a trusted IdP.

    It is important to understand the goal to provide more guidance.

  • Mike Sowerbutts
    RE: CrmServiceClient Connectionstring or certificate authentication security

    Hey, thanks. But can this be applied across different Active Directories?

    I.e. the App Registration is accessible outside my company's AD. We sell licences to customers who have their own AD, etc.

    What you're suggesting looks good, but I guess it's only possible to manage within our own AD?

  • Suggested answer
    RE: CrmServiceClient Connectionstring or certificate authentication security

    Hello Mike,

    You should add some additional Conditional Access to the service for the group of users that will connect to the application:

    - Create a Conditional Access policy to block access to the Common Data Service.
    - It should be assigned to a group of users: docs.microsoft.com/.../concept-conditional-access-users-groups
    - In cloud apps, select Common Data Service (this is the main resource for Dynamics apps): docs.microsoft.com/.../concept-conditional-access-cloud-apps
    - Set the application to Block access: docs.microsoft.com/.../howto-conditional-access-policy-block-access

    This configuration will block the access of the group of users that are trying to access Common Data Service.
