Microsoft Dynamics CRM (Archived)

MS Dynamics CRM Web API using Azure AD Multi-tenant App


Hi,

I'm trying to integrate our web app (collect form data and push data to customers' CRMs -- like Salesforce, Eloqua, Pardot, etc.) with MS Dynamics. Calls from our servers are simple HTTP requests from PHP using curl. I understand the OAuth process and have successfully used it on many previous integrations with other CRMs. Just to be clear, our web site/web app is NOT hosted with MS -- it's externally hosted.

However, I've hit a wall in just trying to get an access_token and then use that token to make requests to MS Dynamics. Here are the steps that i've currently taken to get to this point:

  • Signed up for a trial MS Dynamics account - this is a test account to attempt to read and write data (specifically Contact and Leads). Let's call this 'CustomerCRM'
  • Signed up for a separate Azure account - this is the location of the Active Directory where i registered an App (let's call it 'DataCapture'). Set it as type 'Web app / API', set the redirect and homepage urls, set it as Multi-tenant. And under permissions i checked all of them listed. When this goes live i will pare it down to exactly what i need (once i figure out what that is) but for now i check all since it should allow me to test pushing data to the CRM. I also set up a 'Key' under the API Access area -- i read somewhere that this is what is used as the client_secret used during the access_token request process (IS THIS CORRECT?!?).
  • Using a simple GET request via a browser, i make a call to request authorization of the App by the CRM account:

    login.microsoftonline.com/.../authorize
    client_id='xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
    &response_type='code'
    &redirect_uri='www.ourdomain.com/dynamics_cb' 
    &response_mode='query' 
    &state='SOME_UNIQUE_UID'

    Where client_id is the APP_ID found in the DataCapture Azure account under the created app. This presents a login form for 'DataCapture' asking for a user/pass. When i enter that info for an administrator from the 'CustomerCRM' account, i get redirected to the redirect_uri with a response parameter named 'code'. YEAH!

    However, what is weird is that if i try and add a 'resource' parameter to the above call like:

    &resource='customercrm.crm.dynamics.com'

    which i figured i should do , i get the following error after attempting the login with the same admin user:

    error: invalid_resource
    error_description: AADSTS50001: The application named customercrm.crm.dynamics.com was not found in the tenant named CustomerCRM.crm.dynamics.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.


    This seems very strange since the app is part of DataCapture -- not CustomerCRM ?!?

     

  •  OK, assuming the above GET call with the returned 'code' is actually good, we'll send the code to get an access_token:

    POST /common/oauth2/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache

    grant_type=authorization_code
    client_id=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
    code=AQABAAAAAADRNYRQ3dhRSrm-4K-ad....
    redirect_uri=www.ourdomain.com/dynamics_cb
    resource=customercrm.crm.dynamics.com
    client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Unfortunately i get the following response:

    [error] => unauthorized_client
    [error_description] => AADSTS65005: The client application has requested access to resource 'customercrm.crm.dynamics.com'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
    [error_codes] => Array
    (
        [0] => 65005
    )


Am i missing something somewhere in the CustomerCRM admin user settings? When i login to the Dynamics CRM and view the apps that user has, it shows the 'DataCapture' app and lists out all the permissions that were authorized when i authenticated the user.

Anyone have any ideas on what i might have messed up? Do i need to set up my app in the Azure account differently? Is it ok to use the Default Directory in the Azure Active Directory setup?

Any insight would be greatly appreciated!

-Michael


  • Suggested answer
    Dmitry Kozlov
    RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    If somebody is still looking for code samples demonstrating authentication via Azure AD app, check out this repository.

    It uses MSAL.NET (Azure AD v2.0), Azure AD app with delegated permissions to Dynamics CRM.

    Here is the Azure function that obtains a security token on behalf of a user and saves it into the cache.

    Then, the token is used for retrieving data from Dynamics CRM.

    The approach is suitable for multi-tenant Azure AD apps as well and does not require registering Application User in Dynamics CRM. Find the complete installation guide here.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Thanks.
    Just for the history. Another way to do this is to use the discovery service. This solution works fine for me.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Hi xose,

    I had to ask the user for this information prior to starting the OAuth process. So i have a field where i ask for this information and store the resource (example.crm.dynamics.com) so that i can use it when asking for a new access_token. I just make it part of the workflow for our integration with MS Dynamics: ask the user for the resource of their Dynamics account and then move on to the authorization steps.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Hi,

    Could you explain, please, how to deal with the 'resource' param when getting an OAuth access_token using a code?

    In my understanding, when I have the code on my server side I don't know anything about the customer tenant or a valid crm.dynamics URI.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    When requesting a token via the /token API, can we use the "https://graph.windows.net" resource, and use the token received in response to access the Dynamics Online REST API?

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Oh I forgot, if you have an Office 365 trial you cannot access the AD behind it unless you pay, but one can do something else, as I did.

    Create an Azure trial and link the Azure AD with the Office 365 AD.

    That way you will be able to administer the Office 365 AD and its apps without paying.

    I am able to import external apps as well, but not external users.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Hello Michael,

    What you did in the end is not the situation that you described in your 1st post; sadly, that is not what I needed. As I described, I have 2 or more ADs because we will do SaaS. Working with only one is not that hard: one is inside the same AD context and can easily grant permissions. One could look for some examples on the internet or in the Azure SDK and understand the concepts and all the parts that integrate the system. (That takes like a week and experimentation.)

    The answer coming from Colin Vermander is the right one. I followed his idea and it works, but not as I wish, since one loses the native credentials of the logged-in user. The point is to use the identity of the logged-in user in CRM and not someone else, although impersonation is possible.

    I had another idea to make this possible, I am about to program this soon.

    In Azure terms, one can only get a connection token for CRM with an access token generated in the same AD.

    (or username/password with code)

    If you have a website and know which company the user comes from, one could redirect them to the login portal of their AD, and when they log in, the call is redirected back to you and so one gets the access token from their AD. With this you can generate the CRM token and other tokens you need.

    The positive is that you call CRM as the logged in user.

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Hi Geogiam,

    Read my initial post on how i got everything setup.  Everything i listed is what i did EXCEPT for the second step (Signed up for a separate Azure account).  The Azure account where you register the App needs to be a paid Office365 account.  You can't just use a stand alone Azure account.  

    Using the setup as i outlined i was able to use the access_token to make requests.

    Also, i guess one other thing i was doing wrong was forgetting to add 'https://' to the value for the 'resource' parameter when requesting the access_token.

    Hope that helps... i understand how frustrated you might be -- i spent WAY too much time trying to get it all figured out.  

    -Michael
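
The two fixes reported in this thread, collecting the customer's Dynamics host before the OAuth flow and sending it as `resource` with the `https://` prefix, sketched in PHP as an added example that is not code from any poster. Function names, the host allowlist pattern and the sample values are assumptions; the allowlist and the `state` comparison are included because the resource is customer input that decides where the issued access token will be presented.

```php
<?php
// Added example; function names and the host allowlist are assumptions.

// Turn the host a customer typed in into the value sent as `resource`.
function normalizeResource(string $input): string
{
    $input = rtrim(strtolower(trim($input)), '/');
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#', $input)) {
        $input = 'https://' . $input;            // the prefix missing in the thread
    }
    $p = parse_url($input);
    if ($p === false || ($p['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('resource must use https');
    }
    foreach (['user', 'pass', 'port', 'path', 'query', 'fragment'] as $part) {
        if (isset($p[$part])) {
            throw new InvalidArgumentException("resource must not contain a $part");
        }
    }
    // Assumed pattern for Dynamics Online hosts (org.crm.dynamics.com, org.crm4...).
    $host = $p['host'] ?? '';
    if (!preg_match('/^[a-z0-9][a-z0-9-]*\.crm[0-9]*\.dynamics\.com$/', $host)) {
        throw new InvalidArgumentException('not a Dynamics CRM Online host');
    }
    return 'https://' . $host;
}

// Constant-time check of the `state` value returned to the redirect URI.
function stateMatches(string $expected, string $returned): bool
{
    return $expected !== '' && hash_equals($expected, $returned);
}

// Form body for the POST to /common/oauth2/token, URL-encoded and joined with '&'.
function buildTokenRequestBody(string $code, string $resource, array $app): string
{
    return http_build_query([
        'grant_type'    => 'authorization_code',
        'client_id'     => $app['client_id'],
        'client_secret' => $app['client_secret'],
        'code'          => $code,
        'redirect_uri'  => $app['redirect_uri'],
        'resource'      => normalizeResource($resource),
    ], '', '&');
}

// Constructed sample values, not real credentials.
$app = ['client_id' => '00000000-0000-0000-0000-000000000000',
        'client_secret' => 'PLACEHOLDER_SECRET', 'redirect_uri' => 'https://www.ourdomain.com/dynamics_cb'];
echo buildTokenRequestBody('SAMPLE_CODE', 'customercrm.crm.dynamics.com', $app), "\n";
```

Run `normalizeResource()` once when the customer saves the host and again before each token request, so a stored value edited later cannot point the token at a host outside the allowlist.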

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Hello Michael and Colin,

    I am trying to create an environment like Michael initially suggested, where users have their own AD with Office and CRM and we provide SaaS; they come to us, log in with their credentials, and our app accesses their CRM.

    I have not been able to do it.

    The external users log in with me; my app is registered in their AD but without CRM access.

    I am sure Colin's answer will work, but I don't want to tell my consuming companies to install software and complex configuration to connect with me.

    There should be another way, maybe exchanging a user?

    George Baxter

  • RE: MS Dynamics CRM Web API using Azure AD Multi-tenant App

    Fyi,

    If i wasn't clear in the previous post -- the CRM Dynamics account that authorizes access to the App is completely separate and not tied at all to the Office365 account where the App registration is completed. The App is able to access ANY MS Dynamics Account (tenant) as long as the Dynamics user authorizes the App.

    Just wanted to make sure i was clear on explaining the accounts here...

    -Michael
