Azure AD Conditional Access and Dynamics Service Connection Errors

Azure AD Conditional Access provides additional layers of security that can help enforce policies and implement exceptions, such as multi-factor authentication.

We received a few generic errors trying to connect to the Dynamics 365 CRM Service, shown below, but none pointed to the specific reason our service connection was failing. First, I updated all of the NuGet service references in the project so they were all using the latest stable version (that by itself didn't fix the issue, but did change the error message slightly). In addition, I confirmed that we were setting ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; and even put a call in the App Startup just to be sure, but that also didn't help. After that, I used Fiddler to capture the request and found that the actual error, "AADSTS53003: Blocked by conditional access.", was being sent back to the Tooling library but was not being presented in the Crm Client Last Error property.

Once I knew the issue was in Conditional Access, I was able to log in to Azure AD (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies) and configure these two policies so that our service account user was excluded:

  • High - Require 2nd Factor except from trusted location
  • Block Legacy Authentication
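
One way to confirm which policies are blocking the account before adding any exclusion, so that only the policies that actually fired are changed. This is an added example, not code from the original post. It assumes the Azure AD sign-in log has been exported as a JSON list using the Microsoft Graph signIn field names; the sample records, the account svc-crm@example.com and the function name blocking_policies are constructed for illustration.

```python
import json
from collections import defaultdict

CA_BLOCK_ERROR = 53003  # numeric part of AADSTS53003

# Constructed sample sign-in records (Microsoft Graph signIn field names).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "svc-crm@example.com", "clientAppUsed": "Other clients",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Block Legacy Authentication", "result": "failure"},
   {"displayName": "High - Require 2nd Factor except from trusted location",
    "result": "notApplied"}]},
 {"userPrincipalName": "svc-crm@example.com", "clientAppUsed": "Browser",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
   {"displayName": "High - Require 2nd Factor except from trusted location",
    "result": "failure"}]},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [
   {"displayName": "High - Require 2nd Factor except from trusted location",
    "result": "success"}]},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
  "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",
  "appliedConditionalAccessPolicies": []}
]""")


def blocking_policies(signins, upn=None):
    """Map each blocked account to {policy name: number of blocked sign-ins}."""
    blocked = defaultdict(lambda: defaultdict(int))
    for rec in signins:
        if (rec.get("status") or {}).get("errorCode") != CA_BLOCK_ERROR:
            continue  # keep only sign-ins rejected with AADSTS53003
        user = (rec.get("userPrincipalName") or "").lower()
        if upn and user != upn.lower():
            continue
        policies = rec.get("appliedConditionalAccessPolicies") or []
        failed = [p.get("displayName", "<unnamed policy>")
                  for p in policies if p.get("result") == "failure"]
        # If the record carries no policy detail, still report the block.
        for name in failed or ["<policy detail unavailable>"]:
            blocked[user][name] += 1
    return {user: dict(counts) for user, counts in blocked.items()}


if __name__ == "__main__":
    for user, counts in blocking_policies(SAMPLE_SIGNINS).items():
        for name, n in sorted(counts.items()):
            print(f"{user}: {n} sign-in(s) blocked by '{name}'")
```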

Here are the generic errors the Crm Client was reporting in the Last Error property:

Invalid Login Information : An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. => Authentication FailureUnable to Login to Dynamics CRM
Unable to Login to Dynamics CRM
"You don't have permission to access any of the organizations in the Microsoft Dynamics CRM Online region that you specified"

You can also test this in the v9 version of the Plugin Registration tool. Before these policies are configured to exclude the account, your user will get a pop-up window to confirm authentication client-side. After these policies are configured, your user won't see that pop-up.