We are trying to make a call to a D365 FO system via an app (using client id and client secret).
1) The app is registered in the Azure portal, and the following delegated permissions are granted: Odata.FullAccess, Connector.FullAccess, CustomerService.FullAccess, AX.FullAccess
2) In FO the ClientId is registered in Azure Active Directory applications. The corresponding user has the SysAdmin role and is enabled.
The call fails with an http 403 error.
After we changed the user in FO (to one from another registered application), we could make the call.
Both users have identical rights in FO: SysAdmin and SysUser roles.
What else should be checked / set up for the user given on the FO form "Azure Active Directory applications" to get the call working?
Did you add your D365FO system URL in the reply URL list of the AAD application?
You mean the form "Azure Active Directory applications" in FO? Yes, we have two applications there, one of them is from us. And for the linked user the call failed. When we change the user on our registration entry to the user from another application, it works.
No, I mean the AAD application settings in Azure portal.
You must have already checked but can you confirm if the other user is enabled in F&O?
Yes, both users are enabled in FO.
I can check the setting (I am quite sure that it is done), but the strange thing is that changing the user in FO makes the app calls fail / work. So I guess there should be a parameter setting concerning users (in the Azure portal).
Ok, if the same app id works when you set up a different user in D365FO AAD Applications form, then the issue is not in the AAD application. Then the issue must obviously be in the user settings in D365FO (or AAD).
Please double check that the user is enabled in AAD and D365FO.
Can you login to D365FO with this user? That's of course the first thing to try before more advanced use cases such as integrations.
What do you mean by this: "After we have tried to change in FO the user (to another one from an other registered application, we could make the call." What "other registered application"? Do you have one or many AAD app registrations?
Our user (let's call it user1), which I meant, is enabled in FO and we can log in with it.
Yes, there is another registered application; in FO it has another user (let's call it user2), which has identical security roles to user1.
After we change the mapping for our application from user1 to user2, the app call works.
Another detail: we can get data from data entities directly via the browser when logged in as user1.
Just to summarize and check that I understood the important details correctly.
You have a record in Azure Active Directory Application form in D365FO. When this record is associated to User 2, you can call OData endpoint from your external application without issues. When this record is associated to User 1, the OData call fails with http 403 error.
Both users User 1 and User 2 can login manually to the system without issues.
Is this correct?
Are both users from the same AAD tenant?
Thanks for the summary, it is correct.
The two users are from different tenants; is that the cause?
User1 can nevertheless access OData via the browser (but not via app calls).
I assume that the user who is having the issue is from a different tenant than the "native" tenant of the D365FO subscription (the one that you see in the "About" window of D365FO).
I think you need to use accounts from the D365FO "native" tenant in integrations. The user from foreign tenant can't use app registration of the "native" tenant. Instead their login is directed to their own AAD tenant.
Thank you Nikolaos!
We will then switch to a user from the "native tenant".
Nevertheless, is there a possibility to set up a "cross tenant" user for API calls?
If you want to use a user from another tenant, you need to set up this user account as a guest in your AAD (the native AAD of D365FO). And remove the wrong tenant name from the Provider field of that user. That way the user actually authenticates with the "native" AAD and it will work ok.
I have modified the Provider field of user1 in FO directly, while logged in as another user (user3).
After that the API call worked, but one couldn't log in with user1 in FO any more.
Anyway, we will switch to another user from the native tenant.
Thank you very much once again for your valuable tips!
You need to recreate the user in D365FO. The AAD user id (the technical ID behind the scenes, not the account name) is different for the guest user in tenant B than for the actual user in tenant A.
- If you create the user by importing from your AAD, the user id is initialized from AAD
- If you create the user by normal data input on the Users form, the user id will be empty until the user logs in for the first time.
But once that user id is initialized, you can't log in with a user who has the same O365 account name (email@example.com) but who actually has a different user id.
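The triage that the thread arrives at, written out as a small diagnostic script. This is an added example, not code from the thread, from Microsoft, or from the D365FO product: it acquires a client-credentials token for the FO environment, inspects the token's tenant (`tid`), audience (`aud`) and caller (`appid`/`azp`) claims, and then interprets the OData status code. A 401 means FO did not accept the token at all; a 403 means the token was accepted and the remaining problem is the user record mapped to the client id in the "Azure Active Directory applications" form (disabled, wrong roles, or, as in this thread, an identity from a foreign tenant whose Provider and user id do not match the native AAD). The tenant ids, app id, host name and client secret are constructed placeholders; the token endpoint, claim names and the `/data/<EntitySet>` OData path are Microsoft's. The demo under `__main__` runs offline on constructed, unsigned tokens; `acquire_token` and `call_odata` are only for use against a real environment.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed, illustrative identifiers: not real tenants, apps or hosts.
NATIVE_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # tenant shown in FO "About"
FOREIGN_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # user1's home tenant
APP_ID = "33333333-3333-3333-3333-333333333333"             # app registration (client) id
FO_URL = "https://contoso.operations.dynamics.com"          # D365FO environment URL


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for offline demos only.
    A real AAD token is signed and is verified by the resource, not by this script."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(payload)}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_token_for_fo(claims: dict, native_tenant_id: str, fo_url: str, app_id: str) -> list:
    """Return the reasons FO would not treat this token as 'our app in the native tenant'.
    An empty list means the token side is fine and a 403 must come from the FO user mapping."""
    problems = []
    tid = claims.get("tid")
    if tid != native_tenant_id:
        problems.append(f"issued by tenant {tid}, not the FO native tenant {native_tenant_id}")
    aud = claims.get("aud")
    if aud not in (fo_url, fo_url + "/"):          # FO expects its own URL as the audience
        problems.append(f"audience {aud!r} is not the FO URL {fo_url}")
    caller = claims.get("appid") or claims.get("azp")  # v1 tokens carry appid, v2 tokens azp
    if caller != app_id:
        problems.append(f"caller {caller} is not the expected app id {app_id}")
    return problems


def classify_response(status: int) -> str:
    """Map the OData status code to where to look next (heuristic from the thread)."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token_rejected"      # audience/issuer/expiry: fix the app registration or scope
    if status == 403:
        return "user_mapping"        # token accepted; check the FO user mapped to this client id
    return "other"


def acquire_token(tenant_id: str, app_id: str, client_secret: str, fo_url: str) -> str:
    """Client-credentials grant against the v2.0 endpoint; scope is the FO URL + /.default."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": f"{fo_url}/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_odata(fo_url: str, token: str, entity_set: str = "CustomersV3") -> int:
    """GET one record from an entity set and return the HTTP status (CustomersV3 is a
    standard entity set used here as an assumed example; substitute your own)."""
    req = urllib.request.Request(
        f"{fo_url}/data/{entity_set}?$top=1",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Offline demo: the same app id, once with a token from the foreign tenant, once native.
    for label, tid in (("foreign tenant", FOREIGN_TENANT_ID), ("native tenant", NATIVE_TENANT_ID)):
        token = make_unsigned_jwt({"tid": tid, "aud": FO_URL, "appid": APP_ID})
        issues = check_token_for_fo(decode_jwt_payload(token), NATIVE_TENANT_ID, FO_URL, APP_ID)
        print(f"{label}: {issues or 'token claims consistent; a 403 would be an FO user-mapping issue'}")
    # Against a real environment (credentials not included here):
    #   tok = acquire_token(NATIVE_TENANT_ID, APP_ID, "<client secret>", FO_URL)
    #   print(classify_response(call_odata(FO_URL, tok)))
```

When the claims check passes and FO still answers 403, the thread's own checklist applies to the mapped FO user: enabled, holds the needed roles, and (for an account from another tenant) created as a guest in the native AAD and re-created in FO so that its stored user id matches the guest object rather than the home-tenant object.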