Document Agent SPA issue

We are trying to follow Steps to Implement Service Principal Authentication (General Guidance). Has anyone completed this successfully, and how? We have an on-prem server running Document agent Routing and have communication issues, since we are using D365 F&O and the two systems are not communicating because one is on-prem and the other is in the cloud, and an Azure-joined cloud print server is not an option.
 

Steps to Implement Service Principal Authentication (General Guidance):

  1. Azure AD App Registration:
    • Go to the Azure portal.
    • Navigate to "Azure Active Directory" > "App registrations".
    • Click "New registration".
    • Give your application a name (e.g., "DocumentRoutingServiceApp").
    • Select the supported account types (usually "Accounts in this organizational directory only").
    • For "Redirect URI (optional)," you don't need to configure anything for a service application.
    • Click "Register".
  2. Get Client ID: Note down the "Application (client) ID" from the app registration overview.
  3. Generate Client Secret:
    • Go to "Certificates & secrets" under your app registration.
    • Click "New client secret".
    • Add a description and choose an expiration period.
    • Click "Add".
    • Copy the secret value immediately and store it securely. You won't be able to retrieve it again.
  4. Grant API Permissions:
    • Go to "API permissions" under your app registration.
    • Click "Add a permission".
    • Select "Dynamics 365" (or "Microsoft CRM").
    • Choose "Delegated permissions" or "Application permissions" depending on how the service needs to interact. Application permissions are generally preferred for service applications.
    • Grant the necessary permissions (e.g., user_impersonation under Dynamics CRM).
    • Click "Grant admin consent for [Your Tenant]".
  5. Create Application User in Dynamics 365:
    • Go to your Dynamics 365 instance.
    • Navigate to Settings > Security > Users.
    • Change the view to "Application Users".
    • Click + New.
    • Fill in the required details:
      • User Name: A descriptive name (e.g., "DocumentRoutingService").
      • Application ID: Enter the Application (client) ID you copied from Azure AD.
    • Assign Security Role(s): Assign the necessary security roles to this application user. Start with System Administrator for testing, but ideally, grant the least privilege required.
    • Save the application user.
  6. Configure Document Routing Service:
    • Update the configuration files of your Document Routing Service to use:
      • Client ID: The Application (client) ID.
      • Client Secret: The secret you generated.
      • Tenant ID: Your Azure AD Directory (tenant) ID.
      • Dynamics 365 URL: The URL of your Dynamics 365 instance.
      • Authentication Method: Ensure it's set to use MSAL with Client Credentials flow.

By properly configuring the service with a dedicated Service Principal, you should be able to resolve the login error and have Document Routing run successfully as a service without relying on the interactive user session. Remember to consult the specific documentation for your Document Routing Service for detailed configuration instructions.
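
The client credentials flow that step 6 refers to, as an added example that is not part of the original post or of the Document Routing Service: it builds the token request from the four step 6 settings and checks that a returned access token is app-only and was issued for the expected tenant, client and Dynamics 365 URL. The tenant ID, client ID and URL are constructed placeholders, and the function names are hypothetical.

```python
import base64, json, time
from urllib.parse import urlencode

# Constructed placeholder values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
D365 = "https://contoso.operations.dynamics.com"

def build_token_request(tenant_id, client_id, client_secret, d365_url):
    """Return (url, form body) for the OAuth 2.0 client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,  # load from a secret store, not a file
            # App-only requests name the resource plus "/.default".
            "scope": d365_url.rstrip("/") + "/.default"}
    return url, urlencode(form)

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, tenant_id, client_id, d365_url, now=None, min_ttl=300):
    """Return a list of problems; an empty list means the claims match step 6."""
    c = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if str(c.get("aud", "")).rstrip("/").lower() != d365_url.rstrip("/").lower():
        problems.append("aud does not match the Dynamics 365 URL")
    if c.get("tid") != tenant_id:
        problems.append("tid does not match the tenant ID")
    if client_id not in (c.get("appid"), c.get("azp")):
        problems.append("appid/azp does not match the client ID")
    if "scp" in c:  # delegated tokens carry scp; app-only tokens do not
        problems.append("token carries delegated scopes, not app-only")
    if c.get("exp", 0) - now < min_ttl:
        problems.append("token expired or expiring soon")
    return problems

def make_sample_token(claims):
    """Build a constructed, unsigned sample token so the checks run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    sample = make_sample_token({"aud": D365, "tid": TENANT, "appid": CLIENT, "exp": time.time() + 3600})
    print(check_token(sample, TENANT, CLIENT, D365) or "claims match")
```
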

  • Suggested answer
    Muhammad Shahzad Shafique
    2,375 Most Valuable Professional
    1. Service Principal Authentication in DRA is Not Fully Supported Out-of-the-Box
    • The current Document Routing Agent (DRA) is primarily designed to authenticate using interactive user credentials (AAD auth with a UI prompt).
    • Service Principal (Client Credentials Flow) is not natively supported yet in DRA configuration.
    Note: Even with a valid App Registration and Application User in D365, the DRA won't use the service principal unless explicitly modified to support MSAL-based client credentials flow.

    What Works
    1: Use an Azure VM or Hybrid-Joined Print Server
    • Host the DRA on an Azure AD Hybrid-joined VM (with line-of-sight to your on-prem printers).
    • Use interactive AAD login for DRA to connect to D365 F&O — this is the only fully supported method today.
    2: Use Windows Credential Locker + Auto-Login Script
    • Install DRA under a service account.
    • Use PowerShell to pre-login once with Add-Account to store AAD credentials in Credential Locker.
    • DRA picks that up and avoids prompting.

    Best Practice (Current State)
    Until Microsoft adds native support for service principal auth in DRA:
    • Use interactive login on hybrid-joined or Azure-joined machines.
    • Regularly monitor token expiry or session timeouts.
    • Track feature updates via the DRA GitHub repo or Dynamics 365 release plans.
    You can still use service principals for other integrations (Power Automate, APIs, custom connectors), just not DRA until officially supported.
  • Hamza H
    1,826 Super User 2026 Season 1
    Document Routing Agent (DRA) and Service Principal Authentication – Summary
    Service Principal (client credentials) authentication is not fully supported out-of-the-box in the current Document Routing Agent. DRA is designed for interactive Azure AD login, and won’t use service principal credentials even if you configure an app registration and application user in D365 F&O.
    What works today:
    1. Azure AD or hybrid-joined VM: Host DRA on a machine joined to Azure AD or hybrid-joined, then authenticate using an interactive AAD login.
    2. Credential locker workaround: Use PowerShell to log in once with a service account and store credentials in Windows Credential Locker. DRA can reuse these.
    Best practice:
    Until Microsoft adds native support, use interactive login on Azure/hybrid-joined machines and monitor sessions. Service principal authentication can still be used for other integrations like APIs or Power Automate.


     
