Version 2.1.23 of the Warehouse management mobile app is a big one. Next to some general fixes and improvements, a new Device code, Username, and password authentication methods are added, together with single sign-on (SSO) support. With that, the current authentication methods (Client secret and Certificate) will be deprecated on 15 July 2024, so be ready for the change, and even better, use the time to test the new methods.
The main reason for the change is security, but it does feel that simplicity is also a part of it (no more managing of the certificates and the client secrets getting lost). With the novel approach, only one app registration should be needed for all your environments, as the connection and authentication are user-based. Instead of managing the connection details, you now manage the users. Next, when using SSO, the Default user can be specified for the worker, meaning you can automatically log in to the desired worker in D365.
First, let's cover licensing. Essentially, there are no changes to the licensing model. Every person using the warehouse mobile app function must either have the user license assigned to them personally or by using a device with a license. The authentication method does not impact this requirement. But no matter which of the two new authentication methods you use, an Entra ID is required, which means we can think of this in two ways:
- One Entra ID user per warehouse worker (user license)
- The Entra ID and the D365 Warehouse worker records are now linked, and logging in is faster.
- Workers can skip the D365 Worker username/password if the Default user is selected in D365.
- The username and password authentication method should be used.
- You can use the device code authentication method.
- The log-in experience can be streamlined.
- One Entra ID user per device (device license)
- Essentially working as before with the device license.
- Warehouse workers will have to log in every time.
- Cannot use Default user
- Use the Device code authentication method (and store the 'shared' Entra ID password somewhere).
- Use the Username and password authentication method to manually enter the Entra ID username and password.
In both cases, we create one Warehouse worker record for each employee, and within that, one or more User IDs for logging in (in the Warehouse worker). But let's explore this in more detail.
With Device code flow authentication, upon connecting, the Warehouse management mobile app generates and shows a unique device code. This code must then be entered into a new online form with the user credentials (name and password) for the relevant Microsoft Entra ID. With this method, the Entra ID user can represent a device itself or the person signing in, depending on the setup. The device code connection must be executed when a new worker logs in. This authentication method is not fully supported by the mass deployment yet and does not support SSO log-in.
The Username and password authentication method enables the mobile app to use the Entra ID account for authentication directly in the app itself. The worker can enter their account username and password to establish the connection. This can be further streamlined by utilizing the Single sign-on (SSO), thus removing the need to enter a password every time. When using SSO, the device will remember you for 90 days (the default Entra ID setup) or until logging out manually (including other MS products linked to your account). Note here that vice-versa principle applies, meaning logging out of other MS products with SSO will log you out of the MD as well.
A general note on the 90 days, applicable to both authentication methods. The device itself does not store any passwords at all. It only preserves a refresh token for 90 days which allows it to get a new short lived authentication token and the refresh token again. This is done at every launch, so each launch of the app extends the validity (sign-in) for 90 days. It means that if you use device each day or at least once for 90 days, your device will never lose authentication. In short, the 90 days count is refreshed every time you log-in as that is also refreshing the token itself.
The real beauty of these changes lies in the new Default user parameter on the Work users form. When this is enabled, the log-in process will skip the logging requirement for the warehouse worker so that after entering your Microsoft Entra ID details, you are taken directly to the menu.
Now, to the practical part. Read the following two step-by-step instructions on creating the necessary connection setup and the SSO log-in.
In essence, we must:
- Create the web service application in the Azure portal.
- Set up the mobile device user account in D365.
- Set up the SSO, if desired.
- Set up the mobile device and log in.
Entra ID application registration
The first part, creating the Entra ID application, remains unchanged. But additional items must be configured later.
If you already have the web service app created (i.e., you are already live and operational or in a similar situation), you can reuse your Azure web service app. In that case, start at point 7 of this guide (by previously selecting the correct app from the list). If you recycle the existing app, the old authentication method will not work anymore, so make sure this is planned accordingly. We recommend creating a new one and using it in parallel until you can confirm it works well and eventually move to the new way of working.
The official MS guide (without screenshots) can be found here.
- Log in to the https://portal.azure.com/
- Select the Microsoft Entra ID section
- Select App registrations on the left pane
- Select New registration
- Add the web service app details and Register it
- Name
- Select Accounts in this organizational directory only option
- Once done, copy and save the Application (client) ID
- In the left pane, under the Manage section, select Authentication. Change the Enable the following mobile device flows parameter to Yes. Save that.
- On the same page, select Add a platform and select Mobile and desktop applications.
