Active Directory and claims-based authentication

Applies to Dynamics 365 for Customer Engagement apps version 9.x

Claims-based authentication provides an industry standard security protocol to authenticate a user on a host computer. Claims-based authentication is a set of WS-* standards describing the use of a Security Assertion Markup Language (SAML) token in either passive mode (when WS-Federation is used with the Dynamics 365 (online) Customer Engagement web application) or active mode (where WS-Trust in used with Windows Communication Foundation (WCF) clients). This authentication works together with WCF to provide secure user authentication and a communication channel with a Dynamics 365 server. All Dynamics 365 editions support claims-based authentication.

Claims-based authentication requires the availability of a security token service (STS) running on a server. An STS server can be based on Active Directory Federation Services (AD FS) V2, or any platform that provides the official STS protocol. More information: TechNet: Configure IFD for Dynamics 365 (on-premises).

Supported authentication scenarios

Dynamics 365 supports the following authentication scenarios for each deployment type.

Deployment Authentication model
Dynamics 365 (online) Claims-based or Active Directory (through federation) authentication
Dynamics 365 (online) on-premises Claims-based or Active Directory authentication
Dynamics 365 (online) Internet-facing deployment (IFD) Claims-based or Active Directory authentication

How claims-based authentication works

A request to authenticate a user is sent from Dynamics 365 (online) or a custom application to the STS server. The STS server determines whether the user should be authenticated, and if so, issues a signed and encrypted SAML token that contains user authentication information. The token has a finite life span and may have to be periodically refreshed depending on how long your application is using the token. This is discussed in more detail later in this topic.

How Active Directory authentication works

A request to authenticate a user is sent from Dynamics 365 or a custom application to Active Directory. The WCF stack manages the authentication process for Organization Service calls from an application, whereas Internet Information Services (IIS) manages authentication for a web application.

Unsupported authentication scenarios

Use of client certificates is not supported. If you configure the Dynamics 365 website to require IIS client certificates, you will get authentication failures for any applications that were built using the SDK.

For more information about additional unsupported programming methods see Unsupported Customizations.

Authentication classes

The following table lists the primary authentication classes available in the SDK, describes when to use them, and provides links to additional relevant documentation.

Classes Usage Related Documentation
IServiceConfiguration<TService>, IServiceManagement<TService> All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Best choice for multi-threaded applications
Authenticate Office 365 Users with Dynamics 365 (online) Web Services

Sample: Authenticate Users with Dynamics 365 Web Services

Improve service channel allocation performance
DiscoveryServiceProxy, OrganizationServiceProxy All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) Authentication by Using the Client Proxy Classes

Sample: Access the Discovery Service

Improve service channel allocation performance
CrmConnection Class All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) Simplified Connection to Microsoft Dynamics CRM

Sample: Simplified Connection Quick Start using Dynamics 365 Customer Engagement
ServerConnection All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Use for console test applications and sample code.

Designed to improve usability when running SDK sample code and to demonstrate use of the authentication classes. Contains console output code.
Helper Code: ServerConnection Class

Sample: Quick Start for Dynamics 365 Customer Engagement

* Microsoft Online Services environment

Authentication by using the client proxy classes

One way to authenticate with the Dynamics 365 web services is by using the OrganizationServiceProxy and DiscoveryServiceProxy classes in the applications that you write. The four-parameter constructor of these classes supports Dynamics 365 (online) deployments. These proxy classes automatically handle claims or Active Directory authentication and also manage resource limits on the WCF channel endpoint.

The following code shows how to instantiate the organization service proxy:

using (OrganizationServiceProxy _serviceProxy = new OrganizationServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))  

The following code shows how to instantiate the discovery service proxy:

using (DiscoveryServiceProxy _discProxy = new DiscoveryServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))  

It is important to properly dispose of the service proxy instance in your application before the application terminates. The using statement makes sure that the service proxy is correctly disposed by automatically calling Dispose on the service proxy when it goes out of scope. However, for improved application performance, it is a best practice to keep the service proxy instance available in your application for the entire application session instead of disposing it and allocating it again somewhere else in the application code when needed. The reason being that creating and authenticating a service channel is an expensive operation (in time). In this case, when you are done with the service proxy instance, you must directly call the Dispose method on the proxy before the application terminates.

The device credentials of the registered computing device are only used when authenticating with Dynamics 365 (online) through the Microsoft account identity provider. For sample code that shows how to populate the proxy constructor parameters, see Sample: Access the Discovery Service.


For an on-premises or an Internet-facing deployment (IFD) installation of Dynamics 365 (online), the client proxy classes use claims-based authentication if an STS server is available. Otherwise, Active Directory authentication is used.

If you want to use Dynamics 365 early-bound entity types in your code, you must add the following line of code after the organization service proxy is instantiated, but before you make web service method calls:



WCF supports a feature where it can interactively prompt the user for logon credentials when it is necessary. This feature is enabled by setting the SupportInteractive property of the ClientCredentials class. These credentials are used in the userCredentials parameter shown in the previous code snippet.

When making SDK calls to the Dynamics 365 web services, the ownership of the operation and entity data changes performed by the SDK call can be changed by this WCF feature independent of your code.

Dynamics 365 handles supplied credentials in web service calls as follows:

  • If credentials are not supplied in the web service call, the WCF stack determines which credentials to use. In that case, the SupportInteractive property value is automatically set to false.
    • If credentials are explicitly supplied by your code, the current SupportInteractive value is passed to the WCF channel factory. SupportInteractive is set to true by default unless you explicitly change it.
    • If SupportInteractive is set to true and the provided credentials fail, a WCF dialog box may be displayed. Any credentials entered by the user into the dialog box will be used instead of those supplied in the web service calls that your application invokes.

Handling channel exceptions and faults

Your code should catch the following exceptions and faults. See the C# samples in the developer documentation for a list of additional exceptions to catch:

Additional information about the security (SAML) token

The SAML token used during user authentication is described below.

Contents of the SAML token

The XML-based SAML 2.0 token contains an identity that defines one or more claims about a user. This token is passed between an identity provider (STS) server and Dynamics 365 for claims-based authentication. The claims in the identity have been defined as follows.

Claim Use
Universal Principal Name (UPN) Contains the user’s ID in domain\alias format on the target Dynamics 365 server.
Name If the authenticated user is also a Deployment Administrator in Dynamics 365, this claim contains the deployment administrator’s ID in domain\alias format on the target Dynamics 365 server. Windows Identity Foundation maps the Name claim to the property.
Any other claims Not used by Dynamics 365.

Supported security token types

Dynamics 365 (online) support two types of SAML tokens:

  • Web application - The Dynamics 365 web application receives a bearer token from STS. This token is missing some required information so a Transport Layer Security (TLS) or Secure Sockets Layer (SSL)-based URL (https://) is used for security protection when you access the WCF endpoint.

  • SDK - A custom application receives an active token with a proof key that contains the required information.

Lifecycle of the security token

A SecurityToken has a life span identified by its ValidFrom and ValidTo properties. Your application design should consider the possibility that the token could expire, resulting in an ExpiredSecurityTokenException being thrown by the Dynamics 365 web services when the next message request from your application is processed.

See also

Walkthrough: Register a Dynamics 365 app with Active Directory
Connect with Microsoft Office 365 and Dynamics 365 (online)
Implement Single Sign-on from an ASPX Webpage or IFRAME
Sample: Authenticate Users with Dynamics 365 Web Services