Microsoft Dynamics CRM (Archived)

App Registrations: AADSTS65005


Background:

We have created a SaaS web application built with NodeJS on the Heroku platform. Using the Salesforce and Hubspot APIs, any users of those CRMs can OAuth into our application and our app can pull certain data from them on their behalf. We have gotten a request to integrate our solution with Microsoft Dynamics 365 CRM (we set up a trial version so we could test making REST API calls) ... however I am not at that point since we are currently at the problem described below ...

Research:

I have attempted to search Slack and found the following article with suggestions, but still ran into the same symptom described below. (stackoverflow.com/.../can-users-from-an-unmanaged-azure-ad-directory-sign-into-an-azure-ad-multi-tena)

Symptom:

I am attempting to follow the GitHub sample:

github.com/.../website-sample.js

I've registered my application under Azure Active Directory as a Web App / API with the Required Permissions set to Dynamics CRM Online. I have created my secret key and have filled in the various parameters in the sample above, however when I run my NodeJS application I am presented with the following error:

Request Id: 6ccd83dd-4864-4384-a69d-c2be05701600 
Correlation Id: a31d119b-ddc0-459e-979d-ed2b28b56118 
Timestamp: 2018-08-03T19:50:40Z 
Message: AADSTS65005: Using application '<Tenent>' is currently not supported for your organization <Tenent>.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of sell-on.com before the application Sell-On can be provisioned. 

Questions

  1. First question is, given the background described above ... am I on the right path to allow any users of different Microsoft Dynamics CRMs to OAuth and grant us access to pull data on their behalf?

If I am on the right path then my questions are:

  1. Even though I created our Azure Portal account, I am listed with a User Type of Member ... shouldn't I be an Admin?
  2. How do I become an Admin so that I can claim ownership?
  3. Based on the error above, is this just the tip of the iceberg of issues I am bound to face or is it too hard to tell?

Thank you for taking the time to read this and I hope to get some helpful feedback.

  • Suggested answer
    jlattimer

    Here's a good walk-through on getting set up: https://www.powerobjects.com/2018/05/18/authentication-dynamics-365-using-azure-apps/

    Besides registering the application in AAD you'll create an Application User in CRM. The one thing it leaves off at the end is after creating the Application User, you will need to assign it a security role, one with permissions to match the incoming requests. 

    Token request

    POST: https://login.microsoftonline.com/<YourTenantId>/oauth2/token

    Body:

    resource: https://<YourOrg>.crm.dynamics.com

    client_id: application id from application registration

    client_secret: secret/key from application registration

    grant_type: client_credentials

    Once you have the token, you can make requests to CRM's Web API endpoint

    Example:

    GET: https://<YourOrg>.crm.dynamics.com/api/data/v8.2/WhoAmI()

    Headers:

    odata-maxversion: 4.0
    odata-version: 4.0
    accept: application/json
    content-type: application/json; charset=utf-8
    authorization: Bearer <Token>
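The token request and WhoAmI() call from the answer above, written out for Node.js as an added example (not code from the thread or the linked walk-through). The function names are assumptions; `buildApiRequest` also refuses to attach the bearer token to any origin other than the resource URL it was requested for.

```javascript
// Added example (names are illustrative): client_credentials token request; nothing is sent here.
function buildTokenRequest({ tenantId, orgUrl, clientId, clientSecret }) {
  const resource = new URL(orgUrl);
  if (resource.protocol !== 'https:') throw new Error('resource must use https');
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/token`,
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    // URLSearchParams form-encodes the secret, which may contain +, / or =.
    body: new URLSearchParams({
      resource: resource.origin,
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: 'client_credentials',
    }).toString(),
  };
}

// Build the Web API call; the token is only ever attached to the resource's own origin.
function buildApiRequest(orgUrl, path, accessToken) {
  const resource = new URL(orgUrl);
  const target = new URL(path, resource);
  if (target.origin !== resource.origin) {
    throw new Error(`refusing to send bearer token to ${target.origin}`);
  }
  return {
    url: target.href,
    method: 'GET',
    headers: {
      'odata-maxversion': '4.0',
      'odata-version': '4.0',
      accept: 'application/json',
      'content-type': 'application/json; charset=utf-8',
      authorization: `Bearer ${accessToken}`,
    },
  };
}

// Network step (Node 18+ global fetch): token first, then WhoAmI().
async function whoAmI(cfg) {
  const t = buildTokenRequest(cfg);
  const tokenRes = await fetch(t.url, t);
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const r = buildApiRequest(cfg.orgUrl, '/api/data/v8.2/WhoAmI()', access_token);
  const res = await fetch(r.url, r);
  if (!res.ok) throw new Error(`WhoAmI failed: HTTP ${res.status}`);
  return res.json();
}
```

The error messages report only HTTP status codes, so neither the client secret nor the token ends up in logs.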
  • Community Member

    Thank you for the reply Jason and I have to say, "Hello fellow Wisconsinite".

    I followed the suggestions in the walk-through link and I feel like I have everything set up properly, but I am still getting the same error:

    access_denied
    AADSTS65005: Using application '<MyOrg>' is currently not supported for your organization sell-on.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of sell-on.com before the application <MyOrg> can be provisioned. 
    Trace ID: 256ab3a7-7081-4c6e-99f5-da8b42571700 
    Correlation ID: 32932f99-0a37-4d24-96b1-59e91a059a40 
    Timestamp: 2018-08-16 16:23:03Z

    In your example you are getting an Access Token, but I am following the Authorization Code Grant Flow. I have set up a Git Repo (node-crm-client) to show my current code. My .env file is set up with the following structure:

    DYNAMICS_CLIENT_ID=<Azure Application ID>
    DYNAMICS_CLIENT_SECRET=<Azure Secret Key>
    DYNAMICS_AUTH_HOST=https://login.microsoftonline.com
    DYNAMICS_AUTH_TENANT=<Azure Endpoint Tenant Value>
    DYNAMICS_AUTH_TOKENPATH=/oauth2/token
    DYNAMICS_AUTH_AUTHORIZEPATH=/oauth2/authorize
    DYNAMICS_AUTH_RESOURCE=https://<MyOrg>.crm.dynamics.com
    DYNAMICS_AUTH_REDIRECTURI=http://localhost:3000/auth/callback
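The authorization code flow this post describes, as an added Node.js example that is not the poster's repository code: it builds the authorize URL from the .env keys above and classifies the redirect back to the callback, including an access_denied response that carries an AADSTS code. The sample values, function names and result shape are assumptions made for illustration.

```javascript
// Web Crypto is a global in current Node.js; fall back to the module on older runtimes.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed sample values using the key names from the .env above (no real IDs).
const sampleEnv = {
  DYNAMICS_CLIENT_ID: '00000000-0000-0000-0000-000000000000',
  DYNAMICS_AUTH_HOST: 'https://login.microsoftonline.com',
  DYNAMICS_AUTH_TENANT: 'contoso.onmicrosoft.com',
  DYNAMICS_AUTH_AUTHORIZEPATH: '/oauth2/authorize',
  DYNAMICS_AUTH_RESOURCE: 'https://contoso.crm.dynamics.com',
  DYNAMICS_AUTH_REDIRECTURI: 'http://localhost:3000/auth/callback',
};

// Step 1: authorize URL plus an unguessable state value to keep in the user's session.
function buildAuthorizeUrl(env) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const url = new URL(
    `/${env.DYNAMICS_AUTH_TENANT}${env.DYNAMICS_AUTH_AUTHORIZEPATH}`,
    env.DYNAMICS_AUTH_HOST
  );
  url.search = new URLSearchParams({
    client_id: env.DYNAMICS_CLIENT_ID,
    response_type: 'code',
    redirect_uri: env.DYNAMICS_AUTH_REDIRECTURI,
    resource: env.DYNAMICS_AUTH_RESOURCE,
    state,
  }).toString();
  return { url: url.href, state };
}

// Step 2: classify the redirect back to /auth/callback before touching the token endpoint.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  // A missing or different state means this response does not belong to our request.
  if (!expectedState || q.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch', aadsts: null };
  }
  if (q.has('error')) {
    // Azure AD puts its AADSTS code at the start of error_description.
    const m = /AADSTS\d+/.exec(q.get('error_description') || '');
    return { ok: false, error: q.get('error'), aadsts: m ? m[0] : null };
  }
  const code = q.get('code');
  return code ? { ok: true, code } : { ok: false, error: 'missing_code', aadsts: null };
}
```

Only a result with `ok: true` should go on to the token endpoint; the client secret is needed there and nowhere in the two steps shown.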
  • jlattimer

    Did you replace the values in the placeholders <> with their actual values?

  • Community Member

    Yep, I didn't want to expose those values on a public forum so that is why I replaced them with the placeholders <>.

  • Community Member

    Morning Jason,

    Wanted to check in to see if you were able to take a peek at my Git Repo logic?
