← Back to Blog

Dynamics CRM using Azure Active Directory instead of ADFS

Using Azure AD instead of ADFS for your Dynamics CRM

This tutorial will go through the steps needed to set up an Internet-Facing Deployment of Dynamics CRM using Azure AD. The CRM implementation used in this tutorial is installed on an Azure virtual machine.

If you have moved your on-premise CRM environment to an Azure virtual machine and tried to set up AD FS without a domain controller... you will probably very quickly realized you can’t configure AD FS since your user is not a member of the Domain Admins group. Well, instead of using AD FS  you can use Azure AD instead.

What you will need

You will need access to the CRM application server.

You will need credentials to a user who is a deployment administrator in CRM.

Access to https://manage.windowsazure.co...


You have already set up DNS correctly.

SSL certificates are installed correctly.

CRM is installed correctly.

Go to https://manage.windowsazure.co... and open the active directory section. Then click the arrow to the right of your active directory name.



Next click applications at the top and then add on the bottom.



Select ‘Add an application my organization is developing’.

For the name, put in ‘https://{YOURACTIVEDIRECTORYNAME}.accesscontrol.windows.net/’

Type is ‘Web application and/or web api’

Hit the next arrow.

For the sign-on url put ‘https:// {YOURACTIVEDIRECTORYNAME}.accesscontrol.windows.net/’

For the appid url put ‘https:// {YOURACTIVEDIRECTORYNAME}.accesscontrol.windows.net/’

Hit the accept arrow at the bottom right.


Once completed you should see something like what is shown below. No more configuration to this is needed.

But before you leave this page. Click the view endpoints on the bottom of the page. Copy the Federation Metadata document URL from the window and save it for later.


Now go back to active directory section. Click access control namespaces at the top and then click manage at the bottom. This will open up the access control service (ACS). This is where you specify the claims rules like you normally would do in ADFS.



You should now see the page below. Next step is to click on identity providers



Then click Add


Select ws-federation identity provider. Then select next

Fill out the Display name. It can be whatever you want.

Put in the ws-federation metadata url. This is the url mentioned above that you saved for later.

And finally specify the login text. It can be whatever you want.




Now click on application integration and copy the WS-Federation Metadata url.



Go onto the CRM server and configure claims based authentication in the deployment manager. For the federation metadata URL you specify the URL you just copied from the step above. At the end of the wizard make sure to copy the CRM federation Metadata URL as normal.  You will need it in the next part. After you are done configuring claims authentication, you can go ahead and configure Internet-Facing Deployment.





Now go back to the Access Control Service (ACS) and click on the ‘Relying party applications’ and click add.



This next part should seem pretty familiar if you are used to setting up AD FS. Basically the same steps as in AD FS where you go to relying party trusts. Set up claims. Set up IFD. Then set up your rules.


On the next screen specify your name.

Choose the ‘import ws-Federation metadata mode’. Put in the federation metadata CRM gives you after setting up claims in the deployment manager.

Uncheck Windows Live ID and make sure the identity provider you created earlier is checked.

Make sure ‘create new rule group’ is unchecked and then hit save.



Once complete, create another relying party application but for the Internet Facing Deployment (IFD). For the WF-federation metadata make sure the URL is for the external domain where you internet-facing servers are located. (I don’t think you have to set up a claims relying party to get IFD to work. I just do it because I’m a creature of habit)

So for me instead of


I use



Now the last part. Creating the rule groups needed for Microsoft CRM and Azure AD.

To create the rules groups needed for CRM, click rule groups and then add. Specify a name and then save.



Now you have created a rule group. Next we need to add the rules. To do so click ‘Generate’



Pick the Identity provider you created earlier. Uncheck windows live if checked. The hit generate.


Once complete you should see the screen below with the generated rules.



Now look for the rule with the Output Claim of ‘name’. It will probably be on page two. Click it to open it.




Change the output claim type to UPN as shown below. Then hit save.



Once complete browse to both of the relying party applications and update them so that they use the newly created rule group.


That should be it. You should now be able to browse CRM using IFD with Azure AD.