Answered

HTTP 403 error by calling OData entities via app

Posted on by 35

Hi all


We are trying to make a call to a DAX-365 FO system via an app (using client id and secret id).

1) The app is registered in the Azure portal, and the following delegates are granted: Odata.FullAccess, Connector.FullAccess, CustomerService.FullAccess, AX.FullAccess

2) In FO the ClientId is registered in Azure Active Directory applications. The corresponding user has a SysAdmin role and is enabled.


The call fails with an HTTP 403 error.


After we tried to change the user in FO (to another one from another registered application), we could make the call.

Both the users have identical rights in FO: SysAdmin and SysUser roles.

What else should be checked / set up for the user given on the FO form "Azure Active Directory applications" to get the call working?


Best regards
Pavel

  • Suggested answer
    nmaenpaa
    101,160 Moderator

    Did you add your D365FO system URL in the reply URL list of the AAD application?

  • pavel.stikhin
    35

    You mean the form "Azure Active Directory applications" in FO? Yes, we have two applications there, one of them is from us. And for the linked user the call failed. When we change the user on our registration entry to the user from another application, it works.

  • Suggested answer
    nmaenpaa
    101,160 Moderator

    No, I mean the AAD application settings in Azure portal.

  • Sukrut Parab
    71,710 Moderator

    You must have already checked but can you confirm if the other user is enabled in F&O?

  • pavel.stikhin
    35

    Yes, both users are enabled in FO.

  • pavel.stikhin
    35

    Hi Nikolaos

    I can check the setting (I am quite sure that it is done), but the strange fact is that a change of user in FO makes the app calls fail / work. So I guess that there should be a parameter setting concerning users (in Azure portal).

  • Suggested answer
    nmaenpaa
    101,160 Moderator

    Ok, if the same app id works when you set up a different user in D365FO AAD Applications form, then the issue is not in the AAD application. Then the issue must obviously be in the user settings in D365FO (or AAD).

    Please double check that the user is enabled in AAD and D365FO.

    Can you login to D365FO with this user? That's of course the first thing to try before more advanced use cases such as integrations.

    What do you mean by this: "After we tried to change the user in FO (to another one from another registered application), we could make the call." What "other registered application"? Do you have one or many AAD app registrations?

  • pavel.stikhin
    35

    Hi Nikolaos

    Our user (let's call it user1), which I meant, is enabled in FO and we can log in with him.

    Yes, there is another registered application, in FO it has another user (let's call it user2), which has identical security roles as user1.

    After we change the mapping by our application from user1 to user2 we get the app call working.

    Another detail: we can get data from data entities directly via browser logged in by user1.

  • nmaenpaa
    101,160 Moderator

    Just to summarize and check that I understood the important details correctly.

    You have a record in Azure Active Directory Application form in D365FO. When this record is associated to User 2, you can call OData endpoint from your external application without issues. When this record is associated to User 1, the OData call fails with http 403 error.

    Both users User 1 and User 2 can login manually to the system without issues.

    Is this correct?

    Are both users from the same AAD tenant? 

  • pavel.stikhin
    35

    Thanks for the summarization, it is correct.

    Both users are from different tenants, is that an origin?

    User1 can nevertheless access OData via browser (but not via app calls).
