When you deploy a machine with the new Microsoft Dynamics AX on Azure or download a virtual machine, the environment contains users with restricted rights. In previous versions of Dynamics AX you could directly use the Contoso users for your demonstrations to show what it looks like when a user has only certain roles assigned. In Microsoft Dynamics AX you will receive an error when the user is not recognized in your own tenant. This post will tell you how you can use the Contoso personas within your own environment without creating new demonstration users in your own Azure Active Directory.

Contoso personas

When Microsoft created the Contoso demonstration company, they also did investigation which personas would be working in the fictional company. So users and example roles are provided as outcome. When you look at the current demonstration database there are some users like:

  • Charlie Carson : Chief executive officer
  • Susan Burk: Sales clerk
  • Tim Litton: Information technology manager

ContosoPersonas

When you login as one of the Contoso employees the number of functionality is limited, meeting the permissions of this user and demonstration is more smoothly. The audience will not be overwhelmed by all possible functionality, but can focus on the process being demonstrated.

However when you run Microsoft Dynamics AX on your own tenant, login with a Contoso user is not working. Even when the user is enabled. You have to change settings on the users to be able to activate them running in your environment.

Activate Contoso users

Update: The users on the contosoax7.onmicrosoft.com tenant are not available anymore. You can actually use users from your own Azure AD. Replace the Alias field with the email address of one of your own users. Continue to read this blog as it still contains valuable information.

Microsoft Dynamics AX is using Azure Active Directory for user authentication. Where you could setup a federation and have claims based users in Microsoft Dynamics AX 2012, you can now setup any user in your Microsoft Dynamics AX environment. There is only one rule. If the users does not belong to your Azure tenant, you have to specify the domain from the third party within the Domain field of the AX user.

Contoso personasBy default the value in this field is https://sts.windows.net/. To have a third party user activated you need to add the domain behind this value. In this example this is contosoax7.onmicrosoft.com. So the full domain should be filled with the next value: https://sts.windows.net/contosoax7.onmicrosoft.com. When you save the user record, AX will also retrieve the Identity provider and a correct SID value. This will also work with any other third party domain when the users are setup as user in an Azure Active Directory.

Now you are able to start Microsoft Dynamics AX using the credentials from e.g. Susan. Open a browser and use the next credentials:

Username: susan@contosoax7.onmicrosoft.com
Password: Pass1Word

Note that some Contoso users might have other passwords. The most are setup using the password as mentioned above. The workspace and available menus will now look like the screenshot below for the sales clerk. You can notice that the default dashboard already contains less options. The same is valid for the main menu compared with system administrator rights.

Contoso personas

There is more…

Changing about 80 Contoso users for the Domain field is a bit of a boring job. It can take some time to complete this task. To help myself I created a runnable class which will update the Contoso users to have the correct network domain filled as well as 2 related security fields. With the help of Visual Studio you can also implement this coding to update the values for the users in the current partition. Below I will share you these details. Note that using this code is at your own responsibility. Prevent changing users from your own domain. Wrong information in the user table might lock out those users.

In the next example I’m assuming you have an extension model created. A reference to the Application Platform and Application Foundation model are required. You have to create a new project and add a new item based on a Runnable Class. A runnable class is the replacement for the Jobs which were implemented as scripting tools in the previous versions of AX.

Contoso personas

I named it ActivateContosoPersonas. In the code editor, type the next coding:

class ActivateContosoPersonas
{        
    /// <summary>
    /// Runs the class with the specified arguments.
    /// </summary>
    /// <param name = "_args">The specified arguments.</param>
    public static void main(Args _args)
    {        
        AxaptaUserManager   manager = new AxaptaUserManager();
        UserInfo            userInfo;
        xAxaptaUserDetails  userDetails;
        var                 contosoTenant = "contosoax7.onmicrosoft.com";
        ttsbegin;
        
        userInfo.skipAosValidation(true);
        while select forupdate userInfo
        {
            if (strContains(userInfo.NetworkAlias, contosoTenant) && !strContains(userInfo.networkDomain, contosoTenant))
            {
                userInfo.networkDomain += contosoTenant;
                UserInfo.IdentityProvider = Microsoft.Dynamics.AX.Security.AuthenticationCommon.AadHelper::GetCanonicalIdentityProvider(UserInfo.networkDomain);
                userDetails = manager.getSIDFromName(UserInfo.networkAlias, UserInfo.IdentityProvider, UserInfo.accountType);
                userInfo.sid = userDetails.getUserSid(0);
                userInfo.update();
            }
        }
        ttscommit;
    }
}

Then save the changes. You have to set the new runnable class as Startup Object. Then you can build and run the solution. When everything is compiled correctly, this runnable class will open an Internet browser and show you when the code is complete.

