Hi,
I thought I finally figured out OAuth authentication, but now it seems I am missing something in relation to Dynamics 365 CRM. Here is the scenario: A record change in Dynamics 365 CRM is sending a message to an Azure Service Bus queue. This triggers an Azure Function which should retrieve records from Dynamics 365 CRM - using the OData endpoint - for processing.
As an Azure Function is a background process without an active user interaction, OAuth authentication needs to happen in the background. I figured I would register the Azure Function as an app in Azure AD and use the ClientId (and secret) to access Dynamics CRM. But as Dynamics CRM only has Delegated Permissions (which require a user context) and no Application Permissions, this isn't going to work (as far as I understand).
The workaround is to provide a username and password (in the UserCredentials object) and perform authentication using these. This only requires the admin to consent to the app for all users in Azure AD. This seems to work (using ADAL v2), but in ADAL v3 the option to supply a username and password in UserCredentials is removed, so this doesn't seem like a future-proof solution.
Is there a (good) solution to make this work? I would like to use Azure Functions for all kinds of background and batch operations for CRM, but the authentication is a problem. Is there a way to get the active credentials (clientId) from the logged-in CRM user to the function app? Maybe by using an authenticated HTTP trigger on the functions app? How to get the credentials from a plugin to the functions app? And calling other function apps (which have storage queue triggers) to access these credentials.
Any suggestions are welcome, or a way to convince Microsoft to add Application Permissions to Dynamics CRM.
Thanks in advance,
Arjan
P.S. CRM Data Export Service, Portals and Voice of the Customer seem to use service-to-service authentication without client credentials?!
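
The distinction the post turns on (delegated permissions with a user context versus application permissions) is visible in the claims of the access token Azure AD issues. As an added example, not part of the original post: a Python sketch that decodes a token's payload and reports whether it is delegated or app-only. It assumes Azure AD's `scp`, `roles`, `upn` and `appid` claims; the tenant, account and app id values are constructed, the sample tokens are unsigned, and no signature is verified, so this is for inspection only.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def classify(jwt: str) -> dict:
    """Report whether a token carries a user context (scp) or is app-only."""
    claims = decode_claims(jwt)
    delegated = "scp" in claims  # delegated tokens list scopes in 'scp'
    return {
        "kind": "delegated" if delegated else "app-only",
        "client": claims.get("appid"),
        "user": claims.get("upn") if delegated else None,
        "permissions": claims["scp"].split() if delegated else claims.get("roles", []),
    }


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


# Constructed samples: what the username/password workaround yields (a token
# tied to the stored service account) versus an app-only token.
RESOURCE = "https://contoso.crm.dynamics.com"          # hypothetical org URL
APP_ID = "00000000-0000-0000-0000-000000000001"        # placeholder client id
PASSWORD_GRANT_TOKEN = make_sample({"aud": RESOURCE, "appid": APP_ID,
                                    "scp": "user_impersonation",
                                    "upn": "svc-crm@contoso.example"})
APP_ONLY_TOKEN = make_sample({"aud": RESOURCE, "appid": APP_ID, "roles": []})

if __name__ == "__main__":
    for name, tok in [("password grant", PASSWORD_GRANT_TOKEN),
                      ("client credentials", APP_ONLY_TOKEN)]:
        print(name, "->", classify(tok))
```

A delegated result means every call the function makes runs with the rights of the account named in `user`, which is why that account's password and role assignments need the same protection as a client secret.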