05. 02. 2025 Alessandro Romboli Knowledge Management, Service Management

Dynamics 365 Finance & Operations (On-Premises) Connectivity: new authentication model

Scenario

Dynamics 365 Finance & Operations (On-Premises) is an ERP (Enterprise Resource Planning) solution that can be deployed on physical or virtual servers. It is the right choice for companies that do not want to store their data in the Azure cloud.

The ERP architecture requires a standalone Service Fabric cluster, which is connected to Microsoft's LCS (Microsoft Dynamics Lifecycle Services) through a Local Agent application deployed into the cluster.

Deprecated authentication for Local Agent connectivity

The old, now deprecated, authentication model required a single certificate to be registered on a Service Principal in the Azure tenant.

Only one such certificate could exist for the whole Azure tenant, so it had to be shared by every Dynamics 365 Finance & Operations On-Premises environment: whoever held that certificate's private key could authenticate to LCS on behalf of all of them.

New authentication for Local Agent connectivity: Bring-your-own Microsoft Entra service principal

Microsoft requires all customers to migrate to the new authentication model: each environment can now have its own certificate for the Local Agent, and that certificate is associated with a dedicated Microsoft Entra Enterprise Application and its Service Principal.

This way each Dynamics 365 Finance & Operations On-Premises environment is independent, and a compromised certificate only exposes the environment it belongs to instead of the whole tenant.

How to migrate to the new authentication connectivity

First of all, a new Azure Enterprise Application (with its Service Principal) must be created for each Dynamics 365 On-Premises environment, as described in Microsoft's documentation:

https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/deployment/onprem-auth-lcs#new-authentication-process-bring-your-own-microsoft-entra-service-principal

Then, using the local infrastructure scripts, retrieve the new agent configuration:

.\Get-AgentConfiguration.ps1 -ConfigurationFilePath .\ConfigTemplate.xml

The next step is performed in LCS:

from the on-premises implementation project, select the Menu button (the hamburger button), then Project settings; open On-premises connectors and edit the connector configuration, filling in the Application ID and Service Principal ID of the newly created Enterprise Application.

After saving the new configuration, download the updated localagent-config.json file from LCS.

From the server on which the Local Agent was originally deployed into the Service Fabric cluster, first uninstall the Local Agent using the CLI from the old installation path and the old configuration file:

LocalAgentCLI.exe Cleanup <path of localagent-config.json>

Finally, using the latest Local Agent installation package and the new configuration JSON file (which references the new Azure Enterprise Application), reinstall the Local Agent:

LocalAgentCLI.exe Install <path of new-localagent-config.json>

Note that the whole procedure does not cause downtime for the Dynamics 365 Finance & Operations On-Premises environment: the Local Agent only handles orchestration from LCS (deployments and servicing actions), so the running AOS nodes and end users are not affected and the migration can be performed during business hours. The only practical limitation is that LCS cannot run deployment or servicing actions against the environment between the Cleanup and the new Install.
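The steps above are easy to get wrong in one specific way: reinstalling the agent with a JSON file that still points at the old, tenant-wide application, or with a certificate that is about to expire. The following PowerShell script is an added example (not part of the original post and not one of Microsoft's infrastructure scripts) that checks the new configuration before running Cleanup and Install. The JSON property names AadApplicationId and LocalAgentCertificateThumbprint, and the parameter names, are assumptions for illustration; adapt them to the fields actually present in the localagent-config.json downloaded from LCS.

```powershell
# Pre-flight check and re-installation of the Local Agent (example code, not
# part of the Microsoft infrastructure scripts). Assumptions:
#  - the connector configuration downloaded from LCS is JSON and exposes the
#    Entra application ID and the agent certificate thumbprint under the
#    hypothetical property names AadApplicationId and
#    LocalAgentCertificateThumbprint (rename them to match the real file);
#  - the Local Agent certificate lives in Cert:\LocalMachine\My on the
#    orchestrator node where LocalAgentCLI.exe is run.
param(
    [Parameter(Mandatory)] [string] $OldConfigPath,
    [Parameter(Mandatory)] [string] $NewConfigPath,
    [string] $OldAgentCli = '.\OldPackage\LocalAgentCLI.exe',   # CLI of the original installation package
    [string] $NewAgentCli = '.\NewPackage\LocalAgentCLI.exe',   # CLI of the latest installation package
    [int]    $MinCertDays = 30
)

$ErrorActionPreference = 'Stop'

function Get-GuidProperty {
    param([object] $Json, [string] $Name)
    $value = $Json.$Name
    if (-not $value) { throw "Property '$Name' is missing from the configuration" }
    [guid] $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string] $value, [ref] $parsed)) {
        throw "Property '$Name' is not a GUID: $value"
    }
    return $parsed
}

$old = Get-Content -Raw -Path $OldConfigPath | ConvertFrom-Json
$new = Get-Content -Raw -Path $NewConfigPath | ConvertFrom-Json

# 1. The new file must reference a different Entra application than the old
#    one; otherwise this environment still shares the tenant-wide credential.
$oldAppId = Get-GuidProperty $old 'AadApplicationId'   # hypothetical property name
$newAppId = Get-GuidProperty $new 'AadApplicationId'   # hypothetical property name
if ($newAppId -eq $oldAppId) {
    throw "New configuration still references application $newAppId; create a dedicated Enterprise Application for this environment"
}

# 2. The certificate referenced by the new configuration must be installed
#    with its private key, be time-valid and not close to expiry.
$thumbprint = ([string] $new.LocalAgentCertificateThumbprint).ToUpperInvariant()   # hypothetical property name
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Invalid certificate thumbprint '$thumbprint'" }
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key on this node" }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { throw "Certificate $thumbprint is not time-valid" }
if (($cert.NotAfter - $now).TotalDays -lt $MinCertDays) {
    throw "Certificate $thumbprint expires on $($cert.NotAfter); rotate it before reinstalling the agent"
}
# Show the public details so they can be compared with the certificate
# credential uploaded to the Entra application.
Write-Host ("Agent certificate: subject={0} thumbprint={1} expires={2:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# 3. Replace the agent: remove the old registration with the old package and
#    configuration, then install with the new package and configuration.
#    Each step aborts the script on a non-zero exit code.
& $OldAgentCli Cleanup $OldConfigPath
if ($LASTEXITCODE -ne 0) { throw "Cleanup failed with exit code $LASTEXITCODE" }
& $NewAgentCli Install $NewConfigPath
if ($LASTEXITCODE -ne 0) { throw "Install failed with exit code $LASTEXITCODE" }
Write-Host "Local Agent reinstalled with application $newAppId and certificate $thumbprint"
```

Run it from an elevated PowerShell session on the orchestrator node, passing the old and new JSON files and the two package folders. The application-ID comparison is the important check: the entire point of the migration is that the environment stops authenticating with the shared tenant credential, and a copy-paste mistake in the LCS connector configuration silently undoes that.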

Conclusion

The new Local Agent connectivity is another step toward security: the blast radius of a compromised certificate is limited to a single environment instead of the whole tenant. For this reason, it is important that each environment has its own Microsoft Entra application, service principal, and certificate, rather than reusing one across environments.

Alessandro Romboli

Site Reliability Engineer at Würth Phoenix
My name is Alessandro and I joined Würth-Phoenix early in 2013. I have over 20 years of experience in the IT sector: For a long time I've worked for a big Italian bank in a very complex environment, managing the software provisioning for all the branch offices. Then I've worked as a system administrator for an international IT provider supporting several big companies in their infrastructures, providing high availability solutions and disaster recovery implementations. I've joined the VMware virtual infrastructure in early stage, since version 2: it was one of the first productive Server Farms in Italy. I always like to study and compare different technologies: I work with Linux, MAC OSX, Windows and VMWare. Since I joined Würth Phoenix, I could also expand my experience on Firewalls, Storage Area Networks, Local Area Networks, designing and implementing complete solutions for our customers. Primarily, I'm a system administrator and solution designer, certified as VMware VCP6 DCV, Microsoft MCP for Windows Server, Hyper-V and System Center Virtual Machine Manager, SQL Server, SharePoint. Besides computers, I also like photography, sport and trekking in the mountains.
