Power Platform Governance and Administration

Fail scenario:

Customer is using AAD as IDP and authenticate user accessing to Dynamics CRM on-premises.

When Edge profile signed in, CRM will use below wauth parameter "urn:federation:authentication:windows" to login with ADFS. It will generate a device token, which will override the original wauth paremeters, replace it with "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", then you will get a ADFS error: "“Error details: Exception of type 'Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine. InvalidAuthenticationTypePolicyException"

Authentication flow on Edge:

1. The user connects to the app, redirects to ADFS, and selects AAD authentication.
2. During AAD authentication, the user directly completes the first-stage verification through PRT (Primary Refresh Token) and enabling the immediate initiation of Multi-Factor Authentication (MFA).
3. After the completion of MFA, the token is sent back to ADFS. However, since there was no validation through Windows Integrated Authentication (WIA) during this process, it does not align with the app's requirements.

Successful scenario:

In InPrivate mode, Edge and Chrome (without installed extensions) will not use PRT, so you won't encounter this issue.

Authentication flow on In-Private Edge:

1.         The user connects to the app, redirects to ADFS, and selects AAD authentication.

2.         During AAD authentication, the user enters their account information. After entering the account, due to being in a Federated domain, they are redirected back to ADFS for validation.

3.         Upon returning to ADFS, since the User Agent supports WIA (Windows Integrated Authentication), the Windows Integrated Authentication process is completed.

4.         After the completion of MFA, the token is sent back to ADFS. Because the ADFS authentication process utilizes WIA, it aligns with the app's requirements, resulting in a successful authentication.

Root cause:

Edge utilizes PRT for authentication by default because device is registered on AAD it will use a device token which will override the crm's wauth parameters.

Expectation:

Edge browser as Microsoft supported browser should work with CRM application in this scenario when device is registered on AAD for example make PRT consistently include the WIA by default.

Hi,

Query throttling can be very costly for customers and they may potentially lose revenue because of the system is purposely slowed down.

I would like to propose features related to query throttling:

1. Provide self-sevice dashboard or chart for customers/partners to monitor the DB performance for the past 30 days. This will help the customer/partner to take action in advance before the query throttling is activated.
2. Provide advance notification to customer/partner that a query may potentially slowed down by the activation of query throttling so that customer/partner can take preventive action.

The above two features can prevent potential lost of revenue for customers due to the activation of query throttling.

BR,

Fredy

When using "group teams" for ADD groups, users that enter the team (via their AAD membership) are assigned to the root BU. It would be very handy to link the users to the BU where the group team belongs to,

Eventuelly you could add a check box to enable/disable this behaviour if necessary. Then by default the user will still be assigned to the root BU but there is the ability to change this behaviour if needed.

For any questions please drop me an email on:

ralph.ummels@apg-am.nl

If we require to change the interval at which the Synapse Link syncs data to the data lake, we must destroy the the Synapse link and recreate it from scratch.

We then must take steps to reconfigure any dependent systems. For example if we have setup a 'Copy Dataverse To SQL' ADF pipeline, we must configure the event trigger, and ensure syncs to the Azure SQL DB continue working.

Idea: Pin activities to the timeline on a case/customer card, so that the activity is at the top of the timeline. In other words, highlight certain activites in the timeline, so that these are visible first.

Value received: communication with customers will become easier, and thus solving customer cases more efficient, since the customer service rep. will have important information more easily accessible to provide a more seamless customer journey.

I had a recent experience where a newly set up user merged with an old exited user - MS advised that this was because it had the same primary email address as the previous user; the 'fix' is to create a new user with different upn and email address; I have also noted whilst looking at this issue that CRM seems very random about updating feilds (still had old position description, which couldn't be updated because it was synced with AAD - except it is stale information, and does not update on refresh of user, sometimes change of email address will sync, sometimes not. Some way of unlinking synced users, or at least having reliable sync of attributes would be good.

It would be great if we could have an filter option to set if a organizational email template is displayed in the dialogue of insert email template while creating a new email or not.

For example I have a organizational template for the installed user language package English but I do not have an installed language package Arabic and I want to send out a current status update which is maybe not configured for all status changes.

Based on the primary contact whose preferred languages is arabic I may want to filter the templates by the preferred language and not by the language of the user. Maybe I am able to speak a language which is not installed and I want to use the email language, because for example I am a bilingual speaking person.

In addition to that I want to choose in the Email Template the User Language as well as the Customer Language and have the possibility to mark these email templates as automatic email templates which means that this template will not be shown per default in the insert email dialogue.

It would then be great if the User can filter by himself within the dialogue to Users language (same Option Set as current), customers language (Should be customizable e.g. if Language is on the Contact a Option Set or a Lookup) and show automatic email templates yes/no.

To make a long story short: Additional customizable Filter Criterias on the Dialog "Insert Email Template" would improve the user experience significantly.

Hi,

Currently, we are having the option of blocking adhoc subscription for the whole tenant with the PowerShell command:

Set-MsolCompanySettings -AllowAdHocSubscriptions $false

However, this setting affects the whole tenant. We should have another setting that allows users to block subscriptions only for specific users/groups.

In Azure Synapse Link for Dataverse, Tables of Dataverse are being synchronized to CSV files. We face issues when the data model of a Table changes.

Indeed, when a new column is added in a Table, only the new or updated records have the new column in the CSV file. Existing records do not have the new column in the CSV file.

Then, all lines in the CSV file don't have the same number of columns, which is not standard and makes the CSV file not readable by many tools and languages. The only solution to fix the CSV file is to remove the concerned Table from the synchronisation, and add it again.

This is also a bigger issue because Microsoft can deploy new fields on a Table at any time, and can do it in Production-type environments before Sandbox-type environments.

Then, we face unpredictable issues in the CSV files in Azure Synapse Link, that we can solve only after they happened, even in Production.

The idea is the following: when a new column in added in a Table synchronized in Azure Synapse Link: all records in the CSV file should be updated to use the new column, in order to have a standard CSV file accepted by all tools and languages.