Microsoft Dynamics CRM (Archived)

Access MS Dynamics CRM Web API using different Azure AD

Hi,

I’m currently researching how to authenticate a multi-tenant web app to use the Dynamics CRM Web API. I’m able to make it work if I register the web app in the same Azure Active Directory used by Dynamics CRM and then use the password OAuth2 grant flow. But this is not the desired approach, since we don’t want customers to manually register the app in their Dynamics CRM environment. I’m investigating whether it’s possible to register the web app in my company's Azure Active Directory but still allow the web app to access an external customer’s Dynamics CRM Web API. This way I only need to register the app once in my company's Azure AD. For each new customer, I can somehow allow them to grant access to this app. I have done some experiments but the result was not successful. I'm wondering if I can use the OAuth2.0 authorization grant flow to implement this. My idea is to provide a provisioning web page to the customer. When a new customer lands on this page, it directs the customer to the grant page, which requires the customer to sign in using their CRM service account credentials. After they sign in, an authorization code is returned. Later on, the app can use this authorization code and the client secret to get an access token and invoke the Web API. Is this the right direction to go?

Thanks,

Jay

  • sbelzile

    Yes, this is the usual way to proceed. I implemented it recently. The documentation about this can be found on this site.

    With CRM, there are 2 kinds of OAuth authentication flows that you can use.

    If you develop a multi-tenant web app, then prompting the user for authorization is the way to go.

    If you require more flexibility for apps like a monitoring system, you can still prompt a CRM admin user to grant admin consent to your application, and then rely on the Application User functionality.

  • Community Member

    Hi sbelzile,

    Thanks for the quick response. My web app won't be able to prompt the user for authorization since it will be a batch task app that will be spun up and down once every month. So the request for authorization will be a one-time thing at provisioning time. Will the authorization code returned by the authorization grant flow work forever with no expiration, unlike the access token? Based on this use case, which approach (authorization grant flow vs. application user) do you recommend as the most appropriate?

    Thanks,

    Jay

  • sbelzile

    I am not what you could call an OAuth expert, but with the app I have been developing (a search provider; we have to monitor the CRM for changes), I went for the Application User.

    There are upsides and downsides to this method:

    Pros:

    - One time authorization

    - No need to deal with a refresh token

    - You can specify the exact privileges that you require.

    Cons:

    - Your client has to configure the Application User. (I will be looking to automate this on my side; I don't know if this is possible.)

    - Security: you need to make sure that your clients cannot modify the CRM URL as they wish, since this information is used as a key to request a token.

    If you decide to go for the Authorization Grant flow:

    - you will have to deal with the refresh token

    - you will have the same privileges as the user that grants consent (? to confirm)

    - I think there are limits to the number of times that you can refresh a token. I think there are settings to remove these limits as well. (? to confirm)

  • sbelzile

    The Application User feature has been added specifically for your type of use case. I would say this is the most appropriate approach.

  • Community Member

    Thank you sbelzile. I definitely will investigate the Application User feature further and understand what the biggest pain point will be if we choose to go this route. Meanwhile, I am still trying to get the authorization code flow experiment to work as a learning exercise for OAuth2.0. Can you take a look at what I am doing wrong?

    These are the steps I have followed so far.

    1. I have a CRM environment (call it CRMEnv) for which I have a global admin account. This CRM environment is not linked to my company's Azure AD, but it does have its own Azure AD subscription.

    2. I also have an account in my company's Azure AD. I registered a web app (call it 'TestCrmApp') there. I set the redirect URL as http://localhost/ and set it as multi-tenant. Under permissions I added the Dynamics CRM Online permission besides the default Azure Active Directory permission. I created a key also.

    3. I copy the following URL into the browser and run it to request authorization for the CRM account:

    login.microsoftonline.com(tenant id of CRMEnv)/oauth2/authorize?client_id=(Client Id of TestCrmApp)&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=query&scope=https%3A%2F%2Fcrmenv.crm.dynamics.com%2F&state=12345

    The browser redirects me to the login page and I sign in using the CRMEnv user/password. After I click sign in, I get a reply like this. The browser doesn't show a dialog asking me to accept the permission grant, though.

    localhost;state=12345&session_state=71e8e09e-cd3d-4480-80ce-01e9cfc73243

    Next, I use this authorization code to request an access token.

    POST login.microsoftonline.com(crmenv tenant id)/oauth2/token HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded

    client_id=(TestCrmApp client id)
    &resource=https%3A%2F%2Fcrmenv.crm.dynamics.com
    &grant_type=authorization_code
    &code=authorization_code_received
    &redirect_uri=http%3A%2F%2Flocalhost%2F
    &client_secret=keycreatedinAAd

    But I get the following error.

    Unexpected response status: 400, message: {"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed.\r\nTrace ID: d6ed51ae-3306-4847-836a-c3457ab20300\r\nCorrelation ID: d1554c9d-1e42-4c9f-bceb-f97e461d08ab\r\nTimestamp: 2017-06-01 21:40:18Z","error_codes":[70002,70000],"timestamp":"2017-06-01 21:40:18Z","trace_id":"d6ed51ae-3306-4847-836a-c3457ab20300","correlation_id":"d1554c9d-1e42-4c9f-bceb-f97e461d08ab"}

    What am I doing wrong? The only thing I suspect right now is that my company's Azure AD is not associated with an Office 365 subscription, as mentioned in this post, community.dynamics.com/.../212493.

    Thanks,

    Jay

  • Community Member

    I got it to work. I used the wrong tenant id when I requested the access token. I used the tenant id of my company's Azure Active Directory. I should use the tenant id of the CRMEnv Azure Active Directory.

  • sbelzile

    Don't bother with tenant IDs. Use the /common endpoint instead. It will save you from some headaches. :-)
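
The authorization code flow Jay walks through above, as an added example that is not code from this thread: it builds the authorize URL and the token request for the Azure AD v1 endpoint, sends the token request to the same tenant (or /common) that issued the code, and binds the callback to an unguessable state value instead of a fixed one. The client id, secret, tenant and org URL are placeholders, and the HTTP calls themselves are left to the caller.

```python
# Added example, not code from this thread. Placeholder ids/secrets; no HTTP call is made here.
from urllib.parse import urlencode, urlsplit, parse_qs
import json
import secrets

AUTHORITY = "https://login.microsoftonline.com"

def new_state():
    """Unguessable per-request state (the thread uses 12345, which a third party can predict)."""
    return secrets.token_urlsafe(24)

def authorize_url(tenant, client_id, resource, redirect_uri, state):
    """Authorization request; 'tenant' is the customer's tenant id or 'common'."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": resource,  # v1 endpoint: the CRM org URL is the resource
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"

def parse_redirect(redirect, expected_state):
    """Extract the code from the callback, rejecting it if the state does not match ours."""
    qs = parse_qs(urlsplit(redirect).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the callback")
    if "error" in qs:
        raise ValueError(qs.get("error_description", qs["error"])[0])
    return qs["code"][0]

def token_request(tenant, client_id, client_secret, code, redirect_uri, resource):
    """Token request; it must go to the same tenant (or /common) that issued the code,
    otherwise AAD answers invalid_grant (AADSTS70000), which is what Jay hit above."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in authorize_url
        "resource": resource,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/token", body

def aadsts_codes(error_body):
    """Pull the numeric AADSTS codes out of a 400 error body like the one in the thread."""
    return json.loads(error_body).get("error_codes", [])
```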

  • Community Member

    Thanks sbelzile for the tip. One more question: how do you provide the admin consent page to the customer? The "Test your application using a separate Dynamics 365 tenant" section in msdn.microsoft.com/.../mt790170.aspx just says "The administrator grants consent by navigating to the application using a browser." If my app is not listed in AppSource and doesn't have a UI at all, how does the administrator get to the consent page?

    I did a quick test. I just used the authorization link built when I tested the authorization code flow (the URL to get the authorization code, as in step 3 of my previous post). But the authorization code seems useless in the Application User approach. After I got back the authorization code, I simply used the client credentials flow (just client id and secret) to get an access token and used this token to get the CRM data successfully. I guess in the simplest case I can just send this link to the customer and let them click it to consent?

  • sbelzile

    > The administrator grants consent by navigating to the application using a browser. If my app is not listed in app source and doesn't have a UI at all, how does the administrator get to the consent page?

    You will have to create a page for that purpose.

    > The authorization code seems useless in application user approach.

    You are right. Once you have admin consent, you do not need to do a token request with the authorization code. In my app, I do it anyway (server-side), for security purposes: to ensure that consent was indeed granted and that nobody has been trying to send me some bad stuff.

    > I guess in the simplest way I can just send this link to the customer and let them to click it to consent?

    Yes, that would probably work.
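
The Application User route sbelzile describes, as an added example that is not code from this thread: it builds the admin consent link, builds the client credentials token request, and checks the resulting token's aud and tid against the customer's org URL and tenant before the app caches it, validating the org URL first since it keys the token request (sbelzile's "Cons" point above). The token here is a constructed, unsigned sample; signature verification and the HTTP POST are left to the caller.

```python
# Added example, not code from this thread. Placeholder ids/secrets; constructed sample token.
import base64
import json
import re
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# Only an https Dynamics 365 online org host (e.g. https://org.crm4.dynamics.com) is accepted.
CRM_HOST = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.crm[0-9]*\.dynamics\.com/?$")

def validate_crm_url(crm_url):
    """The CRM URL is the 'resource' the token is requested for, so never accept it unchecked."""
    if not CRM_HOST.match(crm_url.lower()):
        raise ValueError(f"refusing resource URL: {crm_url}")
    return crm_url.rstrip("/")

def admin_consent_url(client_id, redirect_uri, state):
    """Link to send the customer admin; prompt=admin_consent asks for tenant-wide consent."""
    q = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
         "prompt": "admin_consent", "state": state}
    return f"{AUTHORITY}/common/oauth2/authorize?{urlencode(q)}"

def client_credentials_request(tenant, client_id, client_secret, crm_url):
    """Token request for the app itself: no user sign-in and no refresh token to manage."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": validate_crm_url(crm_url)})
    return f"{AUTHORITY}/{tenant}/oauth2/token", body

def jwt_payload(token):
    """Decode (without verifying the signature) the JWT payload to inspect its claims."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))

def check_token(token, tenant, crm_url):
    """Before caching a token per customer, confirm it is for that customer's org and tenant."""
    claims = jwt_payload(token)
    return (claims.get("aud", "").rstrip("/") == validate_crm_url(crm_url)
            and claims.get("tid") == tenant)

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```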

  • Community Member

    Any response on how to do this? I am also looking to do a similar setup. In my case, my Azure AD is <company>.onmicrosoft.com, where I registered my app, and the Dynamics instance is <company>.crm.dynamics.com, and it is not working. I can get OAuth tokens from the app that I registered, but if I use them to access the Dynamics data using api/data/, I get a (401) Unauthorized error. In my App Registration, I am adding the Dynamics endpoint as a permitted application for access.

    Thanks!
