Microsoft Dynamics NAV supports federated user authentication with Microsoft Azure Active Directory (Azure AD). This is the Identity Provider service that is used by Office 365. Every time a new Office 365 subscription is provisioned, the Azure AD tenant for this subscription is also created. Thus, when Microsoft Dynamics NAV is configured for federated authentication with an Azure AD tenant, a Single Sign-on (SSO) user experience is achieved between Microsoft Dynamics NAV, the Office 365 Web Applications, and any other applications that use the Single Sign-on capability provided by the Azure AD tenant.

The Set-NavSingleSignOnWithOffice365 cmdlet also supports enabling Office 365 account authentication both for Microsoft Dynamics NAV Web client and for Microsoft Dynamics NAV Windows client. Office 365 authentication is described in this topic for both clients.

The Set-NavSingleSignOnWithOffice365 cmdlet can be used to perform the configuration task by automating all the steps of this process. The cmdlet performs the following operations:

If the configuration sub steps fail, the cmdlet reverts all of the changes in the sub steps made to the Microsoft Dynamics NAV Server and Microsoft Dynamics NAV Web Server components.

To follow this how-to, you will need:

To Import the NAVOffice365Administration Module

  1. Open Windows PowerShell as administrator, by right-clicking the program and selecting Run as administrator.

  2. Navigate to your Microsoft Dynamics NAV DVD, and then to the WindowsPowerShellScripts\NAVOffice365Administration folder.

  3. Run the following cmdlet in order to import the NAVOffice365Administration PowerShell module: Import-Module .\NAVOffice365Administration.psm1.

When you have imported the NAVOffice365Administration module, you can now run the Set-NavSingleSignOnWithOffice365 cmdlet on the computer that hosts the Microsoft Dynamics NAV components with the relevant parameters set.

To Automate the Single Sign-on Configuration in a One-Computer Microsoft Dynamics NAV Environment

  1. In Windows PowerShell, at the prompt, enter Set-NavSingleSignOnWithOffice365 -NavServerInstance "ServerInstanceName" -NavWebServerInstanceName "WebServerInstanceName" -NavUser "YourNavUser" -AuthenticationEmail "YourOffice365Email" -NavServerCertificateThumbprint "SecurityCertificateThumbprint". See the table below for a description of parameters.

    Parameter Name Description

    ServerInstanceName

    Specifies the name of your Microsoft Dynamics NAV Server instance. To find the names for the Microsoft Dynamics NAV Server instances, run the Get-NAVServerInstance cmdlet.

    WebServerInstanceName

    Specifies the name of your Microsoft Dynamics NAV Web Server instance. To find the names for the Microsoft Dynamics NAV Web client instances running in your IIS, run the Get-NAVWebServerInstance cmdlet.

    YourNavUser

    Specifies the name of your Microsoft Dynamics NAV user account. YourNavUser links the Microsoft Dynamics NAV user account to your Office 365 account by providing your Office 365 email address as the AuthenticationEmail for the provided Microsoft Dynamics NAV user account. This parameter is optional.

    YourOffice365Email

    Specifies the email address of your Office 365 user account. The syntax is username@o365tenant.onmicrosoft.com. This parameter is optional.

    Important
    This user must have administrative permissions, such as the Global Administrator role. If you create a custom administrator role for this account, the account must have permission to create service principals in Azure. For more information, see Assigning admin roles.

    SecurityCertificateThumbprint

    Specifies the thumbprint for the security certificate that was used for securing the client-server communication channel. Get the list of thumbprints for your certificates by issuing this Windows PowerShell command: Get-ChildItem -Path "Cert:\LocalMachine\My"

    Note
    You can avoid providing this parameter if you already have your Microsoft Dynamics NAV Server configured to use a security certificate. This applies to Microsoft Dynamics NAV installations in the Azure environment, and other environments where any credential type other than Windows is active and functional.

  2. When the Set-NavSingleSignOnWithOffice365 cmdlet is run, a dialog box will open, requesting your Office 365 account user name and password.

Automating the Single Sign-on Configuration in a Multi-Computer Microsoft Dynamics NAV Environment

This configuration type assumes that your Microsoft Dynamics NAV Server and Microsoft Dynamics NAV Web Server components are on different computers. This means that you have to run the Set-NavSingleSignOnWithOffice365 cmdlet on each of these computers separately with a different parameter set in order to correctly configure your Microsoft Dynamics NAV Web client for single sign-on with Office 365.

To automate single sign-on configuration in a multi-computer Microsoft Dynamics NAV environment

  1. Run the Set-NavSingleSignOnWithOffice365 cmdlet on the Microsoft Dynamics NAV Server computer.

  2. To configure your Microsoft Dynamics NAV Server for single sign-on, you have to run the cmdlet with the following parameter set:

    Set-NavSingleSignOnWithOffice365 -NavServerInstance "ServerInstanceName" -NavUser "YourNavUser" -NavServerCertificateThumbprint "SecurityCertificateThumbprint" -SkipWebServerConfiguration -SkipWinClientConfiguration
    
    Note
    The SkipWebServerConfiguration switch specifies that the Microsoft Dynamics NAV Web client configuration should not be generated.

  3. Run the Set-NavSingleSignOnWithOffice365 cmdlet on the Microsoft Dynamics NAV Web Server components computer.

  4. To configure your Microsoft Dynamics NAV Web Server components for single sign-on, you have to run the cmdlet with the following parameter set:

    Set-NavSingleSignOnWithOffice365 -NavWebServerInstanceName "WebServerInstanceName" -AuthenticationEmail "YourOffice365Email" -SkipNavServerConfiguration -SkipWinClientConfiguration

    Note
    The SkipNavServerConfiguration switch specifies that the Microsoft Dynamics NAV Web client configuration should not be generated.

To Enable Office 365 Account Authentication for Microsoft Dynamics NAV Windows client

The Set-NavSingleSignOnWithOffice365 cmdlet can also be used to perform most of the configuration steps necessary for enabling user authentication with Office 365 accounts for Microsoft Dynamics NAV Windows client. The example in this section only configures the Microsoft Dynamics NAV Service and the Azure AD tenant in order to enable Office 365 authentication for the Microsoft Dynamics NAV Windows client.

$result = Set-NavSingleSignOnWithOffice365 -AuthenticationEmail "YourOffice365Email" -SkipNavWebServerConfiguration -SkipNavServerConfiguration

Note
The SkipNavWebServerConfiguration switch specifies that the Microsoft Dynamics NAV Server should not be configured. The SkipNavServerConfiguration switch specifies that the Microsoft Dynamics NAV Web Server components should not be configured.

Because this cmdlet is usually run on the computer that is hosting the Microsoft Dynamics NAV service, the value returned by the cmdlet, which in this case is the sign-in page, must be copied and pasted in the ACSUri setting from the ClientUserSettings.config file.

Important
When setting ACSUri in the ClientUserSettings.config file, make sure that the ClientServicesCredentialType is set to AccessControlService.

Adjusting the Client User Settings

To make sure that the account authentication for the Microsoft Dynamics NAV Windows client works correctly, the ClientUserSettings.Config file needs two settings to be of a specific type. The default location for the ClientUserSettings.Config file is C:\Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\90. For more information, see Configuring the Windows Client.

The ClientServicesCredentialType must be set to AccessControlService.

Depending on the Security Certificate that you are using, you may also need to change the DnsIdentity setting. For more information, see How to: Implement Security Certificates in a Production Environment.

AcsUri should have the following format: https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0%26wtrealm=<realm>%26wreply=<reply>.

Note
The difference between configuring the Microsoft Dynamics NAV Web client and Microsoft Dynamics NAV Windows client for single sign-on with Office 365 is the addition of the wreply parameter in the URL. The Microsoft Dynamics NAV Web client automatically sets the wreply parameter to the web site login page, whereas the Microsoft Dynamics NAV Windows client requires that it is preconfigured.

Tip
Use the Set-NavSingleSignOnWithOffice365 PowerShell script to get the AcsUri for Azure AD by running the following statement:

Set-NavSingleSignOnWithOffice365 -SkipNavServerConfiguration -SkipWebServerConfiguration
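
The following check is an added example, not part of the original documentation or of the NAVOffice365Administration module. It verifies the two client settings described above (ClientServicesCredentialType and the AcsUri format, including the wreply parameter that the Windows client needs). The function name Test-NavClientSsoSettings and the sample values are hypothetical, and it assumes the settings are stored as add key/value entries under appSettings.

```powershell
# Constructed sample of a ClientUserSettings.config; tenant, realm and values are placeholders.
# Assumption: settings are <add key="..." value="..." /> entries under <appSettings>.
$sampleConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ClientServicesCredentialType" value="Windows" />
    <add key="ACSUri" value="https://login.windows.net/o365tenant.onmicrosoft.com/wsfed?wa=wsignin1.0%26wtrealm=https://example.invalid/nav" />
    <add key="DnsIdentity" value="" />
  </appSettings>
</configuration>
'@

function Test-NavClientSsoSettings {
    # Hypothetical helper: returns one message per setting that does not match the page's requirements.
    param([Parameter(Mandatory)][xml]$Config)

    # Collect the appSettings entries into a lookup table (keys are case-insensitive).
    $settings = @{}
    foreach ($node in $Config.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    $findings = @()
    $credentialType = [string]$settings['ClientServicesCredentialType']
    if ($credentialType -ne 'AccessControlService') {
        $findings += "ClientServicesCredentialType is '$credentialType', expected 'AccessControlService'."
    }

    # The sign-in page must be the HTTPS WS-Federation endpoint of the tenant.
    $acsUri = [string]$settings['ACSUri']
    if ($acsUri -notmatch '^https://login\.windows\.net/[^/]+/wsfed\?wa=wsignin1\.0') {
        $findings += 'ACSUri does not start with https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0.'
    }

    # wtrealm and wreply are appended with %26; the Windows client does not add wreply itself.
    foreach ($name in 'wtrealm', 'wreply') {
        if ($acsUri -notmatch "%26$name=[^%]+") {
            $findings += "ACSUri has no $name parameter."
        }
    }
    $findings
}

Test-NavClientSsoSettings -Config $sampleConfig
```

To check a real file, pass its content instead of the sample, for example -Config (Get-Content -Raw <path to ClientUserSettings.config>).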

To change the client user settings in a ClickOnce environment, see Deploying Microsoft Dynamics NAV Using ClickOnce.
