Understanding portal security

Users of the Dynamics 365 Portals are tracked in Dynamics 365 as contacts.

When a portal is provisioned, specific Portal Contact forms are added to the contact record to manage passwords, view portal-specific contact information, and provide registration and profile management forms for the portal.

Contact web authentication form

All interactions and actions that a portal user takes (for example, leaving comment on a page) are tied to their contact record in Dynamics.


Portal users can authenticate using the following methods:

  • Local authentication. Common forms-based authentication with usernames and password hashes stored in the Dynamics 365 contact record.
  • External authentication. Credentials and password management are handled by third-party identity providers. Supported authentication providers:
    • OAuth2 (Microsoft, Twitter, Facebook, Google, LinkedIn, Yahoo )
    • Open ID (Azure Active Directory, Azure AD B2C)
    • WS-Federation and SAML 2.0. These providers are used for integration with on-premises Active Directory and third-party identity services

Portal administrators may choose to enable or disable any combination of authentication options through portal site settings.


Azure AD B2C identity provider is recommended provider for authentication. If third-party provider support is required then it can be configured in Azure AD B2C.


After the user is authenticated and associated with a contact, Dynamics 365 Portals uses a number of entities to define authorization, that is, what a user is allowed to do.

Web Role allow an administrator to control user access to portal content and Dynamics 365 data.

Portals security constructs

Web Role can be associated with the following records:

  • Website Permissions define what (if any) front-side editing permissions a Web Role should have.
  • Web Page Access Rules define what pages are visible to a Web Role and what actions can be taken.
  • Entity Permissions define what access a Web Role has to individual entities.

A portal contact may be assigned one or more Web Roles at a time. Access rules and permissions of individual roles are combined to calculate the resulting permissions set.

One of the web roles in the portal can be marked as Anonymous and another one as Authenticated. These roles allow to apply permissions and access rules to all portal users based on whether they are logged on or if they access the site anonymously.