There are several exciting benefits to CRM Online being part of the Office 365 ecosystem, but one of the biggest is the ability to link your company's Active Directory system to CRM. This allows you to manage all your users in one place, sign in to CRM Online with your existing credentials (known as single sign-on, or SSO), and even control access to multiple CRM organizations by using Active Directory. In this article, we'll explain the benefits of setting up Active Directory federation with CRM Online, explain how to setup SSO and Active Directory synchronization, and answer some of the most common related questions.
If you have a large organization that uses Active Directory to manage your users and groups, setting up Active Directory synchronization will allow you to manage all of your CRM Online users in a central location, avoiding the need to manage multiple user accounts and passwords. In the Office 365 portal, each user record automatically includes user details such as phone number, which is populated from the corresponding user entry in Active Directory. After you assign a CRM license to a user in the Office 365 portal, the user (and all associated details) will appear within the CRM application. If the user's name or other information is updated in Active Directory, any changes will automatically propagate to CRM.
Before setting up Active Directory synchronization, you'll should check out the Single Sign-On Roadmap and decide if you are interested in setting up SSO. With SSO, users will not need to enter a user name and password to access CRM. Instead,users browsing to the CRM Online website will automatically be authenticated by using their existing Active Directory credentials. If setting up SSO is not feasible in your environment, consider the less complex alternative of using Password Sync, which will seamlessly synchronize your Office 365 account passwords with those in your Active Directory.
After you've determined whether or not to use SSO, you're ready to set up the Active Directory synchronization. To make this process easier, we have provided a tool called DirSync, which empowers you to control and manage user accounts in the traditional way by using Active Directory Users and Computers. Many of the attributes from your local AD Global Address List (GAL) can be synchronized automatically to the cloud.
So, what are the requirements for a DirSync computer? To get started you will need an Office 365 subscription, an Active Directory forest, a directory synchronization computer that meets these prerequisites. For complete details about DirSync prerequisites, installation, and use, see the DirSync Roadmap or follow the "Set up" links that appear on the Office 365 Admin Center, as shown in the following graphic:
You can also use the DirSync tool to control multiple CRM organizations by using Active Directory security groups. If your subscription includes multiple CRM instances, the CRM Online Instance Picker also provides the ability to control which users have access to each CRM instance by specifying an Active Directory security group.
For example, if you have a test instance of CRM that your expert customizers use to try out new additions to CRM, you may not want all of your employees with a CRM license to be able to access it. If the customizers are already part of an Active Directory security group, just specify that group as the Instance Security Group, and only the customizers will be able to see the test instance.
Here is an example of setting up an Instance Security Group for a CRM instance:
Step 1: Create the group in Active Directory:
Step 2: After the group is synchronized to Office 365, log in to the Office 365 Admin Center as an administrator and then from the Admin menu, select CRM, as highlighted in the following graphic:
Step 3: Finally, edit the development organization instance in the CRM Online Instance Picker to use your Active Directory security group, as highlighted in the following graphic:
Here are some common questions that come up about using CRM with Active Directory synchronization:
Q: I signed up for CRM Online before June 2012 and my CRM Online subscription hasn't been converted to use Office 365 yet. Can I still synchronize my Active Directory?
A: No, you will need to convert your CRM Online subscription to Office 365 to take advantage of SSO and DirSync. Please contact Microsoft Support for assistance.
Q: I tried to follow the screenshots above, but my Office 365 portal looks different. What’s going on?
A: The screenshots in this article show the new Office 15 user interface, and your company may not be upgraded to the latest interface yet. However, all the functionality mentioned above is still available.
Q: What information is synchronized from Active Directory to CRM?
A: We synchronize information about users, contacts, and groups. For the full list of all the attributes that are synchronized, see the KB article List of attributes that are synced to Windows Azure Active Directory and attributes that are written back to the on-premises Active Directory Domain Services.
Q: My company does not want to synchronize all of our users or all of their attributes. Can I use DirSync to synchronize only selected users or attributes?
A: While filtering objects is currently supported, filtering attributes is not.
Q: My Active Directory has thousands of users. Do I need to pay for CRM licenses for all of them to link AD to CRM?
A: No. While all users in AD will appear in the Office 365 portal, only the users with license assigned will appear in CRM. Your bill is based on the number of user licenses you pay for.
Q: I just updated user information in Active Directory, but it's still not reflected in CRM. What's going on?
A: By default, DirSync synchronizes information from Active Directory every three hours. If you need to synchronize more immediately, you can force a synchronization at any time by using PowerShell.
Q: My company has multiple Office 365 tenants. Can we use SSO with one Active Directory with all of them?
A: No. This process currently supports only one tenant/account.
Q: My Active Directory system uses Network Load Balancing. Is this okay?
A: Network Load Balancing will notcause any problems for the DirSync process.
Q: I set up an instance security group for my CRM organization, and then in Active Directory I added a nested group as a member of the security group. Why don’t users of the nested group get added to my CRM organization?
A: Nested groups that are members of an instance security group are not supported at this time. As a result, be sure that all users you intend to be part of a CRM organization are members of the instance security group, if one exists.
That's all for now! Enjoy making your CRM Online experience easier with SSO and DirSync.
Uma Maheswari Anbazhagan and David Carlton
Microsoft Dynamics CRM
Excellent blog !