This video by Dileep Singh https://youtu.be/4r3sl8oQkHg has some useful information on portal authentication.
Portal Authentication Models
The portal authentication model will fall into one of the following categories:
- Fully authenticated - no public pages, everything is behind a sign-in
- Fully anonymous - no private pages
- Mixed - most common, some public pages, some private pages, and even mixed content on a single page
Portal Authentication Methods
There are a number of ways to authenticate portal users. They all rely on a Dynamics 365 contact record; the authentication provider details are held on External Identity records linked to that contact record.
- Local username and password - stored on the contact record. Not recommended for new work.
- Azure Active Directory - use for internal staff for single sign-on with their Office 365 account; a contact record is used for each staff member to store the authentication information.
- Azure AD B2C - a directory store to use for members of the public that you manage.
- Social Providers - you can configure Portals to accept Facebook, LinkedIn and Twitter accounts.
- OpenID Providers - any provider that conforms to the OpenID specifications.
Azure Active Directory
According to Dileep's video, Azure Active Directory can be used for internal sign-in. There is a one-off registration process which creates a Dynamics 365 contact record and links the staff member's Office 365 ID (which is an Azure AD account) to that record.
You can create contact records before staff try to register, or you might already have contact records for your staff. To stop registration from creating new (duplicate) contact records, there are two methods:
- Create a portal site setting record, Authentication/OpenIdConnect/AzureAD/AllowContactMappingWithEmail and set the value to true. This allows a staff member to register on the portal using Azure AD and be connected to an existing contact record.
- Pre-create External Identity records linked to the contact. You need to provide two values on the record:
  - The Azure AD GUID for the staff member; you can get this from Azure AD.
  - The identity provider URL for Azure AD, which you can also get from Azure AD. The format of the URL is https://sts.windows.net/GUID, where GUID is the Directory ID found under the Properties settings for Azure Active Directory.
You also need to add the staff member's Azure AD GUID to the Username field on the contact record.
I haven't got the first method to work, but I have got the second method to work.
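As an added example (not from the video or the post), the second method above scripted for a batch of staff: it builds the Dataverse Web API requests that update each contact's Username field and create the linked External Identity record, rejecting malformed GUIDs and duplicate Azure AD IDs before anything is written. The entity and field logical names used (adx_externalidentities, adx_identityprovidername, adx_username, adx_contactid, adx_identity_username) and the sample GUIDs are assumptions; check them against your own environment's metadata and an existing External Identity record.

```python
"""Pre-create portal External Identity records for Azure AD staff sign-in.

Builds request payloads only (no HTTP calls) so it can be reviewed and dry-run.
Entity/field names below are ASSUMED; confirm against your Dataverse metadata.
"""
import uuid

# Identity provider URL format given in the post: https://sts.windows.net/GUID
ISSUER_FMT = "https://sts.windows.net/{tenant_id}"


def normalize_guid(value: str) -> str:
    """Return the canonical lower-case GUID, or raise ValueError.

    A GUID mistyped or mis-pasted from the Azure portal would otherwise produce an
    External Identity that never matches the signed-in user, so fail fast here.
    """
    return str(uuid.UUID(str(value).strip().strip("{}")))


def azure_ad_issuer(tenant_id: str) -> str:
    """Identity provider URL for the tenant (tenant_id is the Directory ID)."""
    return ISSUER_FMT.format(tenant_id=normalize_guid(tenant_id))


def external_identity_payloads(tenant_id: str, staff: list[dict]) -> list[dict]:
    """For each {"contact_id": ..., "object_id": ...} produce two Web API requests:
    PATCH the contact's Username field and POST the linked External Identity.
    Raises ValueError if the same Azure AD GUID is mapped to more than one contact,
    since that would let one account sign in as two different contacts.
    """
    issuer = azure_ad_issuer(tenant_id)
    seen: set[str] = set()
    requests = []
    for person in staff:
        contact_id = normalize_guid(person["contact_id"])
        object_id = normalize_guid(person["object_id"])
        if object_id in seen:
            raise ValueError(f"Azure AD GUID {object_id} mapped to more than one contact")
        seen.add(object_id)
        # Username field on the contact record (assumed logical name)
        requests.append({"method": "PATCH", "url": f"contacts({contact_id})",
                         "body": {"adx_identity_username": object_id}})
        # External Identity record linked to the contact (assumed logical names)
        requests.append({"method": "POST", "url": "adx_externalidentities",
                         "body": {"adx_identityprovidername": issuer,
                                  "adx_username": object_id,
                                  "adx_contactid@odata.bind": f"/contacts({contact_id})"}})
    return requests
```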