
Unable to authenticate user for access to AAD function app from inside D365


Hello everyone

I have a one box environment trying out the following scenario.

I am creating an extension on Dynamics 365 F&O, whereby I need to get data from an external AAD-authenticated Azure function app. I am looking for instructions to call this function app from X++ code by passing an access token that grants access to this function app.

The function app reads and reacts to the Office 365 user principal in this way,

pastedimage1607083603781v3.png

So if I am logged in as abc@someuser.com in D365, I want the function app to be invoked in a way such that the userEmail variable above reads the same user email as the one logged in to D365.

Naturally the function app has been configured to have App Service Authentication enabled using a custom Azure AD app that has the following permissions,

pastedimage1607083621134v4.png

My own attempt to generate an access token results in an empty string. I am employing the following X++ code (inspired by the BusinessDocumentApiAuthController class).

    private str generateAccessToken()
    {
        IOAuthHelper oAuthHelper = OAuthHelperFactory::GetOAuthHelper();
        str resourceId = this.getResourceId();
        Sid currentUserSID = this.getCurrentUserSID();
        this.createDefaultConfiguration();
        str accessToken = oAuthHelper.RetrieveAccessToken(currentUserSID, resourceId);

        if (accessToken == "" && Global::hasGUI())
        {

            str linkFormat = "login.windows.net/%1/oauth2/authorize?redirect_uri=%2&response_type=code&client_id=%3&resource=%4&state=%4";
            str link = strFmt("https://" + linkFormat, this.getTenantId(), this.getRedirectURL(), this.getAXClientId(), this.getResourceId());
            this.promptUserToClickLink(link);
            accessToken = oAuthHelper.RetrieveAccessToken(currentUserSID, resourceId);
        }

        return accessToken;
    }

    private void createDefaultConfiguration()
    {
        config = new OAuthConfiguration();
        config.IsFirstPartyApp = false;
        //config.AppKey = not set as I would expect user to authenticate using their credential
        config.ClientId = this.getAXClientId();
        config.ResourceId = this.getResourceId();
        config.TenantId = this.getTenantId();

        IOAuthHelper oAuthHelper = OAuthHelperFactory::GetOAuthHelper();
        boolean result = oAuthHelper.UpdateConfiguration(config);
    }

    private str getTenantId()
    {
        return '74c2b7d7-ce0c-4486-ba63-1d3535ac4153';
    }

    private str getResourceId()
    {
        return System.Web.HttpUtility::UrlEncode('fictitiousFunctionApp.azurewebsites.net');
    }

    public str getAXClientId()
    {
        IApplicationEnvironment environment = EnvironmentFactory::GetApplicationEnvironment();
        IAzureActiveDirectoryConfig aadConfig = environment.Aad;
        str realm = aadConfig.Realm;

        if (strStartsWith(realm, "spn:"))
        {
            realm = subStr(realm, 5, strLen(realm) - 4);
        }
        
        return realm;
    }

    public str getRedirectURL()
    {
        IApplicationEnvironment environment = EnvironmentFactory::GetApplicationEnvironment();
        IInfrastructureConfig infrastructureConfig = environment.Infrastructure;

        return System.Web.HttpUtility::UrlEncode(strFmt('%1/oauth', infrastructureConfig.HostUrl.TrimEnd('/')));
    }

 

When I click the link that opens in a new window, I get this error in my URL,

The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.

  • André Arnaud de Calavon

    Hi Dutta,

    Is this external Azure app listed in your own Azure Active Directory?

  • Dutta

    Thanks, yes it is listed in my own active directory.

  • Verified answer
    Dutta

    I realized that I was missing the redirect URL set to my D365 F&O instance on the app registration blade, as that was the caller "app" of the function app API. Once I added that, I got this to work.

    pastedimage1607336247300v1.png
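
The fix in the verified answer was a redirect URL missing from the app registration. The following pre-flight check is an added example, not part of the original posts: it parses an authorize link laid out like the one in the question and compares its decoded `redirect_uri` with a list of registered redirect URIs. The function names, the sample host and GUIDs are constructed, and the check assumes the redirect URI has to match a registered entry exactly.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Same parameter layout as the link format in the question (AAD v1 authorize endpoint).
LINK_FORMAT = ("https://login.windows.net/{tenant}/oauth2/authorize"
               "?redirect_uri={redirect}&response_type=code"
               "&client_id={client}&resource={resource}&state={resource}")

def build_link(tenant, redirect_url, client_id, resource):
    """Build the link the way the X++ code does, URL-encoding redirect and resource."""
    return LINK_FORMAT.format(tenant=tenant, client=client_id,
                              redirect=quote(redirect_url, safe=""),
                              resource=quote(resource, safe=""))

def parse_link(link):
    """Return the decoded fields of an authorize link; each must appear exactly once."""
    parts = urlsplit(link)
    query = parse_qs(parts.query)  # parse_qs URL-decodes the values
    fields = {"tenant": parts.path.split("/")[1]}
    for name in ("redirect_uri", "response_type", "client_id", "resource", "state"):
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"{name}: expected one value, found {len(values)}")
        fields[name] = values[0]
    return fields

def check_redirect_uri(link, registered_uris):
    """Return (ok, reason) for the link's redirect_uri against the registered list."""
    sent = parse_link(link)["redirect_uri"]
    if sent in registered_uris:
        return True, "exact match"
    for reg in registered_uris:  # near misses that are easy to overlook in the portal
        if reg.rstrip("/") == sent.rstrip("/"):
            return False, f"trailing slash differs from {reg}"
        if reg.lower() == sent.lower():
            return False, f"letter case differs from {reg}"
    return False, f"{sent} is not registered on the app registration"

# Constructed sample values; only the resource name is taken from the question.
SAMPLE_LINK = build_link("00000000-0000-0000-0000-000000000000",
                         "https://d365fo.example.test/oauth",
                         "11111111-1111-1111-1111-111111111111",
                         "fictitiousFunctionApp.azurewebsites.net")

if __name__ == "__main__":
    print(check_redirect_uri(SAMPLE_LINK, ["https://localhost/signin"]))
    print(check_redirect_uri(SAMPLE_LINK, ["https://d365fo.example.test/oauth"]))
```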
