Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Access MS Dynamics CRM...
Microsoft Dynamics CRM (Archived)

Access MS Dynamics CRM Web API using different Azure AD

(0) ShareShare
ReportReport
Posted on by Community Member Microsoft Employee

Hi,

I’m currently researching on how to authenticate a multi-tenant web app to use Dynamics CRM web api. I’m able to make it work if I register the web app in the same azure active directory used by dynamics CRM and then use password OAuth2 grant flow. But this is not desired approach since we don’t want customer to manually register the app in their dynamics CRM environment. I’m investigating if it’s possible to register the web app in my company's azure active directory but still allow the web app to access external customer’s Dynamics CRM web api. This way I only need to register the app once in my company's Azure AD.  For each new customer, I can somehow allow them to grant access to this app. I had done some experiment but result is not successful. I'm wondering if I can use Oauth2.0 Authorization grant flow to implement this. My idea is to provide a provision web page to customer. When a new customer land on this page, it directs the customer to the grant page which requires the customer to sign in using their CRM service account credentials. After they sign in, a authorization code is replied. Later on, the app can use this authorization code and client secret to get access token and invoke web api. Is this the right direction to go?

Thanks,

Jay

*This post is locked for comments

  • sbelzile Profile Picture
    sbelzile on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    Did you read the documentation? msdn.microsoft.com/.../mt790170.aspx an application user associated with the registered application in Dynamics 365

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    No - where is this configured?

  • sbelzile Profile Picture
    sbelzile on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    @venkatran do you have an Application User in CRM?

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    Any response to how to do this? I am also looking to do a similar setup. In my case, my Azure AD is <company>.onmicrosoft.com where I registered my App and the Dynamics is <company>.crm.dynamics.com and it is not working. I can get OAUTH tokens from the app that I registered, but if I use that to access the Dynamics data using api/data/, I get (401) Unauthorized error. In my App Registration, I am adding Dynamics end point as a permitted application for access.

    Thanks!

  • sbelzile Profile Picture
    sbelzile on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    > The administrator grants consent by navigating to the application using a browser. If my app is not listed in app source and doesn't have a UI at all, how does the administrator get to the consent page?

    You will have to create a page for that purpose.

    > The authorization code seems useless in application user approach.

    You are right. Once you have admin consent, you do not need to do a token request with the authorization code. In my app, I do it anyway (server-side), for security purposes. To ensure that consent was indeed really granted and that nobody has been trying to send me some bad stuff.

    > I guess in the simplest way I can just send this link to the customer and let them to click it to consent?

    Yes, would probably work.

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    Thanks Sbelzile for the tip. One more question. How do you provide the admin consent page to the customer. The "Test your application using a separate Dynamics 365 tenant" section in msdn.microsoft.com/.../mt790170.aspx just says "The administrator grants consent by navigating to the application using a browser. " If my app is not listed in app source and doesn't have a UI at all, how does the administrator get to the consent page?

    I did a quick test. I just used the authorization link built when I tested the authorization code flow (the url to get the authorization code as in step 3 of my previous post). But the authorization code seems useless in application user approach. After I got back the authorization code, I simply used the client credential flow (just client id and secret) to get an access token and used this token to get the CRM data successfully.  I guess in the simplest way I can just send this link to the customer and let them to click it to consent?

  • sbelzile Profile Picture
    sbelzile on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    Don't bother with tenant IDs. Use the /common endpoint instead. It will save you from some headaches. :-)

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    I got it work. I use the wrong tenant id when I request the access token. I used the tenant id of my company azure active directory. I should use the tenant id of the Crmenv azure active directory.

  • Community Member Profile Picture
    Community Member Microsoft Employee on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    Thank you sbelzile. I definitely will investigate the Application User feature further and understand what will be the biggest pain point if we choose to go this route. Meanwhile, I still try to get the authorization code flow experiment work as learning part of OAuth2.0. Can you take a look at what I am doing wrong.

    This is the step I follow so far.

    1. I have a crm environment (call it CRMEnv) which I have a global admin account. This crm environment is not linked to my company Azure AD. But it does have its own Azure AD subscription.

    2. I also have an account in my company Azure AD. I registered a web app (call it 'TestCrmApp') there. I set the redirect url as http://localhost/. Set it as Multi-tenant. Under permissions I add Dynamics CRM online permission beside the default azure active directory permission. I create a key also.

    3. I copy the following url to the browser and run it to request authorization to the CRM account:

    login.microsoftonline.com(tenant id of CRMEnv)/oauth2/authorize?client_id=(Client Id of TestCrmApp)&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=query&scope=https%3A%2F%2Fcrmenv.crm.dynamics.com%2F&state=12345

    The browser redirect me to login page and I sign in using CRMEnv user/password. After I click sign in, I got the reply like this. The browser doesn't show a dialog to ask me to accept permission grant though.

    localhost;state=12345&session_state=71e8e09e-cd3d-4480-80ce-01e9cfc73243

    Next, I use this authorization code to request an access token.

    POST login.microsoftonline.com(crmenv tenant id)/oauth2/token HTTP/1.1

    Accept: application/json

    Content-Type: application/x-www-form-urlencoded

    client_id=(TestCrmApp client id)

    &resource=https%3A%2F%2Fcrmenv.crm.dynamics.com

    &grant_type=authorization_code

    &code=authorization_code_received

    &redirect_uri=http%3A%2F%2Flocalhost%2F

    &client_secret=keycreatedinAAd

    But I got the following error.

    Unexpected response status: 400, message: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed.\r\nTrace ID: d6ed51ae-3306-4847-836a-c3457ab20300\r\nCorrelation ID: d1554c9d-1e42-4c9f-bceb-f97e461d08ab\r\nTimestamp: 2017-06-01 21:40:18Z","error_codes":[70002,70000],"timestamp":"2017-06-01 21:40:18Z","trace_id":"d6ed51ae-3306-4847-836a-c3457ab20300","correlation_id":"d1554c9d-1e42-4c9f-bceb-f97e461d08ab"}

    What am I doing wrong? The only thing I suspected right now is that my company Azure AD is not associated with an office 365 subscription as mentioned in this post, community.dynamics.com/.../212493.

    Thanks,

    Jay

  • sbelzile Profile Picture
    sbelzile on at
    RE: Access MS Dynamics CRM Web API using different Azure AD

    The Application User feature has been added specifically for your type of use case. I would say this is the most appropriate approach.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

December Spotlight Star - Muhammad Affan

Congratulations to a top community star!

Top 10 leaders for November!

Congratulations to our November super stars!

Tips for Writing Effective Suggested Answers

Best practices for providing successful forum answers ✍️

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,269 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,198 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans