post-installation-configuration-guidelines-dynamics-365.md
---
title: "Post-installation and configuration guidelines for Dynamics 365 Customer Engagement (on-premises) | Microsoft Docs"
description: "Understand the configuration needed after you install Dynamics 365 Customer Engagement (on-premises)"
ms.custom: 
ms.date: 11/28/2023
ms.reviewer: 
ms.suite: 
ms.tgt_pltfrm: 
ms.topic: article
applies_to: Dynamics 365 (on-premises)
ms.assetid: 6f6a7fc0-f9cf-4602-bd6c-4b4924185644
caps.latest.revision: 61
author: Mattp123
ms.author: matp
---

Post-installation and configuration guidelines for Microsoft Dynamics 365

This section describes several of the tasks that the [!INCLUDEpn_microsoftcrm] administrator should consider after the [!INCLUDEpn_microsoftcrm_server] application is installed. This section isn’t meant to be an exhaustive resource used to configure deployments. Instead, use this section as a guideline to determine what best practices to implement and features to configure, based on your organization's needs.

Copy your organization encryption key

All new and upgraded organizations use data encryption that uses an encryption key to secure data such as user passwords for email mailboxes and [!INCLUDEpn_yammer] accounts. This encryption key may be required to use [!INCLUDEpn_microsoftcrm] after a redeployment or failure recovery. We strongly recommend that you make a copy of the encryption key and save it to a secure location. [!INCLUDEproc_more_information]Copy your organization data encryption key

Make Dynamics 365 client-to-server network communications more secure

With any network design, it is important to consider the security of your organization's client-to-server communications. When making necessary decisions that can help protect data, we recommend that you understand the following information about [!INCLUDEpn_microsoftcrm] network communication and about the technology options that are available that provide more secure data transmissions.

If you installed [!INCLUDEpn_microsoftcrm] or upgraded a [!INCLUDEpn_microsoftcrm_server] that isn’t already configured for HTTPS, [!INCLUDEpn_microsoftcrm] client-to-server communications are not encrypted. When using a website that supports only HTTP, information from [!INCLUDEpn_crm_shortest] clients is transmitted in clear text and, therefore, possibly vulnerable to malicious intent, such as "man-in-the-middle" type attacks that could compromise content by adding scripts to perform harmful actions.

Configuring Dynamics 365 for HTTPS

Configuring a site for HTTPS will cause a disruption in the [!INCLUDEpn_microsoftcrm] application so plan the configuration when there will be minimal disruption to users. The high-level steps for configuring [!INCLUDEpn_microsoftcrm] for HTTPS are as follows:

  1. In [!INCLUDEpn_Deployment_Manager_long], disable the server where the [!INCLUDEpn_Web_Application_Server], [!INCLUDEpn_Organization_Web_Service], [!INCLUDEpn_Discovery_Web_Service], and [!INCLUDEpn_Deployment_Web_Service] roles are running. If this is a Full Server deployment, all server roles are running on the same computer. For information about how to disable a server, see [!INCLUDEpn_microsoftcrm][!INCLUDEpn_Deployment_Manager_Help].

  2. Configure the website where the [!INCLUDEpn_Web_Application_Server] role is installed to use HTTPS. For more information about how to do this, see Internet Information Services (IIS) Help.

  3. Set the binding in [!INCLUDEpn_deploymentmanager]. This is done on the Web Address tab of the Properties page for the deployment. For more information about how to change the bindings, see Microsoft Dynamics 365 deployment properties.

  4. If you want to make other [!INCLUDEpn_crm_shortest] services more secure and [!INCLUDEpn_microsoftcrm] is installed by using separate server roles, repeat the previous steps for the additional server roles.

Configure a Dynamics 365 Internet-facing deployment

After all [!INCLUDEpn_microsoftcrm_server] roles are installed, you can configure the deployment so that remote users can connect to the application through the Internet. To do this, start [!INCLUDEcc_Rule_Deployment_manager_short] and complete the [!INCLUDEpn_Configure_Claims-based_Wizard] followed by the [!INCLUDEpn_Internet_Facing_Deployment_Configuration_Wizard]. Alternatively, you can complete these tasks using [!INCLUDEpn_PowerShell]. More information: Overview of Dynamics 365 Customer Engagement (on-premises) PowerShell

Important

For [!INCLUDEpn_moca_full] to successfully connect to a new deployment of [!INCLUDEpn_microsoftcrm_server], you must run a Repair of the [!INCLUDEpn_microsoftcrm_server] application on the server running [!INCLUDEpn_iis] where the [!INCLUDEpn_Web_Application_Server] role is installed after the [!INCLUDEpn_Internet_Facing_Deployment_Configuration_Wizard] is successfully completed.

Add or remove sample data

Sample data is available to help you become familiar with how [!INCLUDEpn_microsoftcrm] works. By using sample data, you can work with records, see how they relate to each other, see how data displays in charts, and see what information is in reports.

Sample data can be added or removed from within the [!INCLUDEpn_crm_shortest] application. [!INCLUDEproc_more_information]Add or remove sample data

Complete the configuration tasks for new organizations

After you've completed installing [!INCLUDEpn_microsoftcrm], but before the business users in your organization start using it, there are some basic tasks that you, as the [!INCLUDEpn_crm_shortest] administrator, should complete. These tasks include defining business units and security roles, adding users, and importing data.

[!INCLUDEproc_more_information] Set up a Dynamics 365 organization

Import apps and solutions

Sales and Field Service apps are available to you. More information: Available apps for Dynamics 365 Customer Engagement (on-premises)

Use solutions to extend functionality and the user interface. Customizers and developers distribute their work as solutions. Organizations use [!INCLUDEpn_microsoftcrm] to import the solution. Find a solution in the Microsoft AppSource.

Important

Importing a solution or publishing customizations can interfere with normal system operation. We recommend that you schedule solution imports when it’s least disruptive to users.

For more information about how to import a solution, see Import, update, and export a solution.

Configure Windows Server for Dynamics 365 Customer Engagement (on-premises) applications that use OAuth

The following information describes how to configure Windows Server with AD FS to support [!INCLUDEpn_crm_shortest] applications such as [!INCLUDEpn_Mobile_Express_short], [!INCLUDEpn_moca_full], [!INCLUDEpn_crm_for_outlook_short], [!INCLUDEpn_netbreeze_long], or other [!INCLUDEpn_dynamics_crm] applications that need OAuth support.

Enable forms authentication

By default, forms authentication is disabled in the intranet zone. You must enable forms authentication by following these steps:

  1. Log on to the [!INCLUDEpn_adfs_short] server as an administrator.

  2. Open the ADFS management wizard.

  3. Select Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.

  4. Select (check) Form Based Authentication on the Intranet tab.

Configure the OAuth provider

Follow these steps to configure the OAuth provider in [!INCLUDEpn_microsoftcrm]:

  1. Log on to the [!INCLUDEpn_microsoftcrm] server as an administrator.

  2. Add the [!INCLUDEpn_crm_shortest][!INCLUDEpn_PowerShell] snap-in (Microsoft.Crm.PowerShell.dll). [!INCLUDEproc_more_information] Administer the deployment using Windows PowerShell

    Add-PSSnapin Microsoft.Crm.PowerShell  
  3. Enter the following [!INCLUDEpn_PowerShell] commands.

    $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings  
    $ClaimsSettings.Enabled = $true  
    Set-CrmSetting -Setting $ClaimsSettings  
    

Register the client apps

The client apps must be registered with [!INCLUDEpn_adfs_short].

  1. Log on to the [!INCLUDEpn_adfs_short] server as administrator.

  2. In a [!INCLUDEpn_PowerShell_short] window, execute the following commands to register each application that is applicable to your deployment.

    [!INCLUDEpn_crm_2016_shortest] mobile apps for [!INCLUDEtn_Apple_iphone], [!INCLUDEtn_android], and [!INCLUDEpn_ms_Windows_short].

    Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d -Name "Microsoft Dynamics CRM for tablets and phones" -RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/, ms-app://s-1-15-2-3389625500-1882683294-3356428533-41441597-3367762655-213450099-2845559172/, ms-auth-dynamicsxrm://com.microsoft.dynamics,ms-auth-dynamicsxrm://com.microsoft.dynamics.iphone.moca,ms-auth-dynamicsxrm://com.microsoft.dynamics.ipad.good,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.iphone.moca,msauth://code/ms-auth-dynamicsxrm%3A%2F%2Fcom.microsoft.dynamics.ipad.good,msauth://com.microsoft.crm.crmtablet/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D,msauth://com.microsoft.crm.crmphone/v%2BXU%2FN%2FCMC1uRVXXA5ol43%2BT75s%3D, urn:ietf:wg:oauth:2.0:oob  

    [!INCLUDEpn_crm_2016_outlook_shortest].

    Add-AdfsClient -ClientId  2f29638c-34d4-4cf2-a16a-7caf612cee15  -Name "Dynamics CRM Outlook Client" -RedirectUri app://6BC88131-F2F5-4C86-90E1-3B710C5E308C/  

    [!INCLUDEpn_unified_service_desk] client.

    Add-AdfsClient -ClientId  4906f920-9f94-4f14-98aa-8456dd5f78a8  -Name "Dynamics 365 Unified Service Desk" -RedirectUri app://41889de4-3fe1-41ab-bcff-d6f0a6900264/  

    [!INCLUDEpn_microsoftcrm] developer tools.

    Add-AdfsClient -ClientId  2ad88395-b77d-4561-9441-d0e40824f9bc  -Name "Dynamics 365 Development Tools" -RedirectUri app://5d3e90d6-aa8e-48a8-8f2c-58b45cc67315/  
  3. To register the [!INCLUDEpn_crm_app_for_outlook_short], in [!INCLUDEpn_crm_op_edition], go to Settings > Dynamics 365 App for Outlook and register the app there.
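The `Add-AdfsClient` commands above register fixed client IDs with fixed redirect URIs. Because a redirect URI that isn't on that list would let a token be delivered somewhere you didn't intend, it is worth reading the registrations back and comparing them with what you expect. The following script is an added example and not part of the original article; it uses the three single-URI client registrations from the commands above (the tablet and phone app, with its long URI list, is omitted for brevity but can be added to `$expected` in the same way). `Get-AdfsClient` and the `RedirectUri` property are from the AD FS PowerShell module.

```powershell
# Added example (not from the original article): compare the AD FS client registrations
# with the client IDs and redirect URIs from the Add-AdfsClient commands above and flag
# anything extra or missing. Fill $expected with the apps you actually registered.
$expected = @{
    '2f29638c-34d4-4cf2-a16a-7caf612cee15' = @('app://6BC88131-F2F5-4C86-90E1-3B710C5E308C/')  # Dynamics CRM Outlook Client
    '4906f920-9f94-4f14-98aa-8456dd5f78a8' = @('app://41889de4-3fe1-41ab-bcff-d6f0a6900264/')  # Dynamics 365 Unified Service Desk
    '2ad88395-b77d-4561-9441-d0e40824f9bc' = @('app://5d3e90d6-aa8e-48a8-8f2c-58b45cc67315/')  # Dynamics 365 Development Tools
}

$issues = @()
foreach ($clientId in $expected.Keys) {
    $client = Get-AdfsClient -ClientId $clientId -ErrorAction SilentlyContinue
    if (-not $client) { $issues += "Client $clientId is not registered."; continue }

    $registered = @($client.RedirectUri)
    $extra      = $registered | Where-Object { $_ -notin $expected[$clientId] }
    $missing    = $expected[$clientId] | Where-Object { $_ -notin $registered }
    if ($extra)   { $issues += "$($client.Name): unexpected redirect URI(s): $($extra -join ', ')" }
    if ($missing) { $issues += "$($client.Name): missing redirect URI(s): $($missing -join ', ')" }
}

# Any client registered in AD FS that is not on the expected list deserves a look as well.
Get-AdfsClient | Where-Object { $_.ClientId -notin $expected.Keys } | ForEach-Object {
    $issues += "Unlisted AD FS client: $($_.Name) ($($_.ClientId))"
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'AD FS client registrations match the expected list.'
}
```

Run it on the AD FS server after step 2. The "unlisted client" check is intentionally broad: AD FS ships with a few built-in clients, so add those to `$expected` once you have confirmed them rather than suppressing the check.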

Required steps after enabling OAuth for Dynamics 365 Server

When OAuth is enabled, and you have registered your applications, it's required to complete the following steps:

Remove site authentication providers

  1. On the Dynamics 365 Server where the web application server role is running, open Internet Information Services (IIS) Manager.

  2. In the left pane, under the organization name, expand Sites, and then select Microsoft Dynamics CRM.

  3. Double-click Authentication in the middle pane.

  4. Right-click Windows Authentication, and select Providers. For each provider in the list, select the provider, select Remove, and then select OK.

  5. After all providers are removed, right-click Windows Authentication, and then select Disable.

    Image: Remove site provider.

  6. Repeat the previous steps to remove all Windows Authentication providers from the nga and AppWebServices site folders.
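Both the HTTPS configuration earlier in this article and the provider-removal steps above are done in the IIS user interface, so nothing on the page confirms the end state. The following script is an added example, not part of the original article: it reads the IIS configuration back and warns about any non-HTTPS binding on the Dynamics 365 site and about Windows Authentication that is still enabled, or still has providers, on the site root and on the nga and AppWebServices folders. It uses the WebAdministration module; the site and folder names are the ones this article uses.

```powershell
# Added example (not from the original article): verify the IIS side of the HTTPS and
# OAuth configuration. Site and folder names are the ones the article uses.
Import-Module WebAdministration

$siteName   = 'Microsoft Dynamics CRM'
$subFolders = @('nga', 'AppWebServices')   # folders named in the provider-removal steps above
$findings   = @()

# 1. Bindings: every binding on the Dynamics 365 site should use https.
$bindings = Get-WebBinding -Name $siteName
if (-not $bindings) { $findings += "Site '$siteName' not found or has no bindings." }
foreach ($b in $bindings) {
    if ($b.protocol -ne 'https') {
        $findings += "Non-HTTPS binding found: $($b.protocol) $($b.bindingInformation)"
    }
}

# 2. Windows Authentication: disabled and without providers on the site root and the sub-folders.
$authFilter = '/system.webServer/security/authentication/windowsAuthentication'
$paths = @($siteName) + ($subFolders | ForEach-Object { "$siteName\$_" })
foreach ($path in $paths) {
    $psPath = "IIS:\Sites\$path"
    if (-not (Test-Path $psPath)) { $findings += "Path not found: $psPath"; continue }

    $enabled = (Get-WebConfigurationProperty -Filter $authFilter -Name enabled -PSPath $psPath).Value
    if ($enabled) { $findings += "Windows Authentication is still enabled at ${psPath}" }

    $providers = Get-WebConfigurationProperty -Filter "$authFilter/providers" -Name Collection -PSPath $psPath
    if ($providers) {
        $findings += "Windows Authentication providers remain at ${psPath}: $(@($providers.value) -join ', ')"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'HTTPS bindings and Windows Authentication settings look as expected.'
}
```

Run it in an elevated Windows PowerShell session on the server that holds the Web Application Server role. A finding for a sub-folder that inherits its settings from the site is still a real finding: IIS evaluates the effective configuration at that path, which is what the script reads.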

Add the AD FS address to the client local intranet zone to avoid client authentication prompts

  1. On the client computer, select Start, enter inetcpl.cpl, and select Enter to open Internet Properties.
  2. Select the Security tab, select the Local intranet zone, select Sites, and then select Advanced.
  3. Enter in the AD FS address, select Add, select Close, select OK, and then select OK again.

Grant application permission

On the AD FS server, run the following command in a Windows PowerShell console. This is required if you use Windows Server 2016 AD FS or later versions.

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "<client_id/org_id>" -ServerRoleIdentifier "<org_auth_url>"

Important

Make sure org_auth_url is a complete and accurate URL. Also, you must include the trailing forward slash (/).
For example:

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.contoso.com:444/

To display the authentication URL, run this PowerShell command:

    Get-AdfsRelyingPartyTrust
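The note above makes two requirements of the grant: the server role identifier must be the complete authentication URL, and it must end with a forward slash. The following script is an added example, not part of the original article: it reads the identifier from the Dynamics 365 relying party trust instead of retyping it, enforces both requirements, checks whether the permission already exists, and only then grants it. The client role identifier is the article's placeholder and the `auth.contoso.com` host name is an assumption taken from the article's example; `Get-AdfsApplicationPermission` is used for the existence check.

```powershell
# Added example (not from the original article): grant the AD FS application permission
# after validating the identifier. Replace the placeholder client ID with your own and
# set $authHost to the host name of your Dynamics 365 authentication endpoint.
$clientRoleId = '<client_id/org_id>'     # placeholder from the article; use your client/org ID
$authHost     = 'auth.contoso.com'       # assumption: host of the org authentication URL

# Find the relying party trust whose identifier points at the authentication URL.
$trust = Get-AdfsRelyingPartyTrust |
    Where-Object { @($_.Identifier) -like "https://$authHost*" } |
    Select-Object -First 1
if (-not $trust) {
    throw "No relying party trust found for $authHost. Run Get-AdfsRelyingPartyTrust and check the Identifier values."
}

$orgAuthUrl = @($trust.Identifier) | Where-Object { $_ -like "https://$authHost*" } | Select-Object -First 1

# The note above requires a complete URL with a trailing slash.
if (-not $orgAuthUrl.EndsWith('/')) { $orgAuthUrl += '/' }
$parsed = $orgAuthUrl -as [uri]
if (-not $parsed -or $parsed.Scheme -ne 'https' -or $parsed.AbsolutePath -ne '/') {
    throw "Identifier '$orgAuthUrl' is not a plain https URL ending in '/'; fix the relying party trust first."
}

# Granting twice is an error, so check for an existing permission first.
$existing = Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientRoleId `
                                          -ServerRoleIdentifiers $orgAuthUrl -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Permission already granted: $clientRoleId -> $orgAuthUrl"
} else {
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientRoleId -ServerRoleIdentifier $orgAuthUrl
    Write-Host "Granted: $clientRoleId -> $orgAuthUrl"
}
```

The `AbsolutePath -ne '/'` check is deliberately strict: an identifier with a path component would not match the URL form the article shows (`https://auth.contoso.com:444/`), so the script stops rather than granting against the wrong identifier.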

Restart AD FS

On the AD FS server, run the following PowerShell commands to force AD FS to restart.

    net stop adfssrv
    net start adfssrv

Enable Device Registration Service (DRS) on the federation server

To make sure that devices can connect to your deployment, follow the instructions in this topic: Configure a federation server with Device Registration Service.

Request custom certificates using the Certificates MMC snap-in

This section explains how to generate a custom certificate signing request (CSR) that can be used to obtain an SSL certificate for Microsoft Dynamics 365 Customer Engagement on-premises.

Important

For claim-based authentication and the internet-facing deployment to work, it's mandatory that the steps below are completed.

  1. Sign in to any Windows computer with an account that is a member of the local Administrators group.
  2. Select Start, type mmc.exe, and then press ENTER.
  3. Select File on the command bar, and then select Add/Remove Snap-in.
  4. In the list of available snap-ins, select Certificates, and then select Add.
  5. Select Computer account, and then select Next.
  6. Select Local computer, select Finish, and then select OK.

With the Certificates snap-in for the local computer store open, create a custom certificate request.

  1. In the MMC console tree, expand Certificates (Local Computer).

  2. Right-click Personal, point to All Tasks, point to Advanced Operations, and then select Create Custom Request.

  3. The Certificate Enrollment wizard opens. Select Next.

  4. On the Select Certificate Enrollment Policy page select Proceed without enrollment policy under Custom Request, and then select Next.

  5. On the Custom Request page next to the Template options select (No template) Legacy key and select the PKCS #10 request format option, and then select Next. :::image type="content" source="media/cert-custom-request.png" alt-text="Select options to create the custom certificate request":::

    > [!IMPORTANT]
    > CNG certificates aren't supported.

  6. On the Certificate Information page expand Details, and then select Properties. :::image type="content" source="media/cert-properties.png" alt-text="Certificate properties":::

  7. On the General tab, enter the Friendly name (display name), and then select Apply.

  8. Select the Subject tab, and add the relevant subject names and alternative names for the certificate. Some public certificate authorities require various subject values. More information: Certificate subject and alternative names examples

  9. After you've added all relevant values select Apply.

  10. Select the Extensions tab.

    1. Expand Key Usage and then Add Data encipherment, Digital signature, and Key encipherment as the Selected options.
    2. Expand Extended Key Usage (application policies) and then Add Server Authentication and Client Authentication as the Selected options.
    3. Select Apply.
  11. Select the Private Key tab.

    1. Expand Cryptographic Service Provider and then select Microsoft RSA SChannel Cryptographic Provider (Encryption).
    2. Expand Key options then set Key size to 2048 (or higher) and select the Make private key exportable option.
    3. Expand Key type and then select Exchange.
    4. Select Apply. :::image type="content" source="media/cert-properties2.png" alt-text="Certificate properties for key type":::
  12. Review all tabs to make sure all required options are selected or entered. After verification select OK.

  13. The Certificate Enrollment page is displayed. Select Next.

  14. On the Where do you want to save the offline request page, enter the full path to save the request file and ensure that File format is set to Base 64. Select Finish.

You now have a CSR in Base 64 format, which you can forward to an external or internal certificate authority for signing.
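The wizard steps above map onto a certreq.exe request file, which is easier to review and repeat than a sequence of dialog boxes. The following script is an added example and not part of the original article: it writes an .inf file that encodes the same choices (legacy CSP rather than CNG, RSA 2048 exchange key, exportable, Data encipherment + Digital signature + Key encipherment, Server and Client Authentication EKUs, Base 64 PKCS #10 output) and generates the request. The subject and alternative names are the article's fictional Contoso values; the file paths are assumptions.

```powershell
# Added example (not from the original article): build the custom request with certreq.exe.
# Subject and SAN values are the article's Contoso examples; adjust them for your domain.
$infPath = "$env:TEMP\dynamics365.inf"
$csrPath = "$env:TEMP\dynamics365.csr"

@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*.contoso.com, OU=IT, O=Contoso Ltd, L=Munich, S=Bavaria, C=DE"
RequestType = PKCS10
; Legacy cryptographic service provider, not CNG (CNG certificates aren't supported)
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type
KeySpec = 1
KeyLength = 2048
; "Make private key exportable"
Exportable = TRUE
; Key pair goes into the Local Computer store
MachineKeySet = TRUE
HashAlgorithm = sha256
; Key usage: Digital signature (0x80) + Key encipherment (0x20) + Data encipherment (0x10)
KeyUsage = 0xB0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject alternative names (DNS entries)
2.5.29.17 = "{text}"
_continue_ = "dns=*.contoso.com&"
_continue_ = "dns=auth.contoso.com&"
_continue_ = "dns=adfs.contoso.com&"
_continue_ = "dns=internalcrm.contoso.com&"
'@ | Set-Content -Path $infPath -Encoding ASCII

# Generates the key pair in the local computer store and writes a Base 64 PKCS #10 request.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and show the fields worth checking before it goes to the CA.
certutil.exe -dump $csrPath |
    Select-String -Pattern 'Subject:', 'Public Key Length', 'Key Usage', 'Enhanced Key Usage', 'Alternative Name'
```

Run it in an elevated Windows PowerShell session on the machine that will later import the signed certificate. The private key is generated into the local computer store by `certreq -new`, so, exactly as with the wizard, the .csr file you send to the certificate authority contains only the public key and the requested attributes.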

Important

The request file doesn't include the private key, which stays on the computer where you created the request. This avoids any compromise of the private key when transferring the request to a certificate authority.

Your certificate authority returns a signed version of the certificate. You must import the certificate you receive on the same machine where you created the certificate request, because that machine holds the matching private key.

Import and then export the received certificate

Import the certificate into the local certificate store (Personal) and the request will automatically be completed. Doing so merges the private and public key. From the Certificates MMC snap-in right-click the Certificates folder in the Personal folder, point to All Tasks, and then select Import. Browse to and select the certificate and follow the steps in the Certificate Import Wizard to import it.

Finally, you export the certificate.

  1. In the Certificates MMC snap-in, right-click the certificate, point to All Tasks, and then select Export.
  2. On the Certificate Export Wizard select Next, and then select Yes, export the private key. Select Next.
  3. On the Export File Format page, leave all the default settings, and then select Next. :::image type="content" source="media/cert-export-format.png" alt-text="Certificate export format":::
  4. On the Security page select Password.
    1. Enter a password that protects the private key in the exported file. Save that password in a secure place.
    2. Select Encryption as AES256-SHA256.
    3. Select Next.
  5. Enter the path where you want to save the certificate; it's saved in PFX format.
  6. Select Next and then select Finish.

Now you can use the PFX certificate for Dynamics 365 Customer Engagement (on-premises) and other applications such as AD FS as well.
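The import and export above can also be scripted, which makes it easy to confirm the one property the article insists on, a legacy CSP rather than a CNG key, before the PFX is produced. The following script is an added example and not part of the original article: it completes the pending request with `certreq -accept`, locates the resulting certificate, checks which provider holds its private key, and exports it with the private key under AES256-SHA256 protection using `Export-PfxCertificate`. It assumes a PKI module version that supports `-CryptoAlgorithmOption`, assumes that `PrivateKey.CspKeyContainerInfo` is only populated for legacy CSP keys (CNG keys return nothing or throw), and uses assumed file paths and the article's wildcard subject.

```powershell
# Added example (not from the original article): accept the signed certificate on the machine
# that created the request, verify the private key provider, and export a protected PFX.
$signedCert = "$env:TEMP\dynamics365-signed.cer"   # assumption: the file returned by the CA
$pfxPath    = "$env:TEMP\dynamics365.pfx"
$expectedCsp = 'Microsoft RSA SChannel Cryptographic Provider'

# Completes the pending request in the local computer store, pairing the certificate
# with the private key that certreq -new (or the MMC wizard) generated there.
certreq.exe -accept -machine $signedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Pick the newest certificate for the wildcard subject that has a private key attached.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key was found after accepting the request.' }

# Legacy CSP keys expose CspKeyContainerInfo; CNG keys do not (assumption noted in the lead-in).
$providerName = try { $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $null }
if ($providerName -ne $expectedCsp) {
    Write-Warning "Private key provider is '$providerName', expected '$expectedCsp'. Re-import the PFX with certutil -csp (see the note that follows in the article)."
}

# Export with the private key, protected by a password and AES256-SHA256 encryption.
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -CryptoAlgorithmOption AES256_SHA256 | Out-Null
Write-Host "Exported certificate $($cert.Thumbprint) to $pfxPath"
```

Run it in an elevated Windows PowerShell session. The provider check is only a warning because the certificate itself is valid either way; what changes is whether Dynamics 365 and AD FS can use the key, which is the situation the next note addresses.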

Important

If your certificate authority doesn't accept legacy type certificate requests, make sure the request matches all the requirements above except the Cryptographic Service Provider (CSP). You can then run the following Certutil.exe command in an elevated command shell to reimport the exported PFX with the required provider.

    certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx <drive><name of cert>.pfx AT_KEYEXCHANGE

Certificate subject and alternative names examples

Subject name examples.

| Type | Value entered | Subject name |
|---|---|---|
| Country | DE | C=DE |
| Locality | Munich | L=Munich |
| Organization | Contoso Ltd | O=Contoso Ltd |
| Organizational unit | IT | OU=IT |
| State | Bavaria | S=Bavaria |
| Common name | *.contoso.com¹ | CN=*.contoso.com¹ |

¹ Uses a wildcard. A wildcard certificate is recommended because it covers all DNS values created for the domain.

:::image type="content" source="media/cert-subject-names.png" alt-text="Certificate subject name examples":::

For the subject alternative names (SAN), make sure you cover all the DNS values you require. For example, alternative name DNS type values for the fictional company named Contoso might be: auth.contoso.com, dev.contoso.com, internalcrm.contoso.com, adfs.contoso.com, crmorg1.contoso.com, crmorg2.contoso.com, and so on.

:::image type="content" source="media/cert-alt-names.png" alt-text="Certificate subject alternative name examples":::

Configure databases for SQL Server AlwaysOn

Although the article referenced below applies to an earlier version of Dynamics 365 Customer Engagement (on-premises), you can use similar steps to configure the Dynamics 365 Customer Engagement (on-premises), version 9 organization and configuration databases for SQL Server AlwaysOn.

Important

The final tasks under step 4 of the article linked below, which describe how to create the MSCRMSqlClrLogin SQL login under "Create the SQL logins for the Microsoft Dynamics 365 security groups on all secondary replicas", are not applicable to this version and should be ignored when configuring Dynamics 365 Customer Engagement (on-premises), version 9 databases to use SQL Server AlwaysOn.
The MSCRMSqlClrLogin SQL login, the asymmetric key for it, and Microsoft.Crm.SqlClr.Helper.dll aren't required with Dynamics 365 Customer Engagement (on-premises), version 9.

More information: Set configuration and organization databases for SQL Server AlwaysOn failover

User training and adoption

[!INCLUDEproc_more_information] Training and Adoption Kit for Microsoft Dynamics 365

See also

Installing on-premises Dynamics 365
Operating Microsoft Dynamics 365

[!INCLUDEfooter-include]