There are several exciting benefits to CRM Online being part of the Office 365 ecosystem, but one of the biggest is the ability to link your company’s Active Directory system to CRM. This allows you to manage all your users in one place, sign in to CRM Online with your existing credentials (known as single sign-on, or SSO), and even control access to multiple CRM organizations by using Active Directory. In this article, we’ll explain the benefits of setting up Active Directory federation with CRM Online, explain how to set up SSO and Active Directory synchronization, and answer some of the most common related questions.
If you have a large organization that uses Active Directory to manage your users and groups, setting up Active Directory synchronization will allow you to manage all of your CRM Online users in a central location, avoiding the need to manage multiple user accounts and passwords. In the Office 365 portal, each user record automatically includes user details such as phone number, which is populated from the corresponding user entry in Active Directory. After you assign a CRM license to a user in the Office 365 portal, the user (and all associated details) will appear within the CRM application. If the user’s name or other information is updated in Active Directory, any changes will automatically propagate to CRM.
Before setting up Active Directory synchronization, you should check out the Single Sign-On Roadmap and decide if you are interested in setting up SSO. With SSO, users will not need to enter a user name and password to access CRM. Instead, users browsing to the CRM Online website will automatically be authenticated by using their existing Active Directory credentials. If setting up SSO is not feasible in your environment, consider the less complex alternative of using Password Sync, which will seamlessly synchronize your Office 365 account passwords with those in your Active Directory.
After you’ve determined whether or not to use SSO, you’re ready to set up the Active Directory synchronization. To make this process easier, we have provided a tool called DirSync, which empowers you to control and manage user accounts in the traditional way by using Active Directory Users and Computers. Many of the attributes from your local AD Global Address List (GAL) can be synchronized automatically to the cloud.
So, what are the requirements for a DirSync computer? To get started you will need an Office 365 subscription, an Active Directory forest, and a directory synchronization computer that meets these prerequisites. For complete details about DirSync prerequisites, installation, and use, see the DirSync Roadmap or follow the “Set up” links that appear on the Office 365 Admin Center.
You can also use the DirSync tool to control multiple CRM organizations by using Active Directory security groups. If your subscription includes multiple CRM instances, the CRM Online Instance Picker also provides the ability to control which users have access to each CRM instance by specifying an Active Directory security group.
For example, if you have a test instance of CRM that your expert customizers use to try out new additions to CRM, you may not want all of your employees with a CRM license to be able to access it. If the customizers are already part of an Active Directory security group, just specify that group as the Instance Security Group, and only the customizers will be able to see the test instance.
Here is an example of setting up an Instance Security Group for a CRM instance:
Step 1: Create the group in Active Directory.
Step 2: After the group is synchronized to Office 365, log in to the Office 365 Admin Center as an administrator and then from the Admin menu, select CRM.
Step 3: Finally, edit the development organization instance in the CRM Online Instance Picker to use your Active Directory security group.
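Step 1 can also be scripted. The following PowerShell is an added example, not part of the original article: it creates the security group with the ActiveDirectory module, adds the approved customizers, and reports anyone else who is a direct or nested member before you assign the group as the Instance Security Group. The group name, OU path, and account names are hypothetical placeholders.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create groups in the OU.
Import-Module ActiveDirectory

# Hypothetical values for illustration: replace with your own.
$GroupName = 'CRM-Test-Customizers'
$GroupPath = 'OU=Groups,DC=contoso,DC=com'
$Approved  = @('asmith', 'bjones')     # constructed sAMAccountNames

# Create the group only if it does not already exist.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupPath `
        -Description 'Access to the CRM Online test instance' -PassThru
}

# The article calls for a security group; stop if an existing group
# with this name turns out to be a distribution group.
if ($group.GroupCategory -ne 'Security') {
    throw "$GroupName is a $($group.GroupCategory) group, not a security group."
}

# Add approved customizers who are not yet direct members.
$direct  = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty SamAccountName)
$missing = @($Approved | Where-Object { $_ -notin $direct })
if ($missing) {
    Add-ADGroupMember -Identity $group -Members $missing
}

# List every user who is in the group directly or through a nested group,
# and flag accounts that are not on the approved list.
$effective  = @(Get-ADGroupMember -Identity $group -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName)
$unexpected = @($effective | Where-Object { $_ -notin $Approved })

if ($unexpected) {
    Write-Warning "Members not on the approved list: $($unexpected -join ', ')"
} else {
    Write-Output "$GroupName contains only approved members: $($effective -join ', ')"
}
```

Re-running the script is safe: it skips creation when the group exists and only adds members that are missing, so it can double as a periodic membership check.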