
CrmServiceClient Connectionstring or certificate authentication security

Posted by Mike Sowerbutts

I am writing a publicly available middleware web application to enable our application to communicate with Dynamics 365 to read and write data (i.e. Opportunities etc.)

Currently, I have implemented certificate-based authentication, where the certificate is stored within the Azure App Service, the certificate thumbprint is stored within the app service's app settings and the Dynamics 365 instance URL is provided via a JavaScript call to:

// Runs inside the Dynamics Web Resource; returns the organisation's instance URL
var globalContext = Xrm.Utility.getGlobalContext();
var url = globalContext.getClientUrl();

from some JavaScript in a Dynamics Web Resource that acts as an entry point to our application from within Dynamics (from a button click, the WebResource code is executed, which then does a window.open to the url of our application with some query string parameters generated via the Web Resource's JavaScript code)

I instantiate a new CrmServiceClient like this:

// Certificate-based S2S connection: certificate looked up by thumbprint in the app service's store,
// app (client) id from config, instanceUrl taken from the query string
serviceClient = new CrmServiceClient(null, StoreName.My, KeyVaultConfig.CertificateThumbprint, new Uri(instanceUrl), true, null, KeyVaultConfig.RegisteredAppClientId, null, null);

The serviceClient.OrganizationServiceProxy is then cast as an IOrganizationService which is then used throughout the rest of the application to read and write data to Dynamics 365.

This all works fine, but I am very concerned about a security issue: if a hacker gets the URL to our application with the appropriate query string parameters (i.e. the organisation's Dynamics 365 instance URL), they effectively have access to the Dynamics 365 instance via our application, because there are no other authentication checks carried out.

In other CRM integrations (i.e. Salesforce.com) we use the current SessionId of the user to pass to our application which has an expiry period, meaning if a hacker managed to get the URL, their access would expire soon after. This is not the case with Dynamics 365.

Does anyone have any suggestions I can implement to make this more secure? I don't want to add an additional username/password prompt screen to the application every time it is accessed from within Dynamics 365, as this will put people off using it.

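As an added illustration (not the poster's code and not Microsoft's), here is one way the middleware could stop treating the query string as proof of access: require an Azure AD sign-in for the caller (which is also what lets a Conditional Access policy apply), check the requested instance URL against an allowlist per licensed customer tenant, and pass the signed-in user's object id to CrmServiceClient so calls run under that user's Dynamics security roles rather than the application user's. The factory class, the dictionary of licensed hosts and the use of the "tid"/"oid" claims are assumptions; CallerAADObjectId is the Tooling client's impersonation property.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Xrm.Tooling.Connector;

// Hypothetical factory for the middleware described above (not the poster's code).
// Assumes the app is fronted by Azure AD sign-in, so the ClaimsPrincipal carries the
// caller's "tid" (tenant id) and "oid" (object id) claims.
public sealed class DynamicsClientFactory
{
    private readonly IReadOnlyDictionary<string, HashSet<string>> _licensedHosts; // tenant id -> allowed instance hosts (constructed)
    private readonly string _certThumbprint; // same thumbprint as the app setting in the question
    private readonly string _clientId;       // the registered app's client id

    public DynamicsClientFactory(IReadOnlyDictionary<string, HashSet<string>> licensedHosts, string certThumbprint, string clientId)
    {
        _licensedHosts = licensedHosts;
        _certThumbprint = certThumbprint;
        _clientId = clientId;
    }

    public CrmServiceClient CreateForCaller(ClaimsPrincipal user, string requestedInstanceUrl)
    {
        // 1. A leaked URL proves nothing on its own: require a signed-in Azure AD user.
        string tenantId = user.FindFirst("tid")?.Value;
        string objectId = user.FindFirst("oid")?.Value;
        if (tenantId == null || objectId == null)
            throw new UnauthorizedAccessException("Caller is not signed in with Azure AD.");

        // 2. Accept only HTTPS instance URLs that the caller's tenant is licensed for.
        if (!Uri.TryCreate(requestedInstanceUrl, UriKind.Absolute, out Uri instanceUri)
            || instanceUri.Scheme != Uri.UriSchemeHttps
            || !_licensedHosts.TryGetValue(tenantId, out HashSet<string> hosts)
            || !hosts.Contains(instanceUri.Host))
            throw new UnauthorizedAccessException("Instance URL is not licensed for this tenant.");

        // 3. Same certificate-based S2S connection as in the question, but built from the
        //    validated authority rather than the raw query string value.
        var client = new CrmServiceClient(null, StoreName.My, _certThumbprint,
            new Uri(instanceUri.GetLeftPart(UriPartial.Authority)), true, null, _clientId, null, null);
        if (!client.IsReady)
            throw new InvalidOperationException("Dynamics connection failed: " + client.LastCrmError);

        // 4. Run every request as the signed-in user so that user's Dynamics security
        //    roles apply instead of the application user's broader privileges.
        client.CallerAADObjectId = Guid.Parse(objectId);
        return client;
    }
}
```

Because the user signs in with the same Azure AD account already used for Dynamics, the sign-in is normally silent, and the token's lifetime gives the expiry behaviour the Salesforce SessionId provides.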
  • Suggested answer from Jean Joel Kakou

    Hello Mike,

    You should add some additional Conditional Access conditions to the service for the group of users that will connect to the application:

    - Create a Conditional Access policy to block access to the Common Data Service.

    - It should be assigned to a group of users: docs.microsoft.com/.../concept-conditional-access-users-groups

    - In cloud apps, select Common Data Service (this is the main resource for Dynamics apps): docs.microsoft.com/.../concept-conditional-access-cloud-apps

    - Set the application to Block access: docs.microsoft.com/.../howto-conditional-access-policy-block-access

    This configuration will block the access of the group of users that are trying to access Common Data Service.

  • Mike Sowerbutts

    Hey - thanks. But can this be applied across different active directories?

    I.e. the App Registration is accessible outside my company's AD. We sell licences to customers who have their own AD etc.

    What you're suggesting looks good, but I guess it's only possible to manage within our own AD?

  • Jean Joel Kakou

    One question that I have is how you will provide access to your customer?

    Maybe this will help you: docs.microsoft.com/.../conditional-access

    The authentication happens for the B2B guest user when they request access to a resource. The resource redirects the user to its resource tenant, a trusted IdP.

    It is important to understand the goal to provide more guidance.
