CRM Online Web API Error 401 : Unauthorized : Access is denied

(3) Share

Report

Posted on by Community Member

Hi All,

I have been trying to test the CRM Online Web API, to verify if it could be a good solution for my PHP public web site to input data into CRM.

The goal here is to create a new Contact in CRM whenever an (unidentified) user submits a form in the web site.

For testing purposes, I am using REST/JSON requests sent via Postman to try to achieve this.

I went through a lot of pain to register my web site in Azure AD, and to post a JSON request to login.microsoftonline.com/<my_tenant_id>/oauth2/token that would allow me to get an access token, by the "client_credentials" method.

I am finally able to get tokens that look quite good :

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "1458152686",
  "not_before": "1458148786",
  "resource": "xxxxxx.crm4.dynamics.com/.../v8.0",
  "access_token": "iOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiJodHRwczovL2tsZWVjcm0uY3JtNC5keW5hbWljcy5jb20vYXBpL2RhdGEvdjguMC8iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8zZDExOTNiNS1iMzNjLTRhOTEtY_ELUUQGw5PF8OSPsFoNh6SPUgnFoqtbHL4dCWnyuLxlbyvMWuQNWotMRJAhQGo7nRmQYSYSHX62XW76ArlqKAvhyXTlhn68ma5ZFx_ohMBGR4_W4FrgNaZC5e7OQ2QNAl8wq33vrzi7OFEjHRHPygt__VB7rCybqBbLIpFZPcZqoiy1johpAEMpgK332VLoH5jBBa5kf39TWI7Y5FlXtQ"
}

I used a token to post a sample JSON request that would create an account to https://xxxxxx.crm4.dynamics.com/api/data/v8.0/accounts but I keep getting a 401 error (Unauthorized : Access is denied").

It looks like the token is good, because if I alter it, I get another error indicating that the token is incorrect.

I have to be close to a solution here but I can't figure it out. What am I missing ?

*This post is locked for comments

All responses (30)

Answers (0)

Suggested answer

Effy 5 on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

The correct way for an external application to authenticate is not with the 'password' grant_type, you need the 'client_crdentials' grant_type, and the reason you're getting the 404 Access Denied error is because Dynamic is not aware of the application.

You need to set up an "Application User" in dynamics (this does not require a password) and enter only your application/client id and set up a role for it, this will link dynamics to the application in active directory.

Here's a full walkthrough: www.wrapcode.com/server-authentication-dynamics-crm
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

Hi,

I am really new to CRM. My aim is to integrate .net application with Dynamics CRM using Web API.

I am having issues with the authentication.

Below are the steps I did.

1. In Azure Portal, From App Registrations, I created a Native App.

2. I specified the redirect url as login.microsoftonline.com/<GUID>/

Note: To get the above Guid, from Azure portal, selected "Azure Active Directory" -> "Properties" and took the value under "Directory ID"

3. Now selected "Required Permissions", added "Dynamics CRM Online" under select an API and under Delegated permissions

added "Access CRMOnline as Organisations Users" option.

Note: I can't find any items under Application Permissions. If this is needed, how can I add it?

4. Once the above is done. I used the above code. My values are,

resource = "Url of Dynamics 365"

authresource = "https://login.windows.net/<GUID>/".

Note: The Guid is the same as specified in Step-2 above.

clienid = "<GUID"

Note: To get the Guid for client id, I logged into Dynamics 365, Navigated to Settings -> Customizations. Took the ID from

Instance Reference Information section.

When i execute the line var result = httpClient.PostAsync(authResource + "oauth2/token", content);,

I get the below error,

{

"error": "invalid_grant",

"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\n\r\nTimestamp: 2017-08-22 05:23:02Z",

"error_codes": [

70002,

50126

],

"timestamp": "2017-08-22 05:23:02Z",

"trace_id": "d9903b0f-59f2-48c3-92d6-cc97e3ea0500",

"correlation_id": "05573c1d-3a21-44af-a379-35331690935b"

}

But using the username and password, i can login to Azure portal as well as to Dynamics 365 without any issues. This user is created as a Service Account.

Can anyone please help with this issue or pls let me know if I am making any mistake in any of the above steps? like getting the Tenant Id or Client Id or anything.

Thanks in Advance

Regards,

SVP
Chris Jibb on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

I had exactly the same problem as described by the OP. I am using the ADAL library with NodeJS - https://github.com/AzureAD/azure-activedirectory-library-for-nodejs and followed the samplese from Github. I had what seemed to be a correct token but when trying to use that token and request Contact details, i kept getting a 401 error.

I fixed by changing the resource from what was suggested in the samples i.e the guid of the Dynamics 365 application

var resource = '00000002-0000-0000-c000-000000000000';

to

var resource = 'https://orgname.crm4.dynamics.com';

and this seemed to do the trick. Otherwise, using the adal-node library was relatively straightforward!
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

I am also using login.windows.net . The code value is found on both *login.microsoftonline.com* as well as *login.windows.net*. It is only at the time of authorization of the credentials when you hit the URL, the redirect URL contains code in it as query string. I am using that code value for accessing token from the HTTP request.
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

What endpoint are you using to make your token requests? I'm using *login.windows.net*. Are you using *login.microsoftonline.com*? If you are then that might be the reason why you need to include the authorization `code` in your token requests.
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

Yes kenny, the app was authorized by the process but still i was not able to access token. So i used this query string values ( &client_id=YOURCLIENTID

&code=YOURCODE&redirect_uri=ms-app://s-123456789

&resource=https%3A%2F%2Fservice.contoso.com%2F

&client_secret=p@ssw0rd ) for getting the token. Now the token i got from this is valid token, and works for me.
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

You don't need to open the "ms-app link". It's just trying to open the "Home Page" you configured for your app in the Azure Active Directory registration. Try using the admin credentials in your app as you planned; it should work now that you've entered the credentials and allowed the app to login to Dynamics for the user you logged-in-as.
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

I have trying this code for a long time .I am creating windows Phone app 8.1 to login into Dynamic 365 account.. I got token successfully but that token then shows unauthorized access for getting accounts list. So i then used the grant-type:permission code as mentioned by Joao R., But it did not work. Instead i started getting a new error "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access".

I am using admin credentials and have granted every access to the app user. And still i am getting this error. So Kenny Evitt wrote here to manually' login as the user via browser. I tried that too. I was redirected to a login page where i entered the credentials and then it asked me to open ms-app link. Here i was stuck , because i dont know where to open this ms-app link, as its NOT opening in any browser/powerapp/visualStudio,etc.. What should i do to make this work.

Thanks

Avy
Community Member on at

Like (0)

Report

RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

Hi Michael,

You need to enable permissions for your application. You can do so with the URL Kenny provided, or via the Azure Portal. See the following link.

stackoverflow.com/.../the-user-or-administrator-has-not-consented-to-use-the-application-send-an-int
Community Member on at

Like (0)

Report
RE: CRM Online Web API Error 401 : Unauthorized : Access is denied

I had to 'manually' login as the user I wanted to use with my app and explicitly allow the app to connect as that user before I could connect (and receive an access token or successfully make any other web API calls). I logged-in at a URL like the following:

https://login.windows.net/my-company-tenant-id/oauth2/authorize?client_id=my-app-client-id&response_type=code&resource=https%3A//my-company.crm.dynamics.com