-
Registering a WebHook authentication option can allow Azure AD
With the Power Platform and registering webhooks with the plugin registration tool, we are not given many options for authentication. We are currently using the "Webhook Key" authentication option as per the plugin registration tool. It does not satisfy the policy when turning on Authentication on the Function App.
These Function Apps need to be compliant with CIS Microsoft Azure Foundations Benchmark 1.4.0. Part of that, for function apps, is to satisfy the policy as defined in this link https://learn.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-4-0#9-appservice, and this policy https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc75248c1-ea1d-4a9c-8fc9-29a6aabd5da8
-
Compatibility of PRT when using Edge to access the CRM application where the auth method must be WIA.
Fail scenario:
Customer is using AAD as IDP and authenticates users accessing Dynamics CRM on-premises.
When the Edge profile is signed in, CRM will use the wauth parameter "urn:federation:authentication:windows" to log in with ADFS. It will generate a device token, which will override the original wauth parameter and replace it with "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"; then you will get an ADFS error: "Error details: Exception of type 'Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException'"
Authentication flow on Edge:
- The user connects to the app, redirects to ADFS, and selects AAD authentication.
- During AAD authentication, the user directly completes the first-stage verification through PRT (Primary Refresh Token), enabling the immediate initiation of Multi-Factor Authentication (MFA).
- After the completion of MFA, the token is sent back to ADFS. However, since there was no validation through Windows Integrated Authentication (WIA) during this process, it does not align with the app's requirements.
Successful scenario:
In InPrivate mode, Edge and Chrome (without installed extensions) will not use PRT, so you won't encounter this issue.
Authentication flow on In-Private Edge:
1. The user connects to the app, redirects to ADFS, and selects AAD authentication.
2. During AAD authentication, the user enters their account information. After entering the account, due to being in a Federated domain, they are redirected back to ADFS for validation.
3. Upon returning to ADFS, since the User Agent supports WIA (Windows Integrated Authentication), the Windows Integrated Authentication process is completed.
4. After the completion of MFA, the token is sent back to ADFS. Because the ADFS authentication process utilizes WIA, it aligns with the app's requirements, resulting in a successful authentication.
Root cause:
Edge utilizes PRT for authentication by default; because the device is registered in AAD, it will use a device token which overrides CRM's wauth parameter.
Expectation:
The Edge browser, as a Microsoft-supported browser, should work with the CRM application in this scenario when the device is registered in AAD; for example, make PRT consistently include WIA by default.
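As an added example (not part of the original post or of any Microsoft tooling), the following script reads request URLs copied from a browser network trace and reports where the wauth value that CRM asked for was replaced before the request reached ADFS, which is the symptom described above. The two sample URLs are constructed; the wauth values are the ones quoted in the post, and the host names are placeholders.

```python
"""Flag ADFS sign-in requests whose wauth value no longer asks for WIA.

The trace format is assumed: a list of request URLs in the order the
browser issued them (e.g. the URL column of a network trace).
"""
from urllib.parse import urlparse, parse_qs

# wauth values quoted in the post
WAUTH_WIA = "urn:federation:authentication:windows"
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample trace: first the redirect CRM issues, then the request
# that reaches ADFS after the signed-in Edge profile supplied a device token.
SAMPLE_TRACE = [
    "https://adfs.contoso.example/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Fcrm.contoso.example%2F"
    "&wauth=urn%3Afederation%3Aauthentication%3Awindows"
    "&wctx=rm%3D0%26id%3Dabc",
    "https://adfs.contoso.example/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Fcrm.contoso.example%2F"
    "&wauth=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APassword"
    "&wctx=rm%3D0%26id%3Dabc",
]


def wauth_of(url: str):
    """Return the wauth query parameter of an ADFS request URL, or None."""
    values = parse_qs(urlparse(url).query).get("wauth")
    return values[0] if values else None


def classify(url: str) -> str:
    """Map a request URL to 'wia', 'password', 'other' or 'missing'."""
    value = wauth_of(url)
    if value is None:
        return "missing"
    if value == WAUTH_WIA:
        return "wia"
    if value == WAUTH_PASSWORD:
        return "password"
    return "other"


def find_overrides(trace):
    """Return (index, original, replacement) for every request that carries
    the same realm and wctx as an earlier WIA request but a different wauth.
    That is the override the post attributes to the device token."""
    findings = []
    last_wia = {}  # (wtrealm, wctx) -> wauth of the last WIA request seen
    for i, url in enumerate(trace):
        params = parse_qs(urlparse(url).query)
        key = (params.get("wtrealm", [""])[0], params.get("wctx", [""])[0])
        value = wauth_of(url)
        if value == WAUTH_WIA:
            last_wia[key] = value
        elif key in last_wia and value != last_wia[key]:
            findings.append((i, last_wia[key], value))
    return findings


if __name__ == "__main__":
    for i, url in enumerate(SAMPLE_TRACE):
        print(i, classify(url))
    for index, before, after in find_overrides(SAMPLE_TRACE):
        print(f"request {index}: wauth changed from {before!r} to {after!r}")
```

Running it against a trace captured from a signed-in Edge profile should show the second request classified as password with one override reported, while a trace from an InPrivate window (the successful scenario above) should report none.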
-
Need a reset option on CE environment while integrated with FnO environment.
As we know, the Power Platform connection/link isn't reversible once the integration between the two systems is done. Disconnecting them would result in data loss, as we only have the option to delete both instances.
Given the scenario that we are not able to refresh the data in CE only and not on the FnO side, there is no reset option in PPAC as mentioned. The workaround is having another available CE environment which we can use to perform a restore and get the desired result for the target CE environment.
-
Power Apps Grid Control does not have a drag-and-drop row/line feature
Power Apps grid control should support adjusting line sequence by drag and drop to enhance user experience.
Referring to this: https://pcf.gallery/flexible-ordering-grid/
-
View retained data of Activities using edit filters from a model-driven app
Issue:
- Cannot retrieve retained data of Activity such as email, message, note while using edit filter in the Activity view due to the nature of the Activity table. The query normally uses the link-entity element to retrieve corresponding data in another table.
- Error message: The link-entity query is not supported.
- Current limitation: Queries are allowed on one table at a time. Joins and aggregation functions aren't allowed.
- Ask: The option to view retained data there should be hidden to avoid confusion for regular users. Or the current warning message should be more meaningful to the user.
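As an added example (not part of the original post or of any Microsoft tooling), the following script pre-checks a FetchXML query against the two limitations stated above for retained data: one table at a time, and no joins (link-entity) or aggregation. It lets an administrator see why a given view's filter will fail before it is run. The three FetchXML samples are constructed; the first is the shape of the Activity-view query described in the post.

```python
"""Pre-check FetchXML against the retained-data query limitations."""
import xml.etree.ElementTree as ET

# Constructed: the kind of query an Activity view's edit filter produces,
# joining the regarding contact through link-entity.
FETCH_WITH_LINK = """
<fetch>
  <entity name="email">
    <attribute name="subject" />
    <attribute name="createdon" />
    <link-entity name="contact" from="contactid" to="regardingobjectid" alias="c">
      <attribute name="fullname" />
    </link-entity>
  </entity>
</fetch>
"""

# Constructed: an aggregate over the same table.
FETCH_WITH_AGGREGATE = """
<fetch aggregate="true">
  <entity name="email">
    <attribute name="activityid" aggregate="count" alias="n" />
  </entity>
</fetch>
"""

# Constructed: a single-table query with a plain filter, within the limits.
FETCH_SINGLE_TABLE = """
<fetch>
  <entity name="email">
    <attribute name="subject" />
    <filter>
      <condition attribute="createdon" operator="last-x-years" value="3" />
    </filter>
  </entity>
</fetch>
"""


def check_retained_query(fetchxml: str):
    """Return a list of violations; an empty list means the query touches a
    single table with no link-entity and no aggregation."""
    root = ET.fromstring(fetchxml.strip())
    problems = []

    # One table at a time: exactly one <entity> directly under <fetch>.
    entities = root.findall("entity")
    if len(entities) != 1:
        problems.append(f"expected exactly one <entity>, found {len(entities)}")

    # Joins: any <link-entity> anywhere in the query.
    links = root.findall(".//link-entity")
    if links:
        names = ", ".join(link.get("name", "?") for link in links)
        problems.append(f"link-entity is not supported (joins to: {names})")

    # Aggregation: the fetch-level flag or an aggregate function on an attribute.
    if root.get("aggregate", "false").lower() == "true":
        problems.append("aggregate queries are not supported")
    for attr in root.findall(".//attribute"):
        if attr.get("aggregate"):
            problems.append(
                f"aggregate function '{attr.get('aggregate')}' on attribute "
                f"{attr.get('name')} is not supported"
            )
    return problems


if __name__ == "__main__":
    for label, query in [("link", FETCH_WITH_LINK),
                         ("aggregate", FETCH_WITH_AGGREGATE),
                         ("single-table", FETCH_SINGLE_TABLE)]:
        print(label, check_retained_query(query) or "ok")
```

The messages returned are more specific than the single "The link-entity query is not supported" error the post quotes, which is the kind of wording the ask above is about.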