In this tuturial you’ll learn how to expose a Dynamics 365 for Finance and Operations onebox (VHD edition) to the public Internet using a custom domain name. For example, the client URL becomes “” in stead of default URL “”.

“Why don’t you just deploy a D365FO Cloud Hosted Environment to Azure using LCS?” – I hear you say 🙂 .

Yep, that’s the most easy (and supported) way to expose a D365FO onebox to the Internet.

However, there are reasons why you would want to follow my tutorial below:

  • Deploy and run the onebox in an on-prem (preferably DMZ) or other Cloud environment (like AWS).
  • Keeping full control over the Azure deployment processes and governance. For example, being able to deploy only necessary resources using ARM or Blueprint templates.
  • Limiting the remote access to your LAN in stead of the Internet.
  • Sharing your development onebox with colleagues or the Internet.
  • Changing the default * client URL to your own corporate domain, like
  • Last but not least: just because you can! 😀

In other words, if you’re looking for an easy and Microsoft-supported way to deploy a onebox (dev/demo) to Azure and expose it to the Internet, stop reading and follow my other tutorial which guides you through all the required steps in LCS. Otherwise, keep reading 🙂 .


You’ll need to have:

  • A working and running onebox (VHD edition) of Dynamics 365 for Finance and Operations running in a hosted environment (Cloud or on-prem) of your choice.
    • Your onebox needs to be exposed on port 80 and 443 to the Internet, for example using NAT port forwarding.
    • Preferably host your onebox in a DMZ or behind a reverse proxy solution!
  • Global Administrator privileges to your Azure AD / Office 365 tenant, because you’ll need to create an Azure AD app registration.
  • DNS admin privileges on a public routable domain name (i.e., because you’ll need to create one or more DNS record(s).

Step 1 – Prepare domain

  • First, decide which (sub)domain URL to which you want to expose your onebox to, and make a note of it. In my tutorial it’s configured as:

  • Preferably use a root domain name from your Azure AD / Office 365 tenant which is connected to your onebox for log-in. I am referring to the domain name which you’ve entered in the Admin provisioning tool (step 3 in my VHD download tutorial).

  • Sign in to the DNS configuration panel of your domain provider and create a DNS record (type A), pointing to the public exposed IP address of your onebox. Contact your domain provider if you don’t know where to find the configuration panel.

    Below you’ll find an example in where I’ve used DNS zones in Azure.

    Set DNS record

Step 2 – Configure Azure AD

In this step you will create an Azure AD application registration. This is required to let Azure AD trust your custom domain name for application usage, like you will do with Dynamics 365. Skipping or misconfiguring this step will break any attempts to sign in to the Dynamics 365 client.

  • Sign in to the Azure Portal using an account with Global Administrator privileges and confirm if the portal is signed in to the appropriate tenant at the top left. This should be the tenant which holds the admin account you’ve entered in the Admin Provisioning Tool on the onebox desktop.

  • Navigate to the Azure Active Directory blade > App registrations.

  • Click + New registration at the top.

    New Azure AD app registration

  • Give it a descriptive name, and make sure to set the Redirect URI to the URL of your onebox.
    In my case, it is: .
    Also, set the supported account types to Accounts in this organizational directory only (Single tenant).


    Create D365FO app reg

    Finally, click Register at the bottom of the form.

  • After registering the app, a menu menu will appear which allows you to configure the app registration.

  • At first, make a note of the following data on the Overview panel. You’ll need these ID’s to modify a few config files on your onebox later in this tutorial:
    • Application (client) ID
    • Directory (tenant) ID


  • Switch to the Authentication panel, and make sure the settings match the ones you’ve configured during creation.

  • Switch to the API permissions panel and make sure to configure the following permissions:

    App reg permissions

  • Azure AD configurations are now complete.

Step 3 – Configure IIS config files

In this step you’ll modify a few IIS config files on your onebox to change the default client URL to your custom domain.

  • RDP to your onebox and sign in using the default Administrator account.
    User: Administrator
    Default password: pass@word1

  • Don’t forget to change the default password, especially when you’re exposing your onebox to the Internet.

