Portal Security Authentication and Authorization – Quick Reference Guide


Local Authentication (Not Recommended by Microsoft)

  • Contact record configured for Portal access
  • Invite enabled access (configurable)
  • Username & Password stored in CRM. Password is encrypted
  • Password Recovery & Reset
  • Email address confirmation & Two-factor authentication via email (optional)
  • Lockout in case of multiple failed login attempts (configurable)

External Authentication

  • Contact record configured for Portal access
  • No-code configuration approach for setup
  • Implemented via ASP.Net Identity API framework  (OpenID Connect or OAuth or SAML based providers)
  • Invite enabled access (configurable)
  • Password managed by 3rd party identity provider (Yahoo, Google, Twitter, Facebook, Microsoft, Yammer, LinkedIn etc)
  • Multiple external identities can be configured. Users can login with any of the accounts (depending on configuration)


Web Roles

  • Controls access to the Portal
  • Users can have 1 or many roles. (roles are additive)
  • An administrator can define custom roles
  • An administrator can define a default role, which will automatically available to a logged-in user (even if the contact has not been assigned any web role)

Entity Permissions

  • Enables record-based security.
  • Handles scope (global, parental, account, contact) and permissions (read, create, write, delete) for data surfaced on the portal

Web Page Access Control Rules*

  • Restricts access to Portal Web Pages

Content Access Level

  • Provides an additional layer of security for Knowledge Articles (e.g. : Default, Registered Users and Premium Users)

Publishing State Transition Rules

  • It provides an additional layer of security for managing content on the portal.

Forum Access Permissions

  • Provides an additional layer of security for viewing and/or moderating Forums

Website Access Permissions

  • Permissions for enabling front-side editing of portal content (e.g. : Managing site navigation, content snippet etc)

Liquid Templates

  • Custom code using Liquid can be used to cover scenarios not achievable using above.

Other Security Features

IP Address Restriction

  • Restrict access to the portal via IP address

Enable maintenance mode

  • Disable portal access when the portal/CRM is under maintenance
  • Display a customized page to notify the user

GDPR Implementation

  • Several configuration options available for GDPR compliance

Also, read Dynamics 365 Portals Authentication – Options and Features