Authentication and Identification
If Single Sign-On (SSO) is enabled, the Active Directory user is used and matched against the equivalent user in the Dynamics CRM system.
If the user is not matched or if SSO is disabled, the user needs to log into their Dynamics CRM accounts from the search page. This Dynamics CRM authentication is done under Account & Settings and Source Credentials.
Multifactor authentication issues
If some users cannot login through source credentials it is important to check the multi factor authentication in MsCrm settings. If the multi factor authentication is set to "Enforced" status, the user needs to login with his app password. This password is created when logging on to Azure (using the user@company.onmicrosoft.com form) or by a technician. The app password is then used instead of the usual password in Source Credentials.
The typical log entry for this error would be:
Exception caught:An unsecured or incorrectly secured fault was received from the other party. Inner Exception:System.ServiceModel.FaultException: Authentication Failure
For other related errors, check this link http://teameasi.com/blog/azure-ad-conditional-access-and-dynamics-service-connection-errors and perhaps investigate if legacy logon is allowed.
Identification
Scope: MsCrm_
Tokens: User read privileges
Security
Share Security
Not in use.
Document Security
Scope: MsCrm_
Tokens: Entity read privileges