Create a service principle to access Dynamics 365 / Dataverse API
Dustin Miner
- posted on
- Comments Off on Create a service principle to access Dynamics 365 / Dataverse API
Overview
Consider the scenario where an Azure function needs to connect to the Dynamics 365 API in order to retrieve data from a Dataverse table. As part of the connection process, it’s required that the Azure function use a service principle to authenticate via Azure AD
This post takes this example to describes how to:
- Register an app in Azure AD to implement OAuth2 authentication to the Dynamics 365 API
- Create an non-interactive application user in Dynamics 365 to authorise access to the DEV environment
- Configure an Azure Function to connect and authenticate to the Dynamics 365 API
Note:
- A user (user principle) sends a user/password (e.g. in a popup dialog) to authenticate in Azure AD
- A system (service principle) sends a Application Id/Client secret to authenticate in Azure AD, without any human involvement
Register an app (service principal) in Azure AD
Within the Azure portal (https://portal.azure.com), click on ‘App registrations’ & then ‘New registration’ (Figure 1)
Enter the application name and then click on ‘Register’ (Figure 2). In this example, one app registration is created to connect to three Dynamics 365 environments DEV, SIT & UAT. Note that one app could have been created for each Dynamics 365 environment
Click on ‘View API permissions’ (Figure 3). Take note of the Application Id (client Id) which will be required in the section below ‘Create a application user in the Dynamics 365 DEV environment’
Then click on ‘Add a permission’ (Figure 4)
Select ‘Dynamics 365’ (Figure 5) to request API permissions
For delegated permissions, select the user_impersonation checkbox (Figure 6)
To create a client secret for the app, select ‘New client secret’ (Figure 7). Take note of the client secret as this won’t be displayed again
The app setup is now complete (Figure 8)
This app can then be used to connect to the various Dynamics 365 / Dataverse environments
https://contosodev.crm6.dynamics.com
https://contososit.crm6.dynamics.com
https://contosouat.crm6.dynamics.com
Create a application user in the Dynamics 365 DEV environment
This next step is to create an application user in the https://contosodev.crm6.dyanmics.com environment (these steps would need to be repeated for SIT and UAT). This is required to control the level of access to the Dynamics 365 / Dataverse Web API. For example, to specify if the application user can delete records in Dataverse.
Note: This section describes the legacy way to create an Application User. The new way is via the Power Platform Admin Center isn’t described in this post.
Select the ‘Application Users’ view (Figure 9)
Enter the Application Id which was generated earlier (Figure 3)
Choose the required security role (not System Administrator as this would be a security risk)
Now it’s possible to connect to the API as explained in the following section
Develop a Azure Function to connect to the Dynamics 365 DEV environment
Create an Azure function which uses CrmServiceClient to connect to Dynamics 365 / Dataverse via the Azure AD (Figures 12 & 13). Note: although it’s not used in this post, it seems Microsoft is now recommends using the Dataverse ServiceClient rather than CrmServceClient
Note: ideally the client secret displayed in Figure 13 should be stored in the Azure key vault
Further reading
XRM.Navigation.navigateto a html web resource
References
OAuth Application Users in Dynamics 365