- In the following dialog (Configure Desktop + devices), enter the following and Configure
- Custom redirect URIs: ms-appx-web://microsoft.aad.brokerplugin/S-1-15-2-3857744515-191373067-2574334635-916324744-1634607484-364543842-2321633333
- Custom redirect URIs: ms-appx-web://microsoft.aad.brokerplugin/S-1-15-2-3857744515-191373067-2574334635-916324744-1634607484-364543842-2321633333
- OPTIONAL: The Authentication page now shows this new platform. You should select the Add platform again if you're using Android devices. From the next sub-form, select Android and enter the following:
- Package name – com.microsoft.warehousemanagement
- Signature hash – hpavxC1xAIAr5u39m1waWrUbsO8=
- OPTIONAL: If by any chance you are using iOS devices, select the Add platform again, choose iOS/mac OS, and enter:
- Bundle ID - microsoft.WarehouseManagement
- Bundle ID - microsoft.WarehouseManagement
- Back at the main screen, select API permissions under the Manage tab on the left. Select Add a permission and choose Dynamics ERP in the sub-page.
- On the next page, select Delegated permissions and thenFullAccess. Confirm by pressing Add permission on the bottom.
- Go back to the main portal.azure.com page and select the Microsoft Entra ID; on the left pane, select the Enterprise applications, search for your new app, and select it.
- In the Manage left pane, select Properties, set the below values, and Save it.
- Assignment required – Yes
- Visible to users – No
- Again, in the Manage tab on the left, select Users and groups and Add user/group.
- In the following page, select the link under Users and groups (before any users are assigned, the link should say None selected). Add the users or the groups and save by pressing Select. After that, you must also press Assign on the previous page.
- Select the users or groups for which you want to enable the authentication / mobile app. This might be individual users (persons, in case of worker-based licensing) or the device(s) itself (in case of device-based licensing).
- This is also where you can revoke access from specific users or groups later.
- You should have been taken to the Users and groups page, where you can see the added users. On the notifications page, you should be able to see the following items, ensuring you did everything right.
Set up mobile-device user account in D365
This part is slightly changed. The Application (Client Id) is not required to be created in the D365 anymore. All you have to do is create a user that corresponds to the user credentials for the Warehouse management mobile app.
For example, if I want to log in, a user with my email must be created in D365 and added to the web service application in the Azure portal.
Utilize the Single Sign-On (SSO)
SSO enables users to sign in without entering their password and applies only to the Username and password connection type. It works by reusing the credentials from the Intune company portal or Microsoft Authenticator, just like any other app or service with enabled SSO.
Before enabling the SSO, the steps from the Connection details must be performed. Further, depending on your connection configuration, you must do one of the two:
- Manual configuration – in the WMS app, enable the Brokered Authentication option.
- JSON or QR code connection – you must include "UseBroker": true in your JSON file or QR code. This will set the Brokered Authentication parameter in the MD to Yes.
As a result, the Brokered Authentication field in the connection setup should be Yes. If this is disabled, the user will have to log-in every time.
The Warehouse management app log-in process
From WHS app version 2.3.3.0 (June 2024), the Entra Id Application is no longer needed. Instead, Azure Global Cloud is used and the validation occurs automatically.
Device code
- Set up the MD connection details
- You are presented with the device code. This is uniquely generated for every call.
- Open the website from the mobile app, enter the code, and press Next
- In the next screen, select the account you want to use for logging in and enter the password.
- This is where the Device-based license would require the same account.
- After entering the password, you will be asked for the 2-FA authentication if set up by your organization.
- Upon the first sign-in, you must also confirm the Permission request. This is something the administrator would most likely perform.
- You are now signed in the Warehouse mobile device.
See this in action below:
Username and password
- Set up the MD connection details
- On the pop-up, enter your account details. Continue with the password and 2FA confirmation if required.
- You are now logged in.
- Upon the next log-in, I only have to select the Entra ID username (myself), and the SSO will take care of the sign-in process.
- By default, this lasts for 90 days of inactivity.
See this in action below:
Conclusion
The two new authentication methods bring standardized Microsoft log-in process look and feel to the Warehouse management mobile app. It's best to use the time left to test and prepare for the obligatory switch in July 2024. Here are some tips for everyone using the app:
- Review the licensing model in place (device vs personal).
- Review the number of web service applications in place currently and use that to plan the move the Production, either by:
- Creation of new web service apps
- Recycling of the existing web service apps
- Create a new web service app for your test environments and have your super users test it during the next test cycle.
Move gradually to Production environment, ideally before the Microsoft deadline. Our recommendation would be to create new web service apps, use both during the transition period, and once confirmed, remove the old ones eventually.
Useful links
- Microsoft FAQ on the topic - User-based authentication FAQ - Supply Chain Management | Dynamics 365 | Microsoft Learn
- Mass deployment via Intune, step-by-step guide - Mass deploy the mobile app with user-based authentication - Supply Chain Management | Dynamics 365 | Microsoft Learn
Happy testing!
Update log
July 8th, 2024
- Updated for App version 2.3.3.0 - Entra Id application is not required anymore.
February 22nd, 2024
- Updated 'web service application' to be 'Entra ID application' for clarity.
- Clarified that the sign-out happens after 90 days of inactivity and not after the log-in. Every log-in refreshes the token and 90 days start counting again.
- Added videos to show the log-in experience.
- Added more links to relevant Microsoft documentation.