Walkthrough: Configure Windows Azure ACS (Version 1) for Microsoft Dynamics CRM 2011 Integration


Applies To: Dynamics CRM 2011

This walkthrough guides you through an advanced configuration scenario for Windows Azure Access Control Service, version 1. In this walkthrough, you will create an issuer, scope, and rules to allow a listener application to read the Microsoft Dynamics CRM message posted to the service bus. This walkthrough applies to integration with any type of Microsoft Dynamics CRM installation.


The Plug-in Registration tool included in the SDK download provides the ability to automate the configuration of ACS (version 1 or 2) for basic scenarios. You can access this functionality when you run the tool by following the instructions in the topic Walkthrough: Register an Azure-Aware Plug-in with Plug-in Registration Tool.

For more advanced version 1 scenarios, you will need to build and run the acm tool described in this walkthrough. There are no instructions provided at this time for configuring advanced ACS version 2 scenarios.

As a prerequisite, perform the following tasks before continuing with this walkthrough.

  1. Install the Windows Azure AppFabric SDK V1.0 and code samples.

  2. Compile the acm tool in the AccessControl\ExploringFeatures\Management\AcmTool folder of the sample code.

  3. Configure Microsoft Dynamics CRM for Windows Azure integration. For more information, see Walkthrough: Configure CRM for Integration with Windows Azure.

  4. Create a project in Windows Azure and record the service endpoint Uri, service namespace, and management key values for use in this walkthrough.

Configure the Acm.exe Tool

To configure the acm.exe tool, follow these steps.

  1. Copy the public certificate to the same folder as the acm.exe tool.

  2. In that same folder, create a configuration file named “acm.exe.config” that contains the following information in XML format.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <add key="host" value="accesscontrol.windows.net"/>
        <add key="service" value="<servicenamespace>-sb"/>
        <add key="mgmtkey" value="<mymgmtkey>"/>
      </appSettings>
    </configuration>

  3. Replace <servicenamespace> with your Windows Azure solution namespace.

  4. Replace <mymgmtkey> with the management key value, which is case-sensitive.

The “-sb” suffix in the service refers to the service bus instance of ACS. If you are using federated mode, remove the “-sb” from the service namespace value.
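
Because the management key is stored in clear text in acm.exe.config, one way to create the file is to prompt for the key and then restrict the file's permissions. The script below is an added example, not part of the original walkthrough or the SDK; its parameter names and the use of icacls to lock down the file are this example's own choices.

```powershell
# Added example: write acm.exe.config next to acm.exe and limit who can read it.
# $AcmFolder, $ServiceNamespace and -Federated are names chosen for this example.
param(
    [Parameter(Mandatory = $true)] [string] $AcmFolder,
    [Parameter(Mandatory = $true)] [string] $ServiceNamespace,
    [switch] $Federated   # omit the "-sb" suffix, as described for federated mode
)

# Prompt for the management key so it never appears on a command line.
$secure = Read-Host -Prompt 'Management key (case-sensitive)' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $mgmtKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$service = if ($Federated) { $ServiceNamespace } else { "${ServiceNamespace}-sb" }

# Build the file through an XML API so characters such as & or " in the key are escaped.
$xml = New-Object System.Xml.XmlDocument
$null = $xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null))
$root = $xml.AppendChild($xml.CreateElement('configuration'))
$appSettings = $root.AppendChild($xml.CreateElement('appSettings'))
$pairs = @(@('host', 'accesscontrol.windows.net'), @('service', $service), @('mgmtkey', $mgmtKey))
foreach ($pair in $pairs) {
    $add = $appSettings.AppendChild($xml.CreateElement('add'))
    $add.SetAttribute('key', $pair[0])
    $add.SetAttribute('value', $pair[1])
}

$path = Join-Path (Resolve-Path $AcmFolder).ProviderPath 'acm.exe.config'
$xml.Save($path)

# The key sits in the file in clear text: drop inherited permissions and
# leave only the current user with read and write access.
$me = "${env:USERDOMAIN}\${env:USERNAME}"
icacls $path /inheritance:r /grant:r "${me}:(R,W)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }

Remove-Variable mgmtKey
Write-Host "Wrote $path (service = $service), accessible only to $me"
```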

Configure the issuer

Open a Command or Windows PowerShell console window and change the working directory to the acm.exe tool folder. Run the acm.exe tool using the following command.

.\acm.exe create issuer -name:<name> -issuername:<issuername> -certfile:<filename> -algorithm:X509

Substitute the appropriate values for <name>, <issuername>, and <filename> as described below.

<name>
A name for the issuer.

<issuername>
The exact issuer name that was used when configuring Microsoft Dynamics CRM for Windows Azure integration. You can find this name on the Developer Resources page of the Microsoft Dynamics CRM Web application below the Windows Azure AppFabric Issuer Certificate label. To navigate to that page in the Web application, select Settings, select Customizations, and click Developer Resources.

<filename>
The file name (or full pathname) of the public certificate. You can download the certificate from the Developer Resources page described previously.

You can type the command “.\acm.exe getall issuer” to view the created issuer information.
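
Before the certificate is registered as a trusted issuer, it is worth confirming that the file holds only a public certificate and is within its validity period. The following script is an added example, not part of the original walkthrough; the parameter names are assumptions, and the acm.exe arguments are the ones shown above.

```powershell
# Added example: inspect the downloaded certificate, then create the issuer.
# Run from the acm.exe folder. $Name, $IssuerName and $CertFile are this example's names.
param(
    [Parameter(Mandatory = $true)] [string] $Name,
    [Parameter(Mandatory = $true)] [string] $IssuerName,
    [Parameter(Mandatory = $true)] [string] $CertFile
)

$full = (Resolve-Path $CertFile).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

$problems = @()
# The walkthrough calls for the public certificate; a private key should not be copied here.
if ($cert.HasPrivateKey) { $problems += 'file carries a private key' }
$now = Get-Date
if ($now -lt $cert.NotBefore) { $problems += "not valid until $($cert.NotBefore)" }
if ($now -gt $cert.NotAfter)  { $problems += "expired on $($cert.NotAfter)" }

# Show what is about to be trusted so it can be compared with the certificate
# offered on the Developer Resources page.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter | Out-Host

if ($problems.Count -gt 0) {
    throw "Not registering ${full}: $($problems -join '; ')"
}

# Quote each argument so PowerShell passes it to acm.exe unchanged.
& .\acm.exe create issuer "-name:$Name" "-issuername:$IssuerName" "-certfile:$full" '-algorithm:X509'
& .\acm.exe getall issuer
```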

Configure the scope

The following information describes how to configure the scope of ACS for a normal mode post by Microsoft Dynamics CRM.

To view information on the existing token policy and scope, enter the following commands:

.\acm.exe getall tokenpolicy
.\acm.exe getall scope

You can use an existing base scope or create a new scope with the Uri of the service endpoint that your listener will use. For example, to create a new scope, enter the following command and substitute the appropriate values where indicated by <>.

.\acm.exe create scope -name:<myscope> -tokenpolicyid:<tokenpolicyid> -appliesto:http://<uri-of-service-endpoint>
.\acm.exe getall scope

In the previous command, <myscope> is a name for your new scope, <tokenpolicyid> is the ID shown in the token policy information output from the first command, and <uri-of-service-endpoint> is the Uri of your Windows Azure project’s service endpoint.

Create rules for the scope

The final step in configuring ACS is to create a rule for a scope. First, list the available scopes because you will need the target scope’s ID. Next, list all rules of that scope.

.\acm.exe getall scope
.\acm.exe getall rule -scopeid:<scopeid>

Substitute the appropriate scope ID value in the <scopeid> parameter of the second command.

Create a rule for the target scope that will allow Microsoft Dynamics CRM to send or “post” to the Windows Azure Service Bus. You do this by configuring ACS to map the input “Organization” claim from Microsoft Dynamics CRM, identified by inclaimissuerid, to the output “Send” claim for the service bus, by executing the following command:

.\acm.exe create rule -name:<myRule> -scopeid:<scopeid> -inclaimissuerid:<issuerid> -inclaimtype:http://schemas.microsoft.com/xrm/2011/Claims/Organization -inclaimvalue:<orgName> -outclaimtype:net.windows.servicebus.action -outclaimvalue:Send

Substitute the appropriate values for <myRule>, <orgName>, <scopeid>, and <issuerid> as described below.

<myRule>
A name for the rule.

<orgName>
For an IFD or on-premises deployment, the unique name of the desired organization specified in lowercase characters. You can find this name on the Developer Resources page of the Microsoft Dynamics CRM Web application next to the Organization Unique Name label. To navigate to that page in the Web application, select Settings, select Customizations, and click Developer Resources.

For a Microsoft Dynamics CRM Online deployment, specify the complete hostname part of the Web service URL. For example, given a URL of https://myorg.crm.dynamics.com/main.aspx, the hostname part is myorg.crm.dynamics.com.

<scopeid>
The ID of the scope.

<issuerid>
The ID of the issuer you created earlier in this walkthrough.
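
The following added example (not part of the original walkthrough) derives the <orgName> value for either deployment type and passes the rule arguments to acm.exe as an array, so the long command cannot be broken by line wrapping. Parameter and function names are this example's own; the claim types and values are those shown above.

```powershell
# Added example: build <orgName> and create the rule. Run from the acm.exe folder.
param(
    [Parameter(Mandatory = $true)] [string] $RuleName,
    [Parameter(Mandatory = $true)] [string] $ScopeId,
    [Parameter(Mandatory = $true)] [string] $IssuerId,
    # Organization unique name (IFD or on-premises) or the CRM Online Web service URL
    [Parameter(Mandatory = $true)] [string] $Organization
)

# Hypothetical helper: returns the value to use for -inclaimvalue.
function Get-OrgClaimValue([string] $Value) {
    $Value = $Value.Trim()
    $uri = $null
    $isUrl = [Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref] $uri)
    if ($isUrl -and ($uri.Scheme -eq 'http' -or $uri.Scheme -eq 'https')) {
        return $uri.Host                 # CRM Online: complete hostname part of the URL
    }
    if ($Value -match '[\s/:]') {
        throw "Not an organization name or an http(s) URL: '$Value'"
    }
    return $Value.ToLowerInvariant()     # IFD or on-premises: unique name in lowercase
}

$orgName = Get-OrgClaimValue $Organization

# One array element per argument; each reaches acm.exe exactly as written.
$acmArgs = @(
    'create', 'rule',
    "-name:$RuleName",
    "-scopeid:$ScopeId",
    "-inclaimissuerid:$IssuerId",
    '-inclaimtype:http://schemas.microsoft.com/xrm/2011/Claims/Organization',
    "-inclaimvalue:$orgName",
    '-outclaimtype:net.windows.servicebus.action',
    '-outclaimvalue:Send'
)
& .\acm.exe $acmArgs

# List the rules of the scope to confirm what was created.
& .\acm.exe getall rule "-scopeid:$ScopeId"
```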


If you are using federated mode, the process is similar to what is described above. You would add an issuer and then either create a scope specific to the Uri (recommended) or create a new base scope. You will need to configure both -sb and non-sb scopes. You may also need to create a token policy for creating the issuer.

See Also

Walkthrough: Configure CRM for Integration with Windows Azure
Configure Windows Azure Integration with Microsoft Dynamics CRM
Acm.exe Tool

© Microsoft Corporation. All rights reserved.