
Walkthrough: Register a CRM app with Active Directory

I took this from the CRM 2015 SDK:

This walkthrough describes how to register an external rich desktop client or mobile application so that it can connect to and authenticate with the Microsoft Dynamics CRM server and access the web services. Once registered, an application can access the web services using HTTP requests through the server’s SOAP or OData endpoints. This walkthrough applies to both Microsoft Dynamics CRM 2015 and Microsoft Dynamics CRM Online 2015 Update.

For a Microsoft Dynamics CRM 2015 on-premises or Internet-facing deployment (IFD):

  1. Windows Server 2012 R2 with AD FS.

  2. You must have administrator access to the server hosting the Microsoft Dynamics CRM 2015 deployment services role and the AD FS server.

  3. The on-premises server must be configured to use claims authentication.

For a Microsoft Dynamics CRM Online deployment:

  1. The user must have a Microsoft Dynamics CRM Online system user account with administrator role for the Microsoft Office 365 subscription.

For either deployment type, you must know the redirect URI for your application. Instructions for finding that URI are provided in the section at the end of this topic named How to obtain the redirect URI.

App registration for CRM on-premises (IFD); App registration for CRM Online; Obtain the redirect URI

Scenario: A customer or other person registers a custom application to access organization data on a CRM server provided by an ISV or Partner.

  1. Configures the CRM on-premises (IFD) server and AD FS server using Windows PowerShell commands that are provided later in this section.

  2. Provides the client ID and server address URL information to the customer.

  1. Configures the external application by entering the client ID and server address URL in the app as instructed.

To configure the CRM server to enable federated claims, follow these steps.

  1. Log on as administrator on the CRM server that hosts the deployment service role and open a Windows PowerShell command window.

  2. Add the CRM Windows PowerShell snap-in (Microsoft.Crm.PowerShell.dll). More information: Use PowerShell to Call the Deployment Web Service

Windows PowerShell

Add-PSSnapin Microsoft.Crm.PowerShell

  3. Enter the following Windows PowerShell commands.

Windows PowerShell

$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
$ClaimsSettings.Enabled = $true
Set-CrmSetting -Setting $ClaimsSettings

To register the external application with AD FS, follow these steps.

  1. Log on to the AD FS server as administrator and open a Windows PowerShell command window.

  2. Enter the following command.

Windows PowerShell

Add-AdfsClient -ClientId <ClientId> -Name <Name> -RedirectUri <RedirectUri>

Where <ClientId> is a unique number, <Name> is a name for the application, and <RedirectUri> is any valid URI that AD FS is to redirect to after authentication has completed. It is recommended that the client ID be a GUID. You can generate a GUID in Microsoft Visual Studio by opening the Tools menu and clicking Create GUID.
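The AD FS registration step above, written as a script that generates the GUID client ID, validates the redirect URI and reads the registration back. This is an added example, not code from the SDK; `$AppName` and `$RedirectUri` hold constructed sample values, and the plain-HTTP and duplicate checks are additions that the walkthrough does not require.

```powershell
# Added example: run in an elevated PowerShell window on the AD FS server
# (Windows Server 2012 R2). Sample values below are constructed; replace them.
$AppName     = 'Contoso CRM Mobile'              # hypothetical display name
$RedirectUri = 'ms-app://s-1-15-2-0000000000/'   # constructed placeholder URI

# Reject anything that is not an absolute URI before it reaches AD FS.
$parsed = $null
if (-not [System.Uri]::TryCreate($RedirectUri, [System.UriKind]::Absolute, [ref]$parsed)) {
    throw "Redirect URI '$RedirectUri' is not an absolute URI."
}

# Over plain HTTP the authorization response travels in cleartext.
# Loopback addresses are allowed because the response never leaves the machine.
if ($parsed.Scheme -eq 'http' -and -not $parsed.IsLoopback) {
    throw "Redirect URI '$RedirectUri' uses http; use https or an app-specific scheme."
}

# Do not register the same name or redirect URI twice; review the existing entry.
$existing = Get-AdfsClient | Where-Object {
    $_.Name -eq $AppName -or $_.RedirectUri -contains $RedirectUri
}
if ($existing) {
    $existing | Format-List ClientId, Name, RedirectUri
    throw 'An AD FS client with this name or redirect URI already exists.'
}

# The walkthrough recommends a GUID as the client ID.
$ClientId = [guid]::NewGuid().ToString()
Add-AdfsClient -ClientId $ClientId -Name $AppName -RedirectUri $RedirectUri

# Read the registration back; the client ID shown here is the value
# that is provided to the customer together with the server address URL.
Get-AdfsClient -ClientId $ClientId | Format-List ClientId, Name, RedirectUri
```

Running `Get-AdfsClient` with no arguments at a later date lists every registered client with its redirect URIs, which is a quick way to find registrations that are no longer in use.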

Scenario: A person with a CRM Online system user account accesses organization data through a rich desktop client or mobile app.

  1. Registers the external application in Microsoft Azure and provides a redirect URI during the registration process. The URI can be any valid and appropriate URI. The Microsoft Azure app registration process results in the generation of a client ID string.

  2. Configures the application by entering the client ID and redirect URI in the app’s authentication code or configuration file when instructed on the Microsoft Azure app registration page.

Scenario: An ISV creates and registers an app that is later published in the app store. The ISV’s customers download the app from the store and use it to connect to their Microsoft Dynamics CRM Online organization.

  1. Registers the app in the ISV’s tenant using the steps provided in the previous scenario (above).

  1. When accessing a CRM organization in the customer’s tenant, the customer will be presented with a consent form.

  2. The customer reads the information on the form and clicks OK to consent.

  3. (Optional) The customer registers the app in the customer’s tenant.

For native apps, the customer has to consent each time he or she is prompted to authenticate again. For web apps, the customer is only asked to consent one time. The workaround to bypass the consent form is for the customer to register the app in the customer’s tenant.

  1. Sign in to the Microsoft Azure management portal by using an account with administrator permission. Use an account in the same subscription (tenant) as you intend to register the app with. If you don’t have an account, you must sign up for one by using a credit card. However, the account is free and your credit card will not be charged if you only follow the procedures called out in this topic to register one or more apps. More information: Active Directory Pricing Details

  2. Choose Active Directory in the left column of the page. You may need to scroll the left column to see the Active Directory icon and label.

  3. Choose the desired tenant directory in the directory list.

  1. With the target directory selected, choose Applications, and then choose Add.

  2. In the dialog box, choose Add an application my organization is developing.

  3. When prompted, enter a name for your application, choose a type: Web Application or Native Client Application, and then choose the right arrow to continue.

  4. Continue providing the requested information and complete the app registration process.

  5. With the tab of the newly registered app selected, choose Update Your Code. Insert the provided redirect URI and client ID in the authentication code of your app.

  1. With the tab of the newly registered app selected, choose Configure.

  2. Set the app permissions as shown in the figure below.

  1. If you’re federating users between an IFD server and Microsoft Dynamics CRM Online, and you want to use the app with either server, you must register the application with both Microsoft Dynamics CRM Online and Active Directory Federation Services (AD FS) on the IFD server. Follow the steps provided in this topic. Your IFD server must be running Windows Server 2012 R2.

One method to obtain the redirect URI is to execute the following line of code in a debug session. In a WinJS debug session, select the RawUri property.


C#

string redirectUri = WebAuthenticationBroker.GetCurrentApplicationCallbackUri().ToString();

Visual Basic

Dim redirectUri As String = WebAuthenticationBroker.GetCurrentApplicationCallbackUri().ToString()



You can then use the string value returned from the method call when you register the app. The C# line of code is shown in the topic Sample: Windows 8 desktop modern OData app.