Contoso personas

Now all users are migrated to be able to log on to Microsoft Dynamics AX. Note that some users might have other passwords setup. Also I don’t have information if and when the users will be retired from Azure Active Directory by Microsoft. But in the meantime (hopefully will last forever)… Enjoy!

Please share your thoughts and experiences in the comments below.

That’s all for now. Till next time!

26 replies
  1. Sohaib
    Sohaib says:

    Hi André ,
    Is RTW version allowing to login with Domain contosoax7.onmicrosoft.com .?
    I have downloaded RTW Version but haven’t installed yet. I think previous version like CTP8 is not allowing to use domain contosoax7.onmicrosoft.com, we are using our own 365 subscription.

    Reply
    • Paul
      Paul says:

      Thanks André for sharing! And to answer Sohaibs question: Yes the code and the contoso personas also works in RTW.

      Reply
      • André Arnaud de Calavon
        André Arnaud de Calavon says:

        Hi Paul,
        Thanks for reading the blog and verifying the code. I’m glad it also works for you.

        Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Sohaib,
      Just because you have to use your own tenant (365 subscription), initially the Contoso users cannot be used as they are not part of your own tenant. So this is the way to “activate” them. In fact for all CTP versions and RTW you have to use your own tenant. The code is written based on the RTW version. I have not tested it on previous CTP builds.

      Reply
  2. James Terrington
    James Terrington says:

    Hi Andre

    Just trying to access with multiple users in an AX7 Virtual Machine on my pc.

    I have used the Admin Prov. Tool to get my account to access and it works – great.

    But have not been able to able to setup standard Contoso users like CHARLIE to work in the VM (in combination with my user).

    Do you have any suggestions?

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi James,

      Thanks for reading the blog. To be honest I don’t understand exactly what you are trying to achieve. Do you want to link the worker CHARLIE to your Admin user account?

      Reply
  3. Raman
    Raman says:

    Hi Andre,

    We are on a AX 2009 on-premise environment. Today, we have users from just one network domain. We have multiple network domains in the company. What is involved in adding users from other network domains.

    Thanks.

    Reply
  4. Anna Svantesson
    Anna Svantesson says:

    Hi André,

    In update 4 the default domain has changed to https://sts.windows-ppe.net/ and all users have email addresses on taeofficial.ccsctp.net (like CLAIRE@taeofficial.ccsctp.net) instead of contosoax7.onmicrosoft.com. I have tried setting up different values for users and logging in, but with no success. I get the error message at login that this user does not exist. Any ideas on how to log in with different users in update 4?

    Thanks,,
    Anna

    Reply
  5. Jan van Maanen
    Jan van Maanen says:

    This worked perfect, but the passwords have been changed.
    Does anyone know the new passwords?

    Kind regards,
    Jan van Maanen

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Jan,

      Unfortunately, I don’t know if there are new passwords or if the users have been disabled by Microsoft.

      Reply
  6. Antony Robinson
    Antony Robinson says:

    Hi Andre,
    I’ve been using Susan for some time now as I find it invaluable for testing security settings, however some time in the last couple of weeks, I’ve been unable to login with any of the contoso users, do you know if they’ve been disabled for some reason?

    thank you
    Antony

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Antony,

      I think Microsoft did change their demo users. The domain is different now. Also the password might have been changed or indeed the user can be disabled/removed by Microsoft.

      kind regards,

      André

      Reply
      • Søren Andersen
        Søren Andersen says:

        Did anyone figure out the new password for the users, or do we have to create new users in our own AAD?

        Reply
        • André Arnaud de Calavon
          André Arnaud de Calavon says:

          Hi Søren,

          At this moment it would be the best to create own users in AAD. You can then change the email on existing users or create new users.

          kind regards,

          André

          Reply
  7. Søren Andersen
    Søren Andersen says:

    It HAS to be on a new DEMO AAD? so the adresses are always @….onmicrosoft.com?

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Søren,

      It can be any AAD. The suffix .onmicrosoft.com is not required.

      kind regards,

      André

      Reply
  8. Søren andersen
    Søren andersen says:

    And then it should be possible just to change the Provider to e.g. Axsoft.dk nad then change the users email i D365?

    Reply
    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Søren,
      If the deployment and admin account are running on this domain, you can just run with the setting ‘https://sts.windows.net/’. Otherwise you need to add the domain behind this part.

      kind regards,

      André

      Reply
  9. Søren Andersen
    Søren Andersen says:

    Thanks it worked… I changed the Provider field to my domain and that was a mistake… chaning it back to ‘https://sts.windows.net/’. did the trick… users from another domain works if I put their domain after the provider.: ‘https://sts.windows.net/Anotherdomain.dk’

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *