Microsoft Dynamics CRM (Archived)

MS Dynamics CRM Web API using Azure AD Multi-tenant App


Hi,

I'm trying to integrate our web app (collect form data and push data to customers' CRMs -- like Salesforce, Eloqua, Pardot, etc.) with MS Dynamics. Calls from our servers are simple HTTP requests from PHP using curl. I understand the OAuth process and have successfully used it on many previous integrations with other CRMs. Just to be clear, our web site/web app is NOT hosted with MS -- it's externally hosted.

However, I've hit a wall in just trying to get an access_token and then use that token to make requests to MS Dynamics. Here are the steps that I've currently taken to get to this point:

  • Signed up for a trial MS Dynamics account - this is a test account to attempt to read and write data (specifically Contacts and Leads). Let's call this 'CustomerCRM'.
  • Signed up for a separate Azure account - this is the location of the Active Directory where I registered an App (let's call it 'DataCapture'). Set it as type 'Web app / API', set the redirect and homepage URLs, set it as Multi-tenant. And under permissions I checked all of them listed. When this goes live I will pare it down to exactly what I need (once I figure out what that is), but for now I check all since it should allow me to test pushing data to the CRM. I also set up a 'Key' under the API Access area -- I read somewhere that this is what is used as the client_secret during the access_token request process (IS THIS CORRECT?!?).
  • Using a simple GET request via a browser, I make a call to request authorization of the App by the CRM account:

    login.microsoftonline.com/.../authorize
    client_id='xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
    &response_type='code'
    &redirect_uri='www.ourdomain.com/dynamics_cb' 
    &response_mode='query' 
    &state='SOME_UNIQUE_UID'

    Where client_id is the APP_ID found in the DataCapture Azure account under the created app. This presents a login form for 'DataCapture' asking for a user/pass. When I enter that info for an administrator from the 'CustomerCRM' account, I get redirected to the redirect_uri with a response parameter named 'code'. YEAH!

    However, what is weird is that if i try and add a 'resource' parameter to the above call like:

    &resource='customercrm.crm.dynamics.com'

    which I figured I should do, I get the following error after attempting the login with the same admin user:

    error: invalid_resource
    error_description: AADSTS50001: The application named customercrm.crm.dynamics.com was not found in the tenant named CustomerCRM.crm.dynamics.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.


    This seems very strange since the app is part of DataCapture -- not CustomerCRM ?!?

  • OK, assuming the above GET call with the returned 'code' is actually good, we'll send the code to get an access_token:
POST /common/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=authorization_code
client_id=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
code=AQABAAAAAADRNYRQ3dhRSrm-4K-ad....
redirect_uri=www.ourdomain.com/dynamics_cb
resource=customercrm.crm.dynamics.com
client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Unfortunately I get the following response:

[error] => unauthorized_client
[error_description] => AADSTS65005: The client application has requested access to resource 'customercrm.crm.dynamics.com'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
[error_codes] => Array
(
[0] => 65005
)


Am I missing something somewhere in the CustomerCRM admin user settings? When I log in to the Dynamics CRM and view the apps that user has, it shows the 'DataCapture' app and lists out all the permissions that were authorized when I authenticated the user.

Anyone have any ideas on what I might have messed up? Do I need to set up my app in the Azure account differently? Is it OK to use the Default Directory in the Azure Active Directory setup?

Any insight would be greatly appreciated!

-Michael

  • Suggested answer by razdynamics (17,308, User Group Leader)

    Hi Michael, was your Azure AD user synced to the CRM user a global admin user for the Office 365 account?

  • Suggested answer by Colin V

    Hi Michael, a couple of things... you need to be in the same tenant for both CRM and Azure AD. It sounds like you created another tenant with your Azure subscription.

    You also need to use the native app and client ID/secret is not supported for CRM currently, you must include login creds.  You do still need the clientID from the native app.

    Unfortunately you will also be blocked from trying this with the trial account as Microsoft doesn't allow access to a CRM's Azure AD in a trial.

    If you didn't have a trial you would log in to portal.office.com with your same account for CRM, likely username@tenantname.onmicrosoft.com, go to Admin, on the left side click Admin Centers and select Azure AD. With a trial account you will get the "you must be a paid account" message; if it was a full account you would then be in the classic Azure portal and manage the Azure AD from there to add your native app, get your clientID, and give delegated permission to the CRM Online Application for that native app.

    Then you would be able to request a token for the CRM resource using your native app clientid with your username@tenantname.onmicrosoft.com with password for the login creds, and grant_type=password. See the following stackoverflow post of a REST example call to get an ADAL token - stackoverflow.com/.../node-js-https-post-with-body-attributes-how

    You should still be able to test out getting a token with Azure AD in your current subscription just not to a resource you have no access to.

    Once you have your bearer token then you just include it with each request to the web api.

  • Community Member

    @Raz,

    Not sure what you mean by synced to the CRM? The Azure AD that I have the app set up in is separate from the Dynamics/365 account.

    If you mean the user from the Dynamics account I tried to authenticate -- yes, that user has global admin permissions.

    -Michael

  • Community Member

    @Colin,

    Thank you for the reply! Please bear with me and my questions because I am not at all familiar with this MS universe and how all the different accounts and services are allowed to play with one another :-)

    So what you're saying is that I cannot use a stand-alone Azure AD and set up a Web App/API application (Multi-tenant) that can then be used to authenticate users from external MS Dynamics accounts? I'm required to have an Office 365/MS Dynamics (online or on-premises?) account, and create a Web App/API application (Multi-tenant) in the Azure AD associated with that account? I guess I don't see why having an Office 365/MS Dynamics account would make a difference when trying to get authorization from other users on completely separate accounts/installations....

    You also need to use the native app and client ID/secret is not supported for CRM currently, you must include login creds.  You do still need the clientID from the native app

    You're saying that I shouldn't create the Azure AD app as a Web App/API type -- I need to create it as a Native type? From my research yesterday of my problem I did find someone else that had issues connecting and they used the user/pass combo and they said it worked. I also tried it but it didn't work for me -- but my app is set up as a Web App/API type.

    Unfortunately you will also be blocked from trying this with the trial account as Microsoft doesn't allow access to a CRM's Azure AD in a trial.

    I can see why they might do this - but I still don't see why I can't have a separate Azure AD account that is used as the source of my app.

    I'm going to try and create a native app in my separate Azure AD account and test connecting to my test Dynamics account -- I mean I can currently authorize the DataCapture app on the users in the Dynamics account (it shows all the permissions that the app requires). I would think if it wasn't allowed at all it wouldn't even allow the authorization of the app in the first place, but maybe that's a bug...

    -Michael

  • Suggested answer by Colin V

    Hi Michael,

    I think you might be expecting that the multi-tenant switch in an Azure AD app allows you to access other tenants' applications like CRM. The problem is that CRM does not allow you to configure applications that it grants access to; it requires a user account for access. The stand-alone Azure AD you have has no access to the other tenants' Azure ADs or their CRMs; you are using a client id and requesting a resource (CRM) that client id has no rights on. You do not need your own Azure AD for what you want to accomplish, you just need to get the access token for each CRM you want to access. To do so you need your clients (tenants) to create an application in their Azure AD that grants access to their CRM. Some background that might help...

    Dynamics CRM Online uses an Azure AD for its authentication, both the CRM and the Azure AD are all in a tenant like contoso.onmicrosoft.com.

    When you create an application in an Azure AD you assign it permissions to other applications, Dynamics CRM being one of those but what may not be obvious is that it is the Dynamics CRM instances in the same tenant as the Azure AD. Not all CRM Online instances. So when you have your own Azure AD app the permissions you assign it are only within your tenant.

    You can still have your application (and it could reside anywhere, your own Azure subscription or elsewhere externally) that works with multiple tenants/CRMs, but for each of your tenants/CRMs you will have to have them do the following:

    1. Create a native application in their Azure AD (the same AAD that the CRM uses)
    2. Assign it permission to CRM with delegated right "Access CRM Online as organization users"
    3. Provide you with the client id, their tenant id, as well as a service account with a username and password.

    The client id identifies you as a certain application that has delegated rights to CRM, the credentials are the authentication/authorization to the directory (Azure AD) and identifies you in CRM for authorization of your roles.

    As someone from your application wants to access or push data to one CRM or another, you will then, before any requests to the CRM API, have to request a token for that CRM's Azure AD. I have taken a snapshot of a Postman example below. Once you have the bearer token you just include it in CRM Web API requests. The Azure AD app is only for getting the token and refreshing it. You do not include the client id in CRM requests.

    snip_5F00_20160924205412.png

    You could use a web/api app in the Azure AD if you wanted; they give you the same result of getting the token but require you to include everything in the Postman request above plus client_secret.

    If CRM supported client id/secret without the need for a user account then this would have been easier and you wouldn't need a CRM license for a service account.

  • Community Member

    Thanks for your reply Colin.

    If you get a chance, could you go here ( https://zapier.com/ ) and sign up for a trial account. Zapier does exactly what I'm trying to do. I think they offer a free 14 day trial. Once signed up you can create a Zap or go to the Connected Accounts section and set up your integration with your CRM account. They appear to use the same authorize method I did (see original post) when authorizing the app to the CRM user account. I tried testing my CustomerCRM trial account -- which authorized their Zapier app just fine, but when testing creating a Lead it would error out -- which I think is because it's a trial Dynamics CRM account.

    Here is their quick help page on MS Dynamics if you're curious ... zapier.com/.../microsoft-dynamics . Anyway, if you get a chance to try it -- please let me know the results...

    I hate to ask someone to go through that but if I had a non-trial account I could do it... I guess I'm just going to have to pay for a 5 user Dynamics account in order to test this out. Which I think is a bunch of crap that I can't just pay for a single dev license or something for testing -- but that's a rant for a different post...

    Thanks for your help though Colin -- I appreciate it!

    -Michael

  • Community Member

    WOO HOO!  Got it figured out and it works with client_id and client_secret -- no need for user/pass combo.  

    For those who might be stuck or can't get it figured out... The Azure AD account where you need to register the App is the Azure AD associated with a paid Office 365 account. Also, when registering the App (set as Web/API type, and set as Multi-tenanted) in the Azure AD account, under 'Required Permissions' I had to add the API 'Dynamics CRM Online' to the list of APIs and then check the 'Access CRM Online as organization users' permission. Also make sure the Windows Azure Active Directory API permission 'Sign in and read user profile' is checked. Also make sure to create a 'Key' for the app as well -- this is used as the 'client_secret' when requesting an 'access_token' later on...

    Then using the authorize GET request as outlined in my original post (you do not need to add a 'resource' parameter) in your browser, you can authorize your App even to a trial MS Dynamics CRM Online account user. This will ask you to log in to your MS Account - once logged in it will ask you to authorize permissions for your app:

    • Sign you in and read your profile
    • Access CRM Online as you

    Once you accept, the App is added to your user Apps and it returns a 'code' parameter to your Redirect URL. You can then use this 'code' to request an access_token -- even using only the client_id and client_secret. The only thing you need to know beforehand is the 'resource' of the CRM account you want to access via the API (for example somecustaccount.crm.dynamics.com). This is passed along with the request to get an access_token.

    Then using the access_token you can use the Web API like normal!!!

    My whole issue was not creating the App in an Azure account tied to an Office 365. I think @Colin referred to this in his post above but it didn't click that I needed to have some sort of Office 365 user in order to access someone's CRM account - not a stand-alone Azure AD account with no Office 365 user.

    Let me know if anyone has questions...

     -Michael

  • Community Member

    Fyi,

    If I wasn't clear in the previous post -- the CRM Dynamics account that authorizes access to the App is completely separate and not tied at all to the Office 365 account where the App registration is completed. The App is able to access ANY MS Dynamics Account (tenant) as long as the Dynamics user authorizes the App.

    Just wanted to make sure I was clear on explaining the accounts here...

    -Michael

  • Community Member

    Hello Michael and Colin,

    I am trying to create an environment like Michael initially suggested, where users have their own AD with Office and CRM and we provide SaaS; they come to us, log in with their credentials and our app accesses their CRM.

    I have not been able to do it.

    The external users log in with me, my app is registered in their AD but without CRM access.

    I am sure Colin's answer will work, but I don't want to tell my consuming companies to install software and complex configuration to connect with me.

    There should be another way, maybe exchanging a user?

    George Baxter

  • Community Member

    Hi Geogiam,

    Read my initial post on how I got everything set up. Everything I listed is what I did EXCEPT for the second step (Signed up for a separate Azure account). The Azure account where you register the App needs to be a paid Office 365 account. You can't just use a stand-alone Azure account.

    Using the setup as I outlined I was able to use the access_token to make requests.

    Also, I guess one other thing I was doing wrong was forgetting to add 'https://' to the value for the 'resource' parameter when requesting the access_token.

    Hope that helps... I understand how frustrated you might be -- I spent WAY too much time trying to get it all figured out.

    -Michael
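The authorization-code flow that Michael describes in his original post and his write-up of the working setup (including the 'https://' on the resource from his last note), as an added example that is not code from the thread; Michael used PHP with curl, this is Python with only the standard library. The client ID, secret, redirect URI, organization host and the callback/response samples are constructed placeholders, and the 'state' check on the callback is added here as the defensive step a practitioner would want.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Azure AD v1 endpoints used in the thread (the 'common' tenant path).
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"

# Constructed sample values for the demo; not real codes, secrets or tokens.
SAMPLE_CALLBACK = "https://www.ourdomain.com/dynamics_cb?code=AQABAAAA-sample&state=st-123"
SAMPLE_ERROR = ('{"error":"unauthorized_client","error_description":'
                '"AADSTS65005: The client has not specified this resource...",'
                '"error_codes":[65005]}')
SAMPLE_TOKEN = '{"token_type":"Bearer","access_token":"eyJ-sample","refresh_token":"r-sample"}'

def new_state():
    # Unguessable per-login value; store it in the user's session before redirecting.
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id, redirect_uri, state):
    # Same parameters as the original post, URL-encoded and without quote characters;
    # no 'resource' here, which is what triggered AADSTS50001 in the thread.
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Accept the code only when 'state' matches the value this session issued.
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]

def build_token_body(client_id, client_secret, code, redirect_uri, org_host):
    # Body for the POST to TOKEN_URL. 'resource' must be the full https:// URL of
    # the organization (the missing scheme was the last bug fixed in the thread).
    resource = org_host if org_host.startswith("https://") else "https://" + org_host
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri,
                      "resource": resource, "client_secret": client_secret})

def parse_token_response(raw_json):
    # Return (access_token, refresh_token) or raise with the AADSTS error text.
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], data.get("refresh_token")
```

The returned access_token goes in the Authorization: Bearer header of each Web API call; the client_id and secret are never sent to the CRM itself.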
