As I revise for the MB2-715 exam (Microsoft Dynamics 365 Customer Engagement Online Deployment) I am creating blog posts detailing all aspects of my revision. I hope these posts will aid anyone who is also revising for this exam. In this post I will review managing users.
I often like to consider the skills measured statements before I consider each topic. If you read all the MB2-715 skills measured statements you will only find the term “user” included once! It is shown below. But even so, the management of users remains an important topic.
Adding Users to Office 365
Dynamics 365 users are added and managed in Office 365, although security roles and some additional information are added from the Dynamics 365 web interface.
To add a new user, go to Office 365 admin where you can create accounts and assign a Dynamics 365 license.
Below you can see that after clicking add user a dialog opens that lets me enter their name and give them a user name.
Next you can optionally add contact information. In a test environment you may commonly skip this stage but often in a production environment this information has significance. For example, if you are using the Field Service module then the address entered here can be used when routing the user to a job. It is important to know that this information can only be amended in Office 365. In the user administration in Dynamics 365 these details will be read-only.
When a user is first created you have several options regarding passwords, including an auto-generate option. You can also decide if the user must change the password when they first log in.
It is also possible to allocate a password to a user and force them to change it when they first log in.
Next we assign a role to the user. This role should not be confused with the Dynamics 365 security role that we will discuss in a second! This is their role with Office 365; from a Dynamics 365 point of view most people will have a role of “user”. When your Dynamics 365 instance is created the Office 365 Global administrator will be assigned the system administrator role in Dynamics 365. You may need to assign additional Dynamics 365 administrators, and if you need them to also administer users then you would also set them as a global administrator.
Note: It is possible for a Dynamics 365 user to be a system administrator without being a global admin in Office 365. If you do this you should be aware that whilst they can administer Dynamics 365 they cannot maintain users. This includes not being able to test and approve mailboxes in CRM.
You may wish to grant specific administrator privileges without granting full Global Administrator access. To do this select the “Customized administrator” option. You will then be allowed to select one or more administration roles, such as “Password administrator”, “Billing administrator” etc.
Next we assign one or more product licenses to the user. And when assigning the Dynamics 365 license you may have some options connected with add-on products. Notice that you could also create the user without assigning a license.
Having entered all of the details we click add. After a short pause the user will become available in Dynamics 365. Notice that after creating the user we can opt to send them a notification email if required.
Maintaining any of the details regarding the user is done from the “edit a user” option. A list of users will be presented and when you have selected the required user you can edit the settings as shown above. The layout differs slightly from the screens used when adding a user but essentially the options are the same.
Assign Security Roles in Dynamics 365
Having added the user to Office 365 and assigned a license they will exist in Dynamics 365. BUT at this stage they will not yet be able to access Dynamics 365. This is because they need to be assigned a security role in Dynamics 365. All users will be created without a role in this way, with the exception of your Global Admin when the Dynamics 365 instance is first created, as they will be granted the System Administrator role in Dynamics 365 by default.
To assign a role in Dynamics 365 you load Dynamics 365 (as a Dynamics 365 system administrator), go to settings and select the security option.
We can then select the “Users” option to administer any additional options and assign a security group.
If your new user doesn’t exist when you first go into this option, give it a few seconds and click refresh. Users normally appear in Dynamics 365 quickly but not instantly after they have been added in Office 365!
The user record in Dynamics 365 will look like this. Notice that several fields are read-only. These are details that you defined in Office 365, and you will need to change their values there. But other fields are specific to Dynamics 365; for example you can define a site, territory and manager. Plus, importantly, you can set a user’s business unit. The business unit will have defaulted to your root business unit, but if you have multiple business units defined your first task might be to assign the user to the correct one. (FYI: Business units are significant as, combined with the Dynamics 365 security role(s), they govern what records a user can see / maintain.)
We can now use the manage roles option to allow the addition of one or more security roles to the user. Once completed the user will be able to access Dynamics 365.
Enable / Disable Users
In Dynamics 365 on premise, enabling and disabling users is performed in the web application. But with Dynamics 365 online we use the Office 365 admin portal.
When the user was created in Office 365 we assigned a Dynamics 365 license to the user. To disable the user, all we do is remove the license from the user in Office 365.
After a short pause the user will become disabled in Dynamics 365, meaning they can no longer log into Dynamics 365. At this point it is worth considering what will happen to any records owned by the user! Well, these records will still show as being assigned to the disabled user, meaning they will need to be reassigned to a new user (if required).
You can re-enable a user. When re-enabled they will have the same security role as previously assigned.
It is important to know that users are not and cannot be deleted from Dynamics 365. There is an option to delete a user in Office 365 but this will not delete the user in Dynamics 365!
Non-interactive users are a “special” type of user that does not interact with Dynamics 365 via any of the Dynamics 365 clients. These are useful for programmatic access, maybe for integration with an ERP system (such as Dynamics GP, NAV or AX).
You can have a maximum of 5 non-interactive users.
Non-interactive users do not consume a license.
We change a user to be a non-interactive user within Dynamics 365: select the user and in the admin section change their access mode to “Non-interactive”. Other options include “Read-Write” (default) and “Administrative”.
NOTE: To set up a non-interactive user, you first create a user with a license. Then edit their access mode to be non-interactive. Then return to Office 365 and remove the license as it is no longer required.
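The rules in the sections above (a license and a security role are both needed for access, removing the license disables the user but leaves their records in place, and non-interactive accounts are capped at five and need no license) can be checked periodically. The Python below is an added example, not part of the original post; it audits a merged export of the Office 365 and Dynamics 365 user lists, and the field names, role names and sample rows are assumptions constructed for illustration.

```python
# Added example: audit a merged Office 365 / Dynamics 365 user export.
# Field names (upn, licensed, access_mode, roles, owned_records) are
# hypothetical; adapt them to whatever your own export produces.
MAX_NON_INTERACTIVE = 5  # limit stated in this post


def audit_users(users):
    """Return a sorted list of (upn, finding) tuples."""
    findings = []
    service = [u for u in users if u["access_mode"] == "Non-interactive"]
    if len(service) > MAX_NON_INTERACTIVE:
        findings.append(("*", f"{len(service)} non-interactive users exceeds "
                              f"limit of {MAX_NON_INTERACTIVE}"))
    for u in users:
        non_interactive = u["access_mode"] == "Non-interactive"
        if non_interactive and u["licensed"]:
            # The license is only needed while the account is being set up.
            findings.append((u["upn"], "non-interactive user still holds a license"))
        if not non_interactive and not u["licensed"] and u["owned_records"] > 0:
            # No license means disabled, but owned records are not moved.
            findings.append((u["upn"], f"disabled user owns {u['owned_records']} "
                                       "records; reassign"))
        if not non_interactive and u["licensed"] and not u["roles"]:
            findings.append((u["upn"], "licensed but no security role; "
                                       "cannot access Dynamics 365"))
    return sorted(findings)


# Constructed sample rows, not real accounts.
SAMPLE_USERS = [
    {"upn": "alice@contoso.example", "licensed": True, "access_mode": "Read-Write",
     "roles": ["Salesperson"], "owned_records": 12},
    {"upn": "bob@contoso.example", "licensed": False, "access_mode": "Read-Write",
     "roles": ["Salesperson"], "owned_records": 40},
    {"upn": "carol@contoso.example", "licensed": True, "access_mode": "Read-Write",
     "roles": [], "owned_records": 0},
    {"upn": "svc-erp@contoso.example", "licensed": True,
     "access_mode": "Non-interactive", "roles": ["Integration"], "owned_records": 0},
    {"upn": "svc-web@contoso.example", "licensed": False,
     "access_mode": "Non-interactive", "roles": ["Integration"], "owned_records": 0},
]

if __name__ == "__main__":
    for upn, finding in audit_users(SAMPLE_USERS):
        print(f"{upn}: {finding}")
```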
User Account Synchronization
We have seen that users created in Office 365 and assigned an appropriate license are automatically synchronized with Dynamics 365. When this is happening users will be authenticated by Azure active directory, meaning they will have a different set of login credentials when logging into Dynamics 365 than those they use for the corporate network (as that will be working from a different active directory). Maintaining two sets of credentials can be a large administration task and isn’t ideal for the users! This admin effort can be reduced by considering one of two options:
- Synchronizing active directory with Office 365.
- Active Directory Federation Services. (AD FS)
When simply synchronizing active directory with Office 365 the accounts are synchronized but not their passwords. When users log into their on-premise environment they use their “work account”; typically this will be in a domain\username format. If we synchronize AD with Office 365 the user will log into Office 365 services (including Dynamics 365 online) with the same work account, except with a revised format of email@example.com. This synchronization process keeps the user details the same for on-premise and online environments. However, the users will have different passwords for the two environments.
You can create a federation (trust) between the internal active directory and Azure active directory. Establishing the trust between the organization’s internal active directory and Azure active directory means users can directly log into Office 365 (and therefore Dynamics 365) with their internal user credentials. Account administration is reduced and the user experience improved, as the users get to use the same user name and password.
This approach reduces administration and management workload for the administrators. The integration between the organization’s internal active directory and Azure active directory is achieved via Active Directory Federation Services (AD FS). AD FS allows users to authenticate into their internal environment, rather than Azure active directory hosted in the Cloud.
When using active directory federation services like this the authentication token is passed from the local machine through to Azure active directory and the user will be seamlessly logged into Office 365.
FYI: Setting up account synchronizations and Single Sign On (SSO) can be detailed processes. You might need to consult other sources of information for full details!
I hope this post has helped you understand the basics of user management that you will need to know for the MB2-715 deployment exam. As always it is very important to get some hands-on practice with the product, these notes are just a guide!