Configure and Connect the Microsoft Dynamics API
Prerequisites
The following prerequisites are required:
- System Administrator access to a Microsoft Dynamics 365 instance.
- Global Administrator access to Microsoft Azure.
- Administrator access to Skyhigh CASB.
Step 1: Create Custom OAuth Application in Microsoft Azure
To create a Custom OAuth Application, refer to Custom OAuth Application for Office 365 and Azure API Integration and check the following notes before you begin.
IMPORTANT:
DO NOT connect Skyhigh CASB to Dynamics yet; the steps outlined below must be completed first. Follow Custom OAuth Application for Office 365 and Azure API Integration up to the Skyhigh CASB API Connection section, then return to this guide and complete the steps below.
- You can't enable API access for Dynamics 365 using the Office 365 Global Admin account. To enable API access for Skyhigh CASB, you need to create a Custom OAuth application within Azure application registrations as described in Custom OAuth Application for Office 365 and Azure API Integration.
- If you have already enabled Office 365 services such as OneDrive, SharePoint, Exchange, or Azure in Skyhigh CASB using the GA account, then you don't need to disable these connections. They can continue to use the access granted by the Global Admin.
- Make a note of the .pem file uploaded under Certificates and Secrets; you will use it as the Private Key in Step 5. Also make a note of the auto-populated Thumbprint ID under Certificates and Secrets; you will use it as the Thumb Print in Step 5.
Step 2: Configure Global Audit Settings
To perform the following activities, you must have the System Administrator security role, a custom security role, or equivalent permissions.
- Log in to the Microsoft Dynamics 365 account as admin or other equivalent roles.
- Go to Settings > Advanced Settings.
- On the Business Management page, select Settings from the menu.
- Under System, click Auditing.
- On the Auditing page, click Global Audit Settings.
- You are redirected to the System Settings dialog. Under the Auditing tab, configure the following:
  - Under Audit Settings, activate these checkboxes:
    - Start Auditing
    - Audit user access
    - Start Read Auditing. This option appears only when you activate Start Auditing.
  - Under Enable Auditing in the following areas, activate all the entity types to which you wish to apply DLP. To view the types listed in each entity, hover over each entity type.
NOTE: Before you click OK, the Audit Entities type shows as disabled. After you click OK, go back to Global Audit Settings and the entity type shows as enabled, as in the following screenshot.
- Click OK.
Enable Audit for Specific Entity
Global Audit Settings cover the common entities that belong to Sales, Marketing, or Customer Service. If you want to audit other entities, perform the following activities:
- Log in to the Microsoft Dynamics 365 account as admin or other equivalent roles.
- Go to System > Auditing and click Entity and Field Audit Settings.
- The Power Apps dialog opens. Under Entities, select an entity to enable audit. For example, to enable audit for Note, scroll down in the Entities panel and click Note.
NOTE: To enable files in NRT, select the Note entity and enable it for audit.
- Under the General tab > Data Services, activate the Auditing checkbox.
- Click Save.
Step 3: Create an Application User under Power Platform Admin Center
- Log in to Microsoft Office 365 and click the Power Platform admin center.
- Go to the Environments section and click your Dynamics 365 CRM/Dataverse environment.
- Click Settings.
- Select Users + permissions and click Application Users.
- On the Application users page, click New app user.
- On the Create a new app user dialog, configure these:
- App. Click +Add an app to list all the apps registered in Azure Active Directory. Search for and select the Custom OAuth application created in Step 1, then click Add.
- Business unit. Select the required Business unit from the list and click Create.
- The newly created app is now added as an Application user for your environment.
Step 4: Create Security Role for the Application User
Either of the following two security roles can be assigned to the Application User in Dynamics 365: a minimum-permissions security role, or, for non-production environments only, the Dynamics System Administrator role.
Begin with any one of the following:
- Minimum Permissions Security Role (recommended)
- System Administrator Security Role (non-production environments only)
Minimum Permission Security Role
This is the recommended approach for production environments. You need to create a new security role and manually assign the permissions to all the entities you wish to scan using the ODS (On-Demand Scan). If this is a sandbox environment, a shortcut is to use the System Administrator Security Role.
To create the minimum permissions security role and assign it to the application user:
- Go to Settings > Security.
- On the Security page, click Security Roles.
- On the Security Roles page, click New.
- By default, the Details tab is displayed. Enter a Role Name. For example, Skyhigh Security Application User.
- In each of the Core Records, Marketing, Sales, Service, Business Management, Service Management, Customization, Missing Entities, Business Process Flows, and Custom Entities tabs, assign the Organization key (Organization-level access) to every entity listed in the tab for these privileges: Read, Write, Delete, Assign, and Share.
- In the Customization tab, for Service Endpoint, click Create.
- In the Customization tab, for Sdk Message Processing Step, click Create.
- Click Save and Close.
- Go to Settings > Security > Users.
- Find the Application User created in Step 3 and click it.
- Click MANAGE ROLES.
- On the Manage User Roles dialog, find and select the Security Role created above.
- Click OK.
Minimum Entities and Privileges Requirement
If you do not want to assign all privileges to the list of entities as described in Minimum Permission Security Role, step 5, then grant the Read-only privilege for the following three entities in the Customization tab.
- Entity
- Field
- Relationship
NOTE: When the above permission and entities are selected, the DLP Policy supports only the "Incident" response action. This response action can be seen while defining the DLP Policy for On-Demand Scan.
System Administrator Security Role
TIP: Using the System Administrator role is not recommended in a production environment. Please use the Minimum Permissions Security Role for production.
To assign the System Administrator security role to the application user:
- Click MANAGE ROLES.
- Under Manage User Roles, activate the System Administrator checkbox and click OK.
Step 5: Enable Skyhigh CASB API Connection
To complete the final steps of this guide, connect Skyhigh CASB to your Dynamics instance. To enable the API for Microsoft Dynamics 365 in Skyhigh CASB:
- Log in to Skyhigh CASB with your tenant and go to Settings > Service Management.
- Click Add Service Instance, and select Microsoft Dynamics 365.
- Enter a name for the instance and click Done.
- Select the Microsoft Dynamics 365 instance you created.
- Go to the Setup tab and under API, click Enable.
- On the Enable API page, click Provide API Credentials.
- Extract the data from the Manifest file, found in the Azure portal under the Custom OAuth app created in Step 1, and enter the following details:
  - Client ID is the appId from the Manifest. It looks like a UUID, for example, 543bd03b-cd6e-417d-b31b-871ba0ef44f1
  - Private Key is the .pem file containing the private key that you created earlier (office365OfflineDlpKey.pem).
  - Thumb Print is the customKeyIdentifier under keyCredentials in the Manifest (the Manifest screen is shown above). It looks like a short base64-encoded string, for example, 4BDBCCC84D81B29D1E6A6E0976A120275B393A7C
  - Resource URL is the URL of the instance. Use your Dynamics custom domain, for example: https://<yourdomain>.crm.dynamics.com.
  - Admin Email. To find your Admin Email:
    - Go to Dynamics 365 > Security.
    - Click Users and find the Application User created in Step 3. This displays the Application User's information.
    - Under User Information, make a note of the Primary Email ID. This is your Admin Email; enter it here.
- Click Submit.
- Once the API is enabled, a success message is displayed. Click Done.
- You are redirected to the Overview tab. Now, you can see the enabled API Details.
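The Step 5 values come from different places in different forms: the Manifest stores the certificate thumbprint as customKeyIdentifier (base64 of the same 20 bytes), while the Thumbprint column in the portal and the Skyhigh form use hex. The following added example is not from the Skyhigh guide or the product; it reads a constructed manifest, derives the Client ID and the hex Thumb Print, checks the Resource URL shape, and refuses a certificate credential that has already expired. The manifest field names (appId, keyCredentials, customKeyIdentifier, type, endDate) are Azure app-manifest fields; the timestamp format and the regional crmN host forms are assumptions.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Constructed sample manifest for this example (not a real tenant's manifest).
# appId and thumbprint are the example values from the guide; in the manifest the
# thumbprint appears as customKeyIdentifier, the base64 form of the same 20 bytes.
SAMPLE_MANIFEST = json.dumps({
    "appId": "543bd03b-cd6e-417d-b31b-871ba0ef44f1",
    "keyCredentials": [{
        "customKeyIdentifier": "S9vMyE2Bsp0eam4JdqEgJ1s5Onw=",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "endDate": "2099-01-01T00:00:00Z",
    }],
})

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# The guide shows https://<yourdomain>.crm.dynamics.com; allowing regional hosts
# (crm4, crm11, ...) is an assumption of this example.
RESOURCE_URL_RE = re.compile(r"^https://[a-z0-9-]+\.crm[0-9]*\.dynamics\.com$")

def _parse_time(value):
    """Parse the manifest timestamp (assumed ISO-8601 with 'Z' or '+hh:mm')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def api_credentials_from_manifest(manifest_text, resource_url, now=None):
    """Return Client ID, Thumb Print and Resource URL for the Skyhigh form, or raise."""
    manifest = json.loads(manifest_text)
    client_id = manifest.get("appId", "")
    if not UUID_RE.match(client_id):
        raise ValueError("appId is not a UUID: %r" % client_id)
    certs = [k for k in manifest.get("keyCredentials", [])
             if k.get("type") == "AsymmetricX509Cert"]
    if len(certs) != 1:  # one certificate credential keeps the Thumb Print unambiguous
        raise ValueError("expected exactly one certificate credential, found %d" % len(certs))
    cert = certs[0]
    raw = base64.b64decode(cert["customKeyIdentifier"])
    if len(raw) != 20:  # a SHA-1 thumbprint is 20 bytes
        raise ValueError("customKeyIdentifier is not a SHA-1 thumbprint")
    thumbprint = raw.hex().upper()  # hex form shown under Certificates and Secrets
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    if _parse_time(cert["endDate"]) <= current:
        raise ValueError("certificate credential expired on %s" % cert["endDate"])
    if not RESOURCE_URL_RE.match(resource_url):
        raise ValueError("Resource URL must look like https://<yourdomain>.crm.dynamics.com")
    return {"client_id": client_id, "thumbprint": thumbprint, "resource_url": resource_url}
```

Run the check against the Manifest exported from the portal before filling in the Enable API page, so that a mismatched or expired certificate is caught before the connection attempt fails.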