Set up an Azure Marketplace subscription for hosted test drives

This article explains how to set up an Azure Marketplace subscription and either a Dynamics 365 apps on Dataverse and Power Apps environment or a Dynamics 365 Operations Apps environment for test drives.

Important

Azure Active Directory (Azure AD) Graph is deprecated as of June 30, 2023. Going forward, we're making no further investments in Azure AD Graph. Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.

We'll retire Azure AD Graph in incremental steps so that you have sufficient time to migrate your applications to Microsoft Graph APIs. At a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.

To learn more, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.

Set up for Dynamics 365 apps on Dataverse and Power Apps

  1. Sign in to the Azure portal with an Admin account.

  2. Verify you are in the tenant associated with your Dynamics 365 test drive instance by hovering over your account icon in the upper right corner. If you aren't in the correct tenant, select the account icon to switch into the correct tenant.

    Screenshot showing how to select the correct tenant.

  3. Verify that the Dynamics 365 Customer Engagement Plan license is available.

    Screenshot showing how to check the plan license.

  4. Create a Microsoft Entra app in Azure. AppSource will use this app to provision and deprovision the test drive user in your tenant.

    1. From the filter pane, select Microsoft Entra ID.

    2. Select App registrations.

      Screenshot showing how to select app registrations.

    3. Select New registration.

    4. Provide an appropriate application name.

      Screenshot showing how to register an application.

    5. Under Supported account types, select Account in any organization directory and personal Microsoft accounts.

    6. Select Create and wait for your app to be created.

    7. Once the app is created, note the Application ID displayed on the overview screen. You will need this value later when configuring your test drive.

    8. Under Manage Application, select API permissions.

    9. Select Add a permission and then Microsoft Graph API.

    10. Select the Application permission category and then the User.ReadWrite.All, Directory.Read.All and Directory.ReadWrite.All permissions.

      Screenshot showing how to set the application permissions.

    11. Once the permission is added, select Grant admin consent for Microsoft.

    12. From the message alert, select Yes.

      Screenshot showing the application permissions are successfully granted.

    13. To generate a secret for the Microsoft Entra App:

      1. From Manage Application, select Certificate and secrets.

      2. Under Client secrets, select New client secret.

        Screenshot showing how to add a new client secret.

      3. Enter a description, such as Test Drive, and select an appropriate duration. Because the test drive will break once this key expires, at which point you will need to generate a new key and provide it to AppSource, we recommend using the maximum duration of 24 months.

      4. Select Add to generate the Azure app secret. Copy this value as it will be hidden as soon as you leave this blade. You will need this value later when configuring your test drive.

        Screenshot showing how to add a client secret.

  5. Add the Service Principal role to the application to allow the Microsoft Entra app to remove users from your Azure tenant. There are two options for completing this step.

    Option 1

    1. Search for Microsoft Entra roles and administrators and select the service.

      Screenshot showing how to search for Microsoft Entra roles and administrators.

    2. On the All roles page, search for the User Administrator role and double-click User administrator.

      Screenshot showing how to search for and select User administrator.

    3. Select Add Assignments.

      Screenshot showing the add assignments button.

    4. Search for and select the above-created app, then Add.

      Screenshot showing a successful app assignment.

    5. Note the Service Principal role successfully assigned to the application:

      Screenshot showing the Service Principal role successfully assigned to the application.

    Option 2

    1. Open an Administrative-level PowerShell command prompt.

    2. If MSOnline isn't installed, install it:

      Install-Module MSOnline

    3. Connect to the tenant. This displays a popup window; sign in with the newly created org tenant:

      Connect-MsolService

    4. Store the Application ID of the app:

      $applicationId = "<YOUR_APPLICATION_ID>"

    5. Look up the app's service principal:

      $sp = Get-MsolServicePrincipal -AppPrincipalId $applicationId

    6. Add the service principal to the role:

      Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId $sp.ObjectId -RoleMemberType servicePrincipal

      Screenshot showing how to sign in to your account.

  6. Create a new Security Group and add it to Canvas App (Power Apps). This step is only applicable to Dynamics 365 for Customer Engagement & Power Apps offers with the Canvas Apps option.

    1. Create a new Security Group.

      1. Go to Microsoft Entra ID.

      2. Under Manage, select Groups.

      3. Select + New Group.

      4. Select the Security Group type.

      5. For Group Name, enter TestDriveSecurityGroup.

      6. Add a description, such as Security Group for Test Drive.

      7. Leave other fields as default and select Create.

        Screenshot showing how to create a new security group.

    2. Add the security group just created to the Canvas App (Power Apps).

      1. Open the PowerApps portal page and sign in.

      2. Select Apps, then select the ellipsis next to the app.

      3. Select Share.

      4. Search for the TestDriveSecurityGroup security group created in the prior step.

      5. Add Data permissions to the security group.

      6. Clear the send email invitation check box.

      7. Select Share.

        Note

        When using a backend data source other than CE/Dataverse for Canvas App (Power Apps):

        • Allow the above created security group to access your data source. For example, a SharePoint data source.
        • Open SharePoint and share the data table with the Security Group.

  7. Add the just-created Azure app as an application user to your test drive CRM instance. This step is applicable only to Dynamics 365 apps on Dataverse and Power Apps Offers.

    1. Sign in to the Power Platform admin center as a System Administrator.

    2. Select Environments, and then select an environment from the list.

    3. Select Settings.

    4. Select Users + permissions, and then select Application users.

    5. Select + New app user to open the Create a new app user page.

      Screenshot of Test Drive create new app user.

    6. Select + Add an app to choose the registered Microsoft Entra ID application that was created for the selected user, and then select Add.

      Note

      In addition to entering the Application Name or Application ID, you can also enter an Azure Managed Identity Application ID. For Managed Identity, do not enter the Managed Identity Application Name; use the Managed Identity Application ID instead.

    7. The selected Microsoft Entra app is displayed under App. You can select Edit to choose another Microsoft Entra application. Under Business Unit, select a business unit from the dropdown list.

      Screenshot of Test Drive create new app user business unit.

    8. After choosing a business unit, you can edit Security roles to choose the security roles for the chosen business unit to add to the new application user. After adding security roles, select Save.

      Screenshot of Test Drive create new app user security roles.

    9. Select Create.

    10. Select Manage roles.

    11. Assign a custom or out-of-box (OOB) security role that contains read, write, and assign role privileges, such as System Administrator.

      Screenshot showing how to select the role privileges.

    12. Enable the Act on Behalf of Another User privilege.

    13. Assign the application user the custom security role you created for your test drive.

Set up for Dynamics 365 Operations Apps

  1. Sign in to the Azure portal with an Admin account.

  2. Verify you are in the tenant associated with your Dynamics 365 test drive instance by hovering over your account icon in the upper right corner. If you aren't in the correct tenant, select the account icon to switch into the correct tenant.

    Screenshot showing how to select the correct tenant.

  3. Create a Microsoft Entra App in Azure. AppSource will use this app to provision and deprovision the test drive user in your tenant.

    1. From the filter pane, select Microsoft Entra ID.

    2. Select App registrations.

      Screenshot showing how to select an app registration.

    3. Select New registration.

    4. Provide an appropriate application name.

      Screenshot showing how to register an application.

    5. Under Supported account types, select Account in any organization directory and personal Microsoft accounts.

    6. Select Create and wait for your app to be created.

    7. Once the app is created, note the Application ID displayed on the overview screen. You will need this value later when configuring your test drive.

    8. Under Manage Application, select API permissions.

    9. Select Add a permission and then Microsoft Graph API.

    10. Select the Application permission category and then the Directory.Read.All and Directory.ReadWrite.All permissions.

      Screenshot illustrating how to set application permissions.

    11. Select Add permission.

    12. Once the permission is added, select Grant admin consent for Microsoft.

    13. From the message alert, select Yes.

      Screenshot showing the application permissions successfully granted.

    14. To generate a secret for the Microsoft Entra App:

      1. From Manage Application, select Certificate and secrets.

      2. Under Client secrets, select New client secret.

      3. Enter a description, such as Test Drive, and select an appropriate duration. The test drive will break once this key expires, at which point you will need to generate a new key and provide it to AppSource.

      4. Select Add to generate the Azure app secret. Copy this value as it will be hidden as soon as you leave this blade. You will need this value later when configuring your test drive.

        Screenshot showing the addition of a client secret.

  4. Add the Service Principal role to the application to allow the Microsoft Entra app to remove users from your Azure tenant.

    1. Open an Administrative-level PowerShell command prompt.

    2. If MSOnline isn't installed, install it:

      Install-Module MSOnline

    3. Connect to the tenant. This displays a popup window; sign in with the newly created org tenant:

      Connect-MsolService

    4. Store the Application ID of the app:

      $applicationId = "<YOUR_APPLICATION_ID>"

    5. Look up the app's service principal:

      $sp = Get-MsolServicePrincipal -AppPrincipalId $applicationId

    6. Add the service principal to the role:

      Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId $sp.ObjectId -RoleMemberType servicePrincipal

      Screenshot showing how to sign in to an account.

  5. Now add the above app to Dynamics 365 Operations Apps to enable the app to manage users.

    1. Find your Dynamics 365 Operations Apps instance.
    2. From the top-left corner, select the three-line icon (☰).
    3. Select System Administration.
    4. Select Microsoft Entra applications.
    5. Select + New.
    6. Enter the Client ID of the Microsoft Entra app that is going to perform the on-behalf-of actions.

    Note

    The user ID is the user on whose behalf the actions will be performed (typically the System Admin of the instance or a user who has privileges to add other users).

    Screenshot showing the user ID on whose behalf the actions will be performed, typically the System Admin of the instance or a user who has privileges to add other users.
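
The following read-only check is an added example, not part of the original article. It confirms what both setup procedures above leave on the app registration: the directory role from the Add-MsolRoleMember step, the consented Microsoft Graph application permissions, and the expiry of each client secret. It uses Microsoft Graph PowerShell SDK cmdlets rather than the MSOnline module used in the steps, and assumes that SDK is installed; the 30-day warning threshold is a constructed value.

```powershell
# Added example: read-only audit of the test drive app after setup.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you can sign in as an admin.
$applicationId  = '<YOUR_APPLICATION_ID>'                  # placeholder, as in the steps above
$expectedRoleId = 'fe930be7-5e62-47db-91af-98c3a49a38b1'   # role ID from the Add-MsolRoleMember step
# Permissions from the Dataverse and Power Apps steps; drop User.ReadWrite.All for Operations Apps.
$expectedPermissions = 'User.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All'
$warnDays = 30                                             # constructed threshold for expiry warnings

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$sp  = Get-MgServicePrincipal -Filter "appId eq '$applicationId'"
$app = Get-MgApplication -Filter "appId eq '$applicationId'"
if (-not $sp -or -not $app) { throw "No app registration or service principal for $applicationId in this tenant." }

# 1. Directory roles assigned to the service principal.
$roleIds = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All |
    Select-Object -ExpandProperty RoleDefinitionId)

# 2. Application permissions that have admin consent, resolved to their names.
$granted = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
})

# 3. Client secrets on the app registration and the days left before each expires.
$now = (Get-Date).ToUniversalTime()
$secrets = foreach ($c in $app.PasswordCredentials) {
    [pscustomobject]@{
        Description = $c.DisplayName
        Expires     = $c.EndDateTime
        DaysLeft    = [math]::Floor(($c.EndDateTime - $now).TotalDays)
    }
}

# Summary: anything under OtherRoles or ExtraPermissions is beyond what the steps configure.
[pscustomobject]@{
    HasExpectedRole    = $roleIds -contains $expectedRoleId
    OtherRoles         = @($roleIds | Where-Object { $_ -ne $expectedRoleId })
    MissingPermissions = @($expectedPermissions | Where-Object { $_ -notin $granted })
    ExtraPermissions   = @($granted | Where-Object { $_ -notin $expectedPermissions })
    SecretsExpiring    = @($secrets | Where-Object { $_.DaysLeft -lt $warnDays })
} | Format-List
$secrets | Sort-Object DaysLeft | Format-Table
```

Running it on a schedule gives early notice before the secret expires and the test drive breaks, and shows whether the app has picked up roles or permissions beyond those listed in this article.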