  • Open Notepad (or comparable editor such as Notepad++) with Run as admin privileges, and open the following files in directory: C:\AOSService\webroot
    • web.config
    • wif.config

  • In web.config make the following modifications:
    • Search for Aad.Realm and change the spn id (containing alot of zero’s) to the Application (client) ID you’ve written down in previous step.

      <add key="Aad.Realm" value="spn:12f3d12d-df2c-123d-1c23-ac1f2b34a5a6" />

    • Replace the default client URL for your own custom URL at the following keys, which can be found in a random order through the config file:
      • Infrastructure.FullyQualifiedDomainName
      • Infrastructure.Hostname
      • Infrastructure.HostUrl
      • SoapServicesUrl

    • Make sure to preserve all prefixes and suffixes at each modified value.

      <add key="Infrastructure.FullyQualifiedDomainName" value="" />
      <add key="Infrastructure.HostName" value="" />
      <add key="Infrastructure.HostUrl" value="" />
      <add key="Infrastructure.SoapServicesUrl" value="" />

    • Check if the directory tenant ID on line 22 (key TenantDomainGUID) matches the Directory (tenant) ID you’ve written down in previous step. If it’s not, rerun the Admin Provisioning Tool on the desktop and enter a valid Azure AD account which is listed in your tenant.

  • In wif.config make the following modifications:
    • On line 8 you’ll find a key named add value=”spn:000……..” which refers to a Microsoft-managed directory tenant ID.
    • Change the ID (after spn:) to the Application (client ID) you’ve written down in previous step.

      <add value="spn:12f3d12d-df2c-123d-1c23-ac1f2b34a5a6" />

  • In make the following modifications:
    • On line 5 and 6 you’ll need to change the tenant name (, tenant id (spn) and client URL (on 2 places).

      Original code:
      <wsFederation passiveRedirectEnabled="true" issuer="" realm="spn:00000015-0000-0000-c000-000000000000" reply="" requireHttps="true" />
      <cookieHandler requireSsl="true" domain="" path="/" />

      Example modification:
      <wsFederation passiveRedirectEnabled="true" issuer="" realm="spn:12f3d12d-df2c-123d-1c23-ac1f2b34a5a6" reply="" requireHttps="true" />
      <cookieHandler requireSsl="true" domain="" path="/" />

  • Save all files.

Step 4 – Add IIS binding

  • Go to the IIS manager and add a binding to the website AOSService, pointing to your custom domain URL. Make sure to tick the SNI checkbox and select a random SSL certificate.
    Don’t change or remove the default binding.

    IIS binding

Step 5 – Create SSL certificate

  • If you already have a valid signed web SSL certificate which is applicable for your D365 client URL, for example a wildcard *, you can install it on the onebox VM and skip this step.

  • If you don’t have such certificate, follow steps below to use LetsEncrypt to generate a valid certificate.

  • In this tutorial we use WACS to leverage the LetsEncrypt certificate creation service.
    It’s easy and free to use, and also auto-configures IIS and scheduled tasks for periodic renewal.

  • Example:

    Generate certificate

    As you can see WACS has modified the AOSService binding and added the newly created SSL certificate. It also added a task in Windows Task Scheduler for auto renewal 😀 .

Step 6 – Testing

  • Open up a random browser and navigate to the new client URL. In this tutorial I’ve configured:

  • The Azure AD / Office 365 login prompt should appear.
    Log in using the same credentials as you have used in the Admin Provisioning Tool.
    The Dynamics 365 for Finance and Operations client should appear as displayed below.

    Dynamics 365 Finance Operations custom domain

You’re done! 😉

All steps above are tested successfully on the latest VHD version of Dynamics 365 for Finance and Operations. Please let me know if you encounter any issues by posting them below, or sending me an email. There might be a chance that this modification will also work on the Azure-hosted CHE version (Cloud Hosted Environment), however I didn’t test and there’s a decent chance that all links to LCS will break.

A small disclaimer

Please note that this domain modification is not supported by Microsoft and might break at any time during release of new application or platform updates. Also note you should never use an onebox for production purposes 🙂 .

Thanks for reading my blog!