Create a service principle to access Dynamics 365 / Dataverse API

Overview

Consider the scenario where an Azure function needs to connect to the Dynamics 365 API in order to retrieve data from a Dataverse table. As part of the connection process, it’s required that the Azure function use a service principle to authenticate via Azure AD

This post takes this example to describes how to:

  1. Register an app in Azure AD to implement OAuth2 authentication to the Dynamics 365 API
  2. Create an non-interactive application user in Dynamics 365 to authorise access to the DEV environment
  3. Configure an Azure Function to connect and authenticate to the Dynamics 365 API

Note:

  • A user (user principle) sends a user/password (e.g. in a popup dialog) to authenticate in Azure AD
  • A system (service principle) sends a Application Id/Client secret to authenticate in Azure AD, without any human involvement

Register an app (service principal) in Azure AD

Within the Azure portal (https://portal.azure.com), click on ‘App registrations’ & then ‘New registration’ (Figure 1)

Figure 1

Enter the application name and then click on ‘Register’ (Figure 2). In this example, one app registration is created to connect to three Dynamics 365 environments DEV, SIT & UAT. Note that one app could have been created for each Dynamics 365 environment

Figure 2

Click on ‘View API permissions’ (Figure 3). Take note of the Application Id (client Id) which will be required in the section below ‘Create a application user in the Dynamics 365 DEV environment’

Figure 3

Then click on ‘Add a permission’ (Figure 4)

Figure 4

Select ‘Dynamics 365’ (Figure 5) to request API permissions

Figure 5

For delegated permissions, select the user_impersonation checkbox (Figure 6)

Figure 6

To create a client secret for the app, select ‘New client secret’ (Figure 7). Take note of the client secret as this won’t be displayed again

Figure 7

The app setup is now complete (Figure 8)

Figure 8

This app can then be used to connect to the various Dynamics 365 / Dataverse environments

https://contosodev.crm6.dynamics.com

https://contososit.crm6.dynamics.com

https://contosouat.crm6.dynamics.com

Create a application user in the Dynamics 365 DEV environment

This next step is to create an application user in the https://contosodev.crm6.dyanmics.com environment (these steps would need to be repeated for SIT and UAT). This is required to control the level of access to the Dynamics 365 / Dataverse Web API. For example, to specify if the application user can delete records in Dataverse.

Note: This section describes the legacy way to create an Application User. The new way is via the Power Platform Admin Center isn’t described in this post.

Select the ‘Application Users’ view (Figure 9)

Figure 9

Enter the Application Id which was generated earlier (Figure 3)

Figure 10

Choose the required security role (not System Administrator as this would be a security risk)

Figure 11

Now it’s possible to connect to the API as explained in the following section

Develop a Azure Function to connect to the Dynamics 365 DEV environment

Create an Azure function which uses CrmServiceClient to connect to Dynamics 365 / Dataverse via the Azure AD (Figures 12 & 13). Note: although it’s not used in this post, it seems Microsoft is now recommends using the Dataverse ServiceClient rather than CrmServceClient

Figure 12

Note: ideally the client secret displayed in Figure 13 should be stored in the Azure key vault

Figure 13

Further reading

XRM.Navigation.navigateto a html web resource

References

OAuth Application Users in Dynamics 365

https://learn.microsoft.com/en-us/answers/questions/32034/azure-ad-authentication-for-same-application-in-mu

https://www.youtube.com/watch?v=RLnQqJY7Hss&t=215s

https://www.youtube.com/watch?v=fEmcg0RRcdg