How to set up OAuth authentication for Resco apps connecting to Microsoft Dynamics [Guide]

Besides the new features, in Resco Spring Update 2021 we also published security improvements to increase your organization’s data protection.

In Mobile CRM, Inspections, and Routes apps connecting to a Dynamics backend, you will encounter a new default authentication process – OAuth. The change also affects external apps and location tracking.

Here is what you need to know about these changes and how to proceed with the OAuth authentication process.

What has changed?

Last year, Microsoft started to deprecate the older WS-Trust authentication method for connecting to Dataverse (formerly Common Data Services), replacing it with the more secure OAuth process. This also affects Resco mobile apps and Resco CRM sync with Dynamics.

Therefore, users signing in to Resco mobile apps must now proceed with the OAuth2 authentication method by default. Multi-factor authentication is also available.

Accounts used for external projects and location tracking also need to use OAuth authentication instead of WS-Trust. For these accounts, the ROPC flow (Resource Owner Password Credentials) is used, and the accounts have to meet certain requirements.

How to sign in with OAuth2 in Resco apps?

Before using the OAuth2 authentication method to connect Resco apps with Dynamics 365/CRM Online, you have to grant the app access to Microsoft Azure Active Directory.

Azure Active Directory is used to verify that the application can access the business data stored in the Dynamics 365/CRM Online tenant. To grant global consent for all users to access the data, use the following link.

However, you need to be a Global Administrator of your tenant to issue a global consent. It’s not enough to have only a System Administrator role in Dynamics 365/CRM Online.

Additionally, all app users connected to their Resco mobile apps as Standard User, with multi-factor authentication enabled for their user account, must also switch to OAuth2. This is also required if they receive an error message like the one below when accessing the CRM:

“Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication.”

How to proceed with authentication of external projects and location tracking

The deprecation of WS-Trust by Microsoft impacts the authentication of external projects and location tracking as well. Instead of a legacy login using WS-Trust, all customers must switch to OAuth using the ROPC flow (multi-factor authentication is not suitable for this use case).

However, in order to use OAuth, users must grant their consent. There are two types of consent:

  • Individual consent for a particular mobile user
  • Admin consent (organization-wide)

For external projects and location services, individual mobile user consent is sufficient:

Consents can be further limited by scopes. In these cases, consent is only required to access Dynamics. The scope is https://{hostname}/user_impersonation, for example https://resco.crm4.dynamics.com/user_impersonation. As {hostname}, use the hostname of your Dynamics instance.
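The scope format above, together with the shape of an ROPC token request, as an added example that is not Resco's own code. It assumes the Microsoft identity platform v2.0 token endpoint; the tenant, client ID and account values passed in are placeholders chosen by the caller, and nothing is sent over the network.

```python
from urllib.parse import urlsplit

# Microsoft identity platform v2.0 token endpoint; {tenant} is supplied by the caller.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def dynamics_scope(instance_url):
    """Build https://{hostname}/user_impersonation from a Dynamics instance URL."""
    url = instance_url.strip()
    if "://" not in url:
        url = "https://" + url  # accept a bare hostname
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Dynamics instance must use https")
    if not parts.hostname or parts.username or parts.port:
        raise ValueError("expected a plain hostname without credentials or port")
    # urlsplit lower-cases the hostname; path and query are dropped here
    return f"https://{parts.hostname}/user_impersonation"


def ropc_token_request(tenant, client_id, instance_url, username, password):
    """Return (url, form fields) for an ROPC token request; nothing is sent."""
    form = {
        "grant_type": "password",  # the ROPC grant
        "client_id": client_id,    # placeholder, the app registration's ID
        "scope": dynamics_scope(instance_url),
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def unexpected_scopes(requested, instance_url):
    """List scopes in a space-separated string other than the Dynamics one."""
    allowed = dynamics_scope(instance_url)
    return [s for s in requested.split() if s.lower() != allowed]
```

`unexpected_scopes` can be run against the scope string configured for a tracking or external-project account to confirm that consent is requested for Dynamics only.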

There are several ways consent can be granted:

After the successful configuration of OAuth, you should be able to log in to your apps as quickly as before, but now even more securely.

What else is new in Resco Spring Update 2021?

If you want to learn more about the security of Resco mobile solutions, you can find additional documentation on the Resco wiki. Also, we invite you to join the free Spring Update 2021 webinar, where our Product team will walk you through the benefits, use cases, and demos of the new features.
