Recently, we published security improvements to increase your organizations’ data protection.
In the Mobile CRM, Inspections, and Routes apps connecting to a Dynamics backend, you will encounter a new default authentication process, OAuth, which also affects external apps and location tracking.
Here is what you need to know about these changes and how to proceed with the OAuth authentication process.
What has changed?
Last year, Microsoft started deprecating the older WS-Trust authentication method for connecting to Dataverse (formerly Common Data Service), replacing it with the more secure OAuth process. This also affects Resco mobile apps and Resco CRM sync with Dynamics.
Therefore, users signing in to Resco mobile apps must now proceed with the OAuth2 authentication method by default. Multi-factor authentication is also available.
Accounts used for external projects and location tracking also need to use OAuth authentication instead of WS-Trust. For these accounts, the ROPC flow (Resource Owner Password Credentials) is used, and the accounts have to meet certain requirements.
How to sign in with OAuth2 in Resco apps?
Before using the OAuth2 authentication method to connect Resco apps with Dynamics 365/CRM Online, you have to grant the app access in Microsoft Azure Active Directory.
Azure Active Directory is used to verify that the application can access the business data stored in the Dynamics 365/CRM Online tenant. To grant global consent for all users to access the data, use the following link.
However, you need to be a Global Administrator of your tenant to issue a global consent. It’s not enough to have only a System Administrator role in Dynamics 365/CRM Online.
Additionally, all app users who connect to their Resco mobile apps as a Standard User with multi-factor authentication enabled on their user account must also switch to OAuth2. The switch is also required if they receive an error message like the one below when accessing the CRM:
“Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication.”
How to proceed with authentication of external projects and location tracking
The deprecation of WS-Trust by Microsoft impacts the authentication of external projects and location tracking as well. Instead of the legacy WS-Trust login, all customers must switch to OAuth using the ROPC flow (ROPC is a non-interactive flow, so multi-factor authentication is not suitable for this use case).
However, in order to use OAuth, users must grant their consent. There are two types of consent:
- Individual consent for a particular mobile user
- Admin consent (organization-wide)
For external projects and location services, individual mobile user consent is sufficient:
- For external projects, consent is required for the account used for authentication and licensing.
- For location tracking, consent is required for the account used when you register your organization for location tracking.
Consent can be further limited by scopes. In these cases, consent is only required for access to Dynamics. The scope is https://{hostname}/user_impersonation, for example https://resco.crm4.dynamics.com/user_impersonation. As {hostname}, use the hostname of your Dynamics instance.
There are several ways to grant consent:
- You can synchronize your Resco Mobile CRM app with this account. However, this will grant consent with more scopes than required for external users or location tracking scenarios.
- A simpler way is to open the following link in a web browser, log in, and grant consent. Go to this address. Make sure to replace {hostname} with your Dynamics hostname. Some organizations don’t allow individual user consent; in that case, you must log in as a global admin and grant consent on behalf of your organization.
- There’s also a direct link for admin consent. In this case, you have to log in as a global admin. As the tenant ID, use either your tenant’s domain name or its GUID, and use the correct Dynamics hostname.
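The following Python example illustrates the three pieces described above (the user_impersonation scope built from a Dynamics hostname, the ROPC token request that external projects and location tracking use, and the admin consent link) and shows how the token endpoint's reply can be classified so that an MFA-protected or unconsented account is reported clearly instead of as a generic login failure. It is an added example, not Resco's code or Microsoft's library. It assumes the public Azure AD v2.0 endpoints on login.microsoftonline.com; the client_id, redirect_uri and tenant values are placeholders (the Resco application ID is not on the page), and the token responses used for the demonstration are constructed, not captured from a real tenant.

```python
"""OAuth2 ROPC flow against Azure AD for a Dynamics 365 instance (added example).

Assumptions (not from the page): Azure AD v2.0 token endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token and v2.0 admin
consent endpoint .../v2.0/adminconsent; CLIENT_ID and REDIRECT_URI are placeholders.
"""
import json
from urllib.parse import urlencode, urlparse

LOGIN_HOST = "login.microsoftonline.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not Resco's real app ID
REDIRECT_URI = "https://example.invalid/consent-done"  # placeholder


def dynamics_scope(org: str, allowed_suffixes=(".dynamics.com",)) -> str:
    """Return the user_impersonation scope for a Dynamics hostname or org URL.

    Accepts 'resco.crm4.dynamics.com' or 'https://resco.crm4.dynamics.com/main.aspx'.
    Rejects hosts outside allowed_suffixes so a mistyped hostname cannot quietly
    request a token for some other resource.
    """
    host = urlparse(org if "://" in org else f"https://{org}").hostname
    if not host or not host.endswith(allowed_suffixes):
        raise ValueError(f"not a Dynamics hostname: {org!r}")
    return f"https://{host}/user_impersonation"


def ropc_token_request(tenant: str, username: str, password: str, org: str) -> tuple:
    """Build the ROPC (grant_type=password) token request for a service account.

    Returns (endpoint URL, form body). The body is what a POST with
    Content-Type: application/x-www-form-urlencoded carries; it is returned
    rather than sent so the example runs offline.
    """
    url = f"https://{LOGIN_HOST}/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        # offline_access asks for a refresh token so the password is not replayed each sync
        "scope": f"{dynamics_scope(org)} offline_access",
        "username": username,
        "password": password,
    }
    return url, body


def admin_consent_url(tenant: str, org: str) -> str:
    """Organization-wide consent link a Global Administrator opens in a browser."""
    query = urlencode({"client_id": CLIENT_ID, "scope": dynamics_scope(org),
                       "redirect_uri": REDIRECT_URI})
    return f"https://{LOGIN_HOST}/{tenant}/v2.0/adminconsent?{query}"


def classify_token_response(raw: str) -> str:
    """Map the token endpoint's JSON reply to a short status.

    'ok'               access_token present
    'mfa_required'     interaction_required / AADSTS50076: the account is subject
                       to MFA or Conditional Access, which ROPC cannot satisfy
    'consent_required' AADSTS65001: the account has not consented to the app
    'error:<code>'     anything else
    """
    data = json.loads(raw)
    if "access_token" in data:
        return "ok"
    err = data.get("error", "unknown")
    desc = data.get("error_description", "")
    if err == "interaction_required" or "AADSTS50076" in desc:
        return "mfa_required"
    if "AADSTS65001" in desc:
        return "consent_required"
    return f"error:{err}"


# Constructed sample replies (not real tokens or captured responses).
SAMPLE_OK = '{"token_type":"Bearer","expires_in":3599,"access_token":"constructed.token.value"}'
SAMPLE_MFA = ('{"error":"interaction_required","error_description":'
              '"AADSTS50076: constructed sample: multi-factor authentication is required."}')
SAMPLE_NO_CONSENT = ('{"error":"invalid_grant","error_description":'
                     '"AADSTS65001: constructed sample: the user has not consented to the application."}')

if __name__ == "__main__":
    url, body = ropc_token_request("contoso.onmicrosoft.com", "svc-tracking@contoso.com",
                                   "placeholder-password", "resco.crm4.dynamics.com")
    print(url, body["scope"])
    print(admin_consent_url("contoso.onmicrosoft.com", "resco.crm4.dynamics.com"))
    for sample in (SAMPLE_OK, SAMPLE_MFA, SAMPLE_NO_CONSENT):
        print(classify_token_response(sample))
```

The classification matters operationally: a location-tracking or external-project account that starts returning mfa_required after a Conditional Access change will keep failing silently until it is excluded from the policy or replaced, so surfacing that distinct status in sync logs is what tells an administrator which of the requirements above the account no longer meets.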
After the successful configuration of OAuth, you should be able to log in to your apps as quickly as before, but now even more securely.
What else is new?
If you want to learn more about the security of Resco mobile solutions, you can find additional documentation on the Resco wiki.