Tip #1068: How to Grant Access to Organization Insights

Back in my first TOTD post, I sang the benefits of Organization Insights. It is truly the administrator’s best friend. But what if a non-administrator wants in on the action? It turns out that, by default, the only two Security Roles that can see the Organization Insights dashboard are the System Administrator and System Customizer roles. For others to see the dashboard, we must either give them one of these two roles (probably unwise) or tweak the role they have.

In this case the role tweak resides in a custom entity called ‘OrgInsights User Dashboard Definition’ which is in the ‘Custom Entities’ of the Security Role you want to adjust. Also remember that, depending on the graphic being shown, the Security Role may also need additional privileges to access the underlying data.

Tip #1067: When two groups say “We want to hide our stuff but see everyone else’s”

Generally my policy is unless there is a REALLY good reason, all data in CRM should be shared. However, on rare occasion, there is a REALLY good reason.

When you have one special group who want to hide their, say, Activities from everyone else, a well-placed Business Unit will do the job (either have one Business Unit above the other, or assign two different roles to the Users who are separated by two Business Units). However, when you have two special groups who want to hide their records but see the generally available records, things get trickier. A hierarchy of Business Units will not work because you can only have one parent Business Unit, not two. Also, Security Roles do not quite get us there because the Users can either see all records in the system or only theirs.

One option is to use a Team. The great thing about Teams is they belong to a Business Unit but Users from anywhere can be added and suddenly gain the benefits as if they were in the Team’s Business Unit. So, in our example, we could use three Business Units, all children of the primary Business Unit of the system; two for the special groups and one for the general population. We have one base Security Role for all Users which allows access to the Activities (or whatever entity is being restricted) in their Business Unit only. We then have a Team on the general population Business Unit with a role with the same privileges as the User role (but not the same role as per Tip 677).

As long as the special group Users get added to the Team on creation (either via an automated process or as part of the process for adding new users), they get to see their own records and the general population’s, but no one else’s.

Tip #1066: Discover Azure AD tenant ID with Occam’s razor

As developers, from time to time we are puzzled by simple questions:

How to discover Azure AD tenant ID based on Dynamics 365 organization URL?

Under the normal circumstances I would have put my condescending hat on (did I forget to take it off, again?) and say something like “Use AuthenticationParameters.CreateFromResourceUrlAsync method from ADAL, of course”. Except that in this instance the question was from the PHP developer working on a new version of php-crm-toolkit.

After asking some people, poking around with the irreplaceable Postman, toying with the discovery API, etc., I’ve decided to adopt the Occam’s razor approach.

Send this to the server:
GET /api/data/v9.0/ HTTP/1.1
Host: foobar.crm.dynamics.com

Get a 401 reply with this header:
WWW-Authenticate: Bearer authorization_uri=https://login.windows.net/ede123e5-dead-beef-dead-7ee8d5807f08/oauth2/authorize, resource_id=https://foobar.crm.dynamics.com/

The header contains all that you need to perform the authentication dance. Incidentally, according to David “Xrm.Tools” Yack, this approach is exactly how AuthenticationParameters.CreateFromResourceUrlAsync does the discovery under the hood.
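The discovery step above, as an added Python example (not code from the original post, ADAL or php-crm-toolkit): it parses the 401 challenge and only accepts it when the authority host is on an allow-list and `resource_id` matches the host that was queried. The function name, the allow-list and the constructed sample are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the Azure AD authority hosts this client is willing to trust.
TRUSTED_AUTHORITIES = {"login.windows.net", "login.microsoftonline.com"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')  # key=value or key="value"


def parse_bearer_challenge(header_value, queried_host):
    """Return tenant id, authority and resource from a WWW-Authenticate value."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {k.lower(): v.strip('"') for k, v in PARAM_RE.findall(rest)}

    auth = urlparse(params.get("authorization_uri", ""))
    # The 401 arrives before authentication, so treat it as untrusted input:
    # never send credentials to an authority the server merely named.
    if auth.scheme != "https" or auth.hostname not in TRUSTED_AUTHORITIES:
        raise ValueError(f"untrusted authorization_uri host: {auth.hostname!r}")
    tenant = auth.path.strip("/").split("/")[0]
    if not GUID_RE.match(tenant):
        raise ValueError("authorization_uri does not carry a tenant GUID")

    resource = urlparse(params.get("resource_id", ""))
    if resource.scheme != "https" or resource.hostname != queried_host.lower():
        raise ValueError("resource_id does not match the host that was queried")

    return {
        "tenant_id": tenant.lower(),
        "authority": f"https://{auth.hostname}/{tenant.lower()}",
        "resource": params["resource_id"],
    }


# Constructed sample: the header value shown in the tip.
SAMPLE = ("Bearer authorization_uri=https://login.windows.net/"
          "ede123e5-dead-beef-dead-7ee8d5807f08/oauth2/authorize, "
          "resource_id=https://foobar.crm.dynamics.com/")

if __name__ == "__main__":
    print(parse_bearer_challenge(SAMPLE, "foobar.crm.dynamics.com"))
```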

Tip #1065: How to get clean Customer Service trial

When Neil “Agile” Benson installed a new Customer Service trial, he got more than he bargained for: Trial Site Map Customization, FreeTrialBaseSolution2, Trial for Field Service, Trial of Microsoft Dynamics 365 for Project Service Automation, etc. And he didn’t select or want Field Service or Project Service Automation apps added either.

Why does the trial sign-up page (https://trials.dynamics.com/Dynamics365/Signup/service) ask what you want to install and then ignore your request?

One might think that selecting None of the Above when asked during the trial provisioning would solve the problem and it does, but you don’t get access to Customer Service Hub or Sales Hub.

The steps to get a clean Customer Service trial that also includes the new Unified Interface experience of the hubs:

  1. Start the trial. Unless you are a Global Administrator, use the admin trial sign-up and not your work email sign-up
  2. Select None of the Above when asked what experience you would like
  3. Go to Dynamics 365 Administration Center, select instance, click Solutions
  4. Install required hub solutions

For differences between sign ups, managed vs unmanaged tenant, and how to become tenant admin, read Email Trial FAQs.

(Cover photo by Rick Mason on Unsplash)

Tip #1064: Another use for leads

Back in “Should you use the lead entity?”, Joel Lindstrom provided an excellent summary of when using Leads is a good idea and what their limitations are. I am not a huge fan of Leads for the excellent reasons he stated in that Tip. The last straw for me was in Dynamics CRM 2013 when they ‘improved’ the Lead conversion process and forced you to create an Opportunity. However, as Joel states, there are times when using a Lead makes sense, it is just not very often.

Thanks to The CRM Viking, Marius Agur Pedersen, I am now aware of at least one more reason to embrace Leads. This reason is the LinkedIn Sales Navigator.

The Sales Navigator is a powerful tool to the point that Microsoft use it in their promotional videos to sell Dynamics 365. Amongst other things, it allows you to search your extended LinkedIn network, using all manner of criteria, to find potential customers. There is integration with Dynamics 365 and this is where Leads come in. The integration between the products uses Accounts, Contacts, and Leads but NOT Opportunities.

If you are building a new Dynamics 365 system which will work with Sales Navigator or adding Sales Navigator to your existing sales processes, you will likely need to embrace Leads as part of your sales qualification process in Dynamics 365.

Tip #1063: Do not touch currency system views

This tip comes from Guillaume Domont. (And you can get your name into the Dynamics 365 History Book™ too by sending your tip to jar@crmtipoftheday.com.)

Guest Microphone

I found a quite interesting bug in my last project.

As the CRM/Dynamics 365 is used worldwide, we had to handle the currency changes. The standard currency lookup view looks like this:

OOTB Currency Lookup View

The project architect in his clever thoughts designed this view to be more performant, i.e. remove every column and just leave the currency name:

Customized Currency Lookup View

We modified the currency lookup view and handed it over to the testers. After a few months, the testers came back to us and said: “Did you notice that the currency symbol is not updated?” (when you select a different currency – t.j)

Change currency breaks the symbol

So after a few weeks of the Premier Field Engineering support looking for the problem without any luck, I discovered that the OOTB currency lookup view has the currency symbol in it and that somehow Dynamics 365 is doing some magic tricks to collect that symbol and set the collected symbol in front of every money field on the form.

Lessons learned: never modify the currency lookup view 🙂

Tîpp Jäår

I lied virtualized the reality: Dynamics 365 History Book™ does not (yet?) exist. But you can check the work in progress and leave your comments on a very much real Dynamics 365 Book!

Tip #1062: When recompile is not enough

As mentioned in Tip 1058, the simplest way to deal with TLS 1.2 in your code is to recompile it with .NET 4.6.2+.

As David “Xrm.Tools” Yack discovered, that may not work for some existing projects. The issue is that, when the framework version is changed in Visual Studio, there is a secondary setting in web.config that can override it!

<compilation debug="true" targetFramework="4.7" />
<httpRuntime targetFramework="4.5.2" />

The httpRuntime target framework stays the same when you change the project settings – it has to be manually updated. If you don’t, then the project will really be running as 4.5.2 while deployed as 4.7. If your project tries to connect to Dynamics 365 version 9 (where TLS 1.2 is enforced), you will receive seemingly unrelated errors, and/or unexpected results from some function calls.

It’s the small things that bite you hard! – David Yack (c) 2018
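A check for this mismatch that can run over a web.config before deployment, as an added Python example (not code from the original tip): it compares the two `targetFramework` attributes and flags an `httpRuntime` value below the 4.6.2 mentioned above. The function name and the sample files wrapping the two quoted lines are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MIN_FRAMEWORK = (4, 6, 2)  # from the tip: recompile with 4.6.2+ for TLS 1.2


def _ver(text):
    """'4.7' -> (4, 7, 0) so that versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_web_config(xml_text):
    """Return findings about the targetFramework settings in a web.config."""
    findings = []
    for system_web in ET.fromstring(xml_text).iter("system.web"):
        compilation = system_web.find("compilation")
        runtime = system_web.find("httpRuntime")
        comp_tf = None if compilation is None else compilation.get("targetFramework")
        run_tf = None if runtime is None else runtime.get("targetFramework")
        if run_tf is None:
            # Nothing to compare against; report it instead of guessing.
            findings.append("httpRuntime has no targetFramework attribute")
            continue
        if comp_tf is not None and _ver(comp_tf) != _ver(run_tf):
            findings.append(f"mismatch: compilation={comp_tf}, httpRuntime={run_tf}")
        if _ver(run_tf) < MIN_FRAMEWORK:
            findings.append(f"httpRuntime targetFramework {run_tf} is below 4.6.2")
    return findings


# Constructed sample files wrapping the two lines shown in the tip.
STALE = """<configuration><system.web>
  <compilation debug="true" targetFramework="4.7" />
  <httpRuntime targetFramework="4.5.2" />
</system.web></configuration>"""
FIXED = STALE.replace('targetFramework="4.5.2"', 'targetFramework="4.7"')

if __name__ == "__main__":
    for name, text in (("stale", STALE), ("fixed", FIXED)):
        print(name, audit_web_config(text))
```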

Tip #1061: Hierarchical security rebuild

We have not done a mini truckstop for a while, so it’s good to bag one at the beginning of the year.


It’s the first time for Greg “Stealth MVP” Olsen to ask the MVP crowd a question.

We have Hierarchy Security set up and working well for an enterprise customer, but not sure how long it takes to apply once we have saved the settings. During our testing it doesn’t look like it’s in real time or immediate.

Can someone inform me on what it does in the background technically and how long I should expect to apply?

There is a good article available, but it doesn’t inform the reader if it’s instant or takes X minutes/hours etc. or what it is doing behind the scenes to set up the security technically.


Adam “First!” Vero does not have his truckstop nickname for nothing, leaving others no chance to answer.

A table called SystemUserManagerMap is built to store who reports to whom and at what level. E.g. it will contain a row for Charlie (as the user) and Bob (his boss as “manager”) at level 1, and a second row for Charlie (the user) and Alice (Bob’s boss) at level 2, and a row for Bob > Alice at level 1.

By pre-building this table it should make actual queries much faster (than some horrible iterative query) especially for retrieve multiple – join from current user through this SystemUserManagerMap table (filtered by depth set in configuration) to the entity table to find all records owned by users somewhere in my reporting chain. (In reality it goes SystemUserManagerMap then SystemUserPrincipal table to find all records owned by users who report to you, plus owned by any teams they are in. Likewise through those to the POA table to find records visible to your reporting chain via shares).

If for some reason that table is not built, fails, takes too long etc then queries won’t work properly. From memory, the table is built to represent all depths of reporting (via manager or position depending on settings). Then if you change depth from say 3 to 5, the records already exist and the table is not rebuilt. The table is modified if you change a user’s manager/position (depending on which is in use). Changing from manager to position approach would cause a complete rebuild, as far as I can tell.

Microsoft Scalable Security whitepaper covers more detail: https://www.microsoft.com/en-us/download/details.aspx?id=45905

Tîpp Jäår

The download, even though slightly out of date, contains other useful whitepapers – make sure to study them after closing this window.
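The pre-built reporting table described in the answer above can be modelled in a few lines. This is an added Python example, not Microsoft's implementation; the function names and the (user, manager, level) row layout are assumptions taken from that description. It shows why changing the depth is only a filter over existing rows, while changing a manager alters the rows themselves.

```python
def build_manager_map(manager_of):
    """Expand {user: direct_manager} into (user, manager, level) rows."""
    rows = []
    for user in manager_of:
        seen, boss, level = {user}, manager_of.get(user), 1
        while boss is not None and boss not in seen:  # stop on a reporting loop
            rows.append((user, boss, level))
            seen.add(boss)
            boss, level = manager_of.get(boss), level + 1
    return sorted(rows)


def reports_visible_to(rows, manager, depth):
    """Users whose records `manager` reaches with the configured depth."""
    return sorted(u for u, m, lvl in rows if m == manager and lvl <= depth)


def diff_rows(old, new):
    """Rows added and removed when the reporting structure changes."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# Constructed sample: the Charlie > Bob > Alice chain from the answer.
MANAGER_OF = {"Charlie": "Bob", "Bob": "Alice", "Alice": None}
ROWS = build_manager_map(MANAGER_OF)

if __name__ == "__main__":
    print(ROWS)
    # Depth change: same rows, different filter, no rebuild needed.
    print(reports_visible_to(ROWS, "Alice", 1))
    print(reports_visible_to(ROWS, "Alice", 2))
    # Manager change: Charlie now reports to Alice, so rows must change.
    moved = build_manager_map({**MANAGER_OF, "Charlie": "Alice"})
    print(diff_rows(ROWS, moved))
```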

Tip #1060: Quickly create vector/SVG images for Dynamics 365

We have had several tips about icons in Dynamics 365. As Tanguy reminds us, if you want your icon to show in the unified interface sitemap, you need to use Scalable Vector Graphics (SVG) format.

Andrew Magnotta from Microsoft shares a tip about how he quickly creates SVG images for Dynamics 365.

Method Draw – Browser based .svg editor

Support for Scalable Vector Graphic (SVG) web resources has been introduced in D365v9 and it looks like they’re here to stay as the new default for adding custom images (logos/icons) to your D365 instance. However, support for creating custom .svg images can be tricky with the everyday image editors you may be accustomed to (ex. Paint.NET). I did a quick search and found a nice + free browser based vector creating site called Method Draw (http://editor.method.ac/). This site allows me to import a custom logo image from a standard format (jpg, png, etc.), quickly turn it into an SVG, and save it locally to import into D365:


  1. Set Canvas size – Depending on the intended use of the image (up to 400x50px for Theme logos or the standard 16×16 / 32×32 for entity icons).
  2. Set Background – Can be transparent or any HEX color
  3. Import Logo Icon (jpeg, png, etc…)
  4. Drag to Resize Image (auto adjusts size… which is nice!)
  5. Save file and import into D365 as .svg web resource
  6. Add to Theme and Publish
  7. Renders nicely in both Classic and UUI interfaces



Tip #1059: Enabling Tracking and Rating for Portal Pages

Two common requests for portal pages are enabling tracking (seeing who has gone to a page) and ratings for pages, i.e. the ability to say if a page was useful or not. Rating can be found relatively easily under the options for a web page (log in to the portal as an Administrator, edit the page and go to options). However, tracking a page (logging when a page is loaded on someone’s browser) is not as obvious.

My rule of thumb for the portal is, if in doubt, go to the record in Dynamics 365. The configuration record for a web page/entity form/web form should contain all of the possible settings (where else would they be?). Sure enough, if we browse to a web page record, we see the ability to enable these under the page options.

Rating puts a five-star rating on the page. This is most commonly used for knowledge article pages but, in principle, it can be enabled anywhere on your site.

Tracking automatically adds a record to the Web Page Log entity every time an enabled page is visited. The IP address of the visitor is captured and, if they have logged onto the portal, it will also link the Web Page Log record to their Contact record.

Finally, for those looking for a bit more in-depth analysis, in the Content Snippet records, there is a Tracking Code snippet where you can add a tracking code e.g. Google Analytics and monitor your site that way.