Microsoft Dynamics CRM (Archived)

Registering Microsoft Dynamics CRM Online with Azure AD for OAUTH credential based access.


Hi,

I am trying to build an application that uses OAUTH to authenticate with Azure AD and have that access the Dynamics CRM. I have followed the instructions here: https://msdn.microsoft.com/en-us/library/gg327838.aspx and registered a new application in Azure AD portal using Add Applications and got a Client-ID and OAUTH login string. I then use the following code to access Dynamics CRM but that fails with the error:

AuthenticationException: {"error_description":"AADSTS90002: Tenant c935dd8d-8b2c-4f9e-9524-cec3818e46f8 not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.\r\nTrace ID: b7ae4c31-d48b-4c9f-96de-8bfaa99f3d00\r\nCorrelation ID: db65810e-ea55-42e6-bc03-3ea210d02f5a\r\nTimestamp: 2017-09-07 22:35:01Z","error":"invalid_request"}

Based on other forum discussions there is some mention of registering. https://msdn.microsoft.com/en-us/library/mt622431.aspx

But it is not clear to me how this works as I do not see the options mentioned here.

How does one enable this?

The code I tried is:

    public AuthenticationResult getAccessTokenFromUserCredentials(String url, String username, String password)
            throws Exception {
        AuthenticationContext context = null;
        AuthenticationResult result = null;
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            context = new AuthenticationContext(AUTHORITY, false, service);
            // Username/password grant: the application handles the user's credentials directly
            Future<AuthenticationResult> future = context.acquireToken(url,
                    CLIENT_ID,
                    username,
                    password, null);
            result = future.get();
        } finally {
            // Guard against a null executor if creation failed
            if (service != null) {
                service.shutdown();
            }
        }

        if (result == null) {
            throw new ServiceUnavailableException("authentication result was null");
        }
        return result;
    }

  • sbelzile

    Is `c935dd8d-8b2c-4f9e-9524-cec3818e46f8` really the ID of your tenant?

    Do you use the `common` endpoint?

  • Community Member

    Sebastien,

    Yes, 'c935dd8d-8b2c-4f9e-9524-cec3818e46f8' is the Object ID of the registered app in Azure.

    Registration details are:

    Display Name: Sample App

    Application type: Web app / API

    Home Page: https://mydomain.crm.dynamics.com

    Application ID: 19fce8ba-1ef7-4030-b8e3-049234fdf651

    Object ID: c935dd8d-8b2c-4f9e-9524-cec3818e46f8

    Thanks,

    venkat

  • sbelzile

    From your answer I think you don't know what I was talking about.

    The ID of your tenant and the Object ID of your application are 2 completely different things.

    When requesting a token, you first ping the `/authorize` endpoint of Azure. There are 2 endpoints that allow you to do that:

    1. login.microsoftonline.com/{tenantID}/oauth2/authorize

    2. login.microsoftonline.com/.../authorize

    Always use the common endpoint, it is way easier since you do not have to specify/guess/figure out the tenant ID you are asking authorization to.

    When you call these endpoints, you need to specify a client ID. This client ID should be the Application ID of your App.

    If you wish to read more about the protocol, I recommend reading this doc: docs.microsoft.com/.../active-directory-protocols-oauth-code

  • Community Member

    Sebastien,

    Thanks for the clarification. Where do I find the ID of my tenant required in the first step above?

    I also tried the common/authorize end-point, which failed with a different error message:

    java.util.concurrent.ExecutionException:

    com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: f1951f4c-5d44-4a33-af59-1fc03eaf1900\r\nCorrelation ID: 1cb96850-1d1e-4d7a-b7f5-a06ad12021af\r\nTimestamp: 2017-09-08 18:53:08Z","error":"invalid_client"}

  • sbelzile

    > Where do I find the ID of my tenant required in the first step above?

    support.office.com/.../Find-your-Office-365-tenant-ID-6891b561-a52d-4ade-9f39-b492285e2c9b => don't use that.  Use the common endpoint

    > I also tried the common/authorize end-point, which failed with a different error message [...] AADSTS70002

    Could be a couple of things. And it depends on what you are trying to achieve. I think a Google search would be more helpful than I am. Here are some help links:

    -  github.com/.../659

    - stackoverflow.com/.../error-descriptionaadsts70002-the-request-body-must-contain-the-following-pa

  • Community Member

    Sebastien,

    Thanks for your suggestions. I made some progress by using the common end point, but I now run into:

    com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'c2f66457-9f64-481b-b619-c2abda7d82f7' named 'Microsoft.CRM'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 110f8c28-99cb-4f99-867b-659720d50c00\r\nCorrelation ID: f022555e-294e-40cc-b0b6-e146f8ccf6b9\r\nTimestamp: 2017-09-12 17:42:15Z","error":"invalid_grant"}

    The URL end-point is: mydomain.crm.dynamics.com

    Any help would be much appreciated.

  • sbelzile

    I think that the error is clear: you are trying to authenticate with the credentials of a user that has never granted consent to your application. You need to prompt the user for consent. The authentication flow should be:

    1. You redirect the user to the `common/authorize` endpoint.
    2. Once he is there, he will enter his credentials, and grant consent to your application (Azure handles this).
    3. Then, Azure will call the `redirect_uri` specified in the request, with an authorization code.
    4. You then ping the `/token` endpoint with that code to request a token.

    You usually don't need to handle credentials.

    There are other authentication scenarios (ex: you may be building a native application). I suggest you read this article: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios

  • Community Member

    Thanks for the reply. I followed along the instructions in the following:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#web-application-to-web-api

    I am able to login successfully using OAUTH2.0 flow and am getting an authorization code. Next step is to get an access token, and the token grant is failing. The code I get from https://login.microsoft.com/common endpoint is:

    code=AQABAAIAAA....

    Per the instructions below:

    "5. Using the authorization code issued by Azure AD, the web application sends a request to Azure AD’s token endpoint that includes the authorization code, details about the client application (Application ID and redirect URI), and the desired resource (application ID URI for the web API)."

    I then use the following HTTPS POST to get the token grant.

    request.body = {
      :code => code,
      :grant_type => 'authorization_code',
      :client_id => DYNAMICS_OAUTH_CLIENT_ID,
      :client_secret => DYNAMICS_OAUTH_SECRET,
      :redirect_uri => DYNAMICS_OAUTH_REDIRECT_URI,
      :format => 'json'
    }

    The body is constructed correctly, and the POST goes through fine. However, the response is the error: {\\'error\\':\\'unauthorized_client\\',\\'error_description\\':\\'AADSTS70001: Application '<removed>' is not supported for this API version.\\\\r\\\\nTrace ID: b774ff53-ab4e-43fe-9175-00a57f692e00\\\\r\\\\nCorrelation ID: 7ed16db4-fa36-4b30-8f1c-08d00554d9e3\\\\r\\\\nTimestamp: 2017-09-27 18:33:39Z\\',\\'error_codes\\':[70001],\\'timestamp\\':\\'2017-09-27 18:33:39Z\\',\\'trace_id\\':\\'b774ff53-ab4e-43fe-9175-00a57f692e00\\',\\'correlation_id\\':\\'7ed16db4-fa36-4b30-8f1c-08d00554d9e3\\'}

    Any thoughts on what could be wrong?

    Thanks!

  • Verified answer
    sbelzile

    In my code, I specify a `resource` parameter and headers: `Accept: application/json` and content type => `application/x-www-form-urlencoded`
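
The four-step flow and the token request described in the replies above, as an added example (not code from the thread's participants or from Microsoft). It assumes the v1 `common` endpoints `/common/oauth2/authorize` and `/common/oauth2/token`; the redirect URI, the state handling and the helper names are constructed for illustration.

```ruby
require 'uri'
require 'securerandom'

# Assumed v1 endpoints on the `common` tenant; the thread elides the full paths.
AUTHORITY = 'https://login.microsoftonline.com/common/oauth2'

# Step 1: URL the browser is redirected to. `state` binds the callback to this session.
def authorize_url(client_id:, redirect_uri:, resource:, state:)
  query = URI.encode_www_form(
    response_type: 'code',
    client_id: client_id,       # the Application ID, not the Object ID or a tenant ID
    redirect_uri: redirect_uri,
    resource: resource,
    state: state
  )
  "#{AUTHORITY}/authorize?#{query}"
end

# Step 3: accept the callback only if its state equals the one issued (constant-time compare).
def valid_state?(expected, received)
  return false unless expected.is_a?(String) && received.is_a?(String)
  return false unless expected.bytesize == received.bytesize
  expected.bytes.zip(received.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Step 4: form-encoded token request with the `resource` parameter and the
# headers named in the verified answer. The client secret stays server-side.
def token_request(code:, client_id:, client_secret:, redirect_uri:, resource:)
  body = URI.encode_www_form(
    grant_type: 'authorization_code',
    code: code,
    client_id: client_id,
    client_secret: client_secret,
    redirect_uri: redirect_uri,
    resource: resource
  )
  headers = { 'Accept' => 'application/json',
              'Content-Type' => 'application/x-www-form-urlencoded' }
  { url: "#{AUTHORITY}/token", headers: headers, body: body }
end

if __FILE__ == $PROGRAM_NAME
  state = SecureRandom.hex(16) # store in the user's session before redirecting
  # Application ID and resource are the values quoted in the thread; redirect URI is constructed.
  puts authorize_url(client_id: '19fce8ba-1ef7-4030-b8e3-049234fdf651',
                     redirect_uri: 'https://app.example/callback',
                     resource: 'https://mydomain.crm.dynamics.com', state: state)
end
```

The v2.0 endpoints (`/oauth2/v2.0/authorize` and `/oauth2/v2.0/token`) take `scope` in place of `resource`.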

  • Community Member

    Thanks again!

    I now get the following error:

    {\"error\":\"invalid_request\",\"error_description\":\"AADSTS90100: The 'resource' request parameter is not supported.\\r\\nTrace ID: 94ab1ad1-36ed-4e2e-825e-546870f10500\\r\\nCorrelation ID: f2af853c-69fa-461a-90c0-8960e1ae241d\\r\\nTimestamp: 2017-09-28 16:17:54Z\",\"error_codes\":[90100],\"timestamp\":\"2017-09-28 16:17:54Z\",\"trace_id\":\"94ab1ad1-36ed-4e2e-825e-546870f10500\",\"correlation_id\":\"f2af853c-69fa-461a-90c0-8960e1ae241d\"}" @url=#<URI::HTTPS login.microsoftonline.com/.../token>
