A number of people encounter numerous technical hurdles and become frustrated with the lack of documentation available. On this blog post I will go through step-by-step on how to configure the Outlook App for an On-Premise environment, we will configure the following components:
- CRM OAuth Configuration
- Exchange Profile
- ADFS Configuration
- Pushing the Outlook App to users
- Dynamics 365 with IFD
- Dynamics 365 Update 2.2
- Minimum ADFS 3.x due to OAuth endpoint
- Minimum Exchange 2016 or 2013 with Cumulative Update 14 or greater
- Office 2016 (recommended) although Office 2013 also works fine
How the Outlook App works?
The Outlook App it's an add-in installed on a user Exchange Mailbox. Exchange add-ins have been introduced with Cumulative update 14 for Exchange 2013.
The Outlook App add-in is pushed to the user Mailbox from CRM, no Exchange Server-side configuration or installation is needed, it's all done from CRM. The service account used for Exchange Synchronization requires impersonation rights in order to successfully install the add-in on the user Mailbox.
Minimum Exchange configuration:
- Exchange Server version 15.0.1236.3.32 (Cumulative Update 14 for Exchange Server 2013)
- Exchange 2016
CRM OAuth Configuration
The Dynamics Outlook requires OAuth configuration, on the CRM server execute the following powershell commands:
$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
$ClaimsSettings.Enabled = $true
Set-CrmSetting -Setting $ClaimsSettings
CRM Exchange Setup
Please refer to my previous blog post on how to configure Exchange Server Side synchronization here: http://quantusdynamics.blogspot.co.uk/2013/11/dynamics-crm-2013-configuring-exchange.html
We need to ensure the Outlook App ID is registered with ADFS to allow OAuth authentication to succeed.
First we need to retrieve the Outlook APP ID from CRM, you can access this information on the Settings Menu > Dynamics 365 App for Outlook
you will see the following screen:
Run the following command on the ADFS server:
Add-AdfsClient -ClientId YOUR_ID -Name "Dynamics CRM Outlook Client" -RedirectUri https://my_CRM_domain/crmmailapp/code_auth.aspx
ADFS 4.x (windows server 2016)
If you are using ADFS with Windows server 2016, in addition to the above steps, you also need to grant permissions to the Outlook App, please run the following command in powershell:
Please note the domain used here, is the IFD authentication CRM URL, usually named authcrm.domain
Grant-AdfsApplicationPermission -ClientRoleIdentifier YOUR_APP_ID -ServerRoleIdentifier "https://authcrm.domain.com” -ScopeNames openid
ADFS Authentication Providers
Forms based authentication is required to be enabled on the intranet zone. Open the ADFS management wizard.
Click Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.
Click Forms Authentication on the Intranet zone.
Installing the Outlook App
As I've mentioned earlier, the Outlook App is installed on the user mailbox from CRM. There are two methods to push the Outlook App to the user mailbox:
- User manually pushes the Outlook App
- Administrator pushes the Outlook App from administration panel
On this Page if the CRM user profile is correctly set up with Exchange Server-Side Sync, you should see a blue button to add the Outlook App, as per the below screenshot.
Clicking on the Outlook App Button, starts the process on the background, the user will see the below message:
To push the Outlook App to multiple users, access the Settings menu > Dynamics 365 App for Outlook
The Eligible users section will only list users where the Exchange Server Profile was set up and the incoming and outgoing settings are set for Server-Side Exchange Synchronization, please refer to the below screenshot:
After the user Mailbox is correctly configured, you need to Test & Enable the Mailbox
Check the Dynamics 365 App for Outlook Settings Menu, the account is now visible on the Eligible Users, click Add App for Outlook, the status will change to Pending... this may take up to 2 minutes to complete, depending on your infrastructure.
When the app is successfully pushed to the user mailbox, you will see a green message: Added to Outlook
Internet Explorer Settings
The CRM domains need to be added to the Trusted Sites and Protected Mode needs to be enabled
If you come across multiple authentication pop-ups try to enable anonymous authentication:
Run inetcpl.cpl and click on OK.
- Go to Security Tab. Click on Trusted Sites lower the security level to Low
- Enable Protected Mode
- Add both the internal and external CRM domains “https://crm.domain"
- Click on custom level and scroll down to user authentication section, select anonymous logon and save changes.