Restricting Access for Integrations to Microsoft Dynamics CRM Online Using the Non-Interactive Access Level

Colin Maitland, 08 July 2013

When integrating Microsoft Dynamics CRM Online with other systems, such as another Microsoft Dynamics CRM Organisation, an Enterprise Resource Planning (ERP) system, or any other system it is common to use either an in-house, partner, third-party, or Microsoft provided solution such as the Connector for Microsoft Dynamics.

It is best practice for certain integrations to use a dedicated User with the minimum access and the minimum privileges required to perform the tasks requested by such an integration. This may or may not include the ability to logon interactively or the ability to create, read, update, append/append to, assign, share, activate/deactivate and/or delete records or perform other actions. 

In this blog I will discuss the use of the Non-Interactive Access Mode for Microsoft Dynamics CRM Online to limit the ability for designated Users to Sign in to Microsoft Dynamics CRM Online interactively. 

Any User in Microsoft Dynamics CRM Online may be configured as a Non-Interactive User. 

Non-Interactive Users can only access Microsoft Dynamics CRM Online using the Web Services. The Web Services are available to applications written using the Software Development Kit (SDK) for Microsoft Dynamics CRM Online. Two examples include the Connector for Microsoft Dynamics and the Plugin Registration Tool. Other examples include Console, Windows Form, Windows Service and Mobile Client applications written by Microsoft Dynamics CRM partners and developers to perform specific integration tasks. 

Non-Interactive Users are not able to access Microsoft Dynamics CRM Online using either the Microsoft Dynamics CRM Web Client or the Microsoft Dynamics CRM for Outlook Client. They can however access Microsoft Dynamics CRM using third-party provided clients such as some of the Mobile Clients for Microsoft Dynamics CRM that are on the market. 

Microsoft Dynamics CRM Non-Interactive Users do not use a Microsoft Dynamics CRM User Licence. Microsoft Dynamics CRM Online does not permit you to have more than five Non-Interactive users per Organisation. If you attempt to exceed this limit the following error message will be displayed:

 

There are several methods by which a User can be configured as a Non-Interactive User. One of these methods is to simply use the Access Mode field on the User Information form in Microsoft Dynamics CRM Online to change the Access Mode for any selected user to “Non-interactive”.

 

The Non-Interactive Access Mode does not exist for Microsoft Dynamics CRM On-Premise deployments.

  

If you attempt to logon to Microsoft Dynamics CRM Online interactively as a Non-Interactive User, using the Microsoft Dynamics CRM Web Client the following error message is displayed:

  

If you attempt to Configure an Organisation using the Configuration Wizard as a Non-Interactive User to connect the Microsoft Dynamics CRM for Outlook Client to Microsoft Dynamics CRM Online the following error message is displayed:

 

If you are already connected to a Microsoft Dynamics CRM Online Organisation using the Microsoft Dynamics CRM for Outlook Client and the User is then subsequently changed to a Non-Interactive User you may then be able to view the Navigation Tree but attempting to access any items, such as Dashboards, will cause a Sign In page to be displayed.



 

Attempting to then Sign in as a Non-Interactive User results in the following error message being displayed:

 

The same message is also displayed if you attempt to logon to the Microsoft Online Portal, https://portal.microsoftonline.com, as a Non-Interactive User. 

However, if you attempt to connect to Microsoft Dynamics CRM using a custom integration tool or a third-party integration tool, such as the Connector for Microsoft Dynamics or the Plugin Registration Tool, as a Non-Interactive User you will be able to connect successfully. 

The following screenshots show a successful connection test using the Connector for Microsoft Dynamics:

 

The following screenshot shows a successful connection using the Plugin Registration Tool:

 

As previously mentioned, you will also be able to use other third-party tools, applications or clients such as some of the Mobile Clients for Microsoft Dynamics CRM that are on the market. 

In conclusion, the following is best practice for certain integrations: 

• Use a dedicated User Account for the connection to Microsoft Dynamics CRM. 

• For Microsoft Dynamics CRM Online set the dedicated User Account Access mode to Non-Interactive. 

Note: The Non-Interactive Access Level does not prevent access to Microsoft Dynamics CRM using any application or client that uses the Microsoft Dynamics CRM Web Services for connecting to and interacting with Microsoft Dynamics CRM Online.  

In my next blog I will discuss restricting access further using Security Roles.