Authentication to the Dynamics 365 oData API (CRM) is something every CRM developer has dealt with. Previously, this was done with a normal user account. The downside of this method is that the CRM web interface can be used with this user as well. Some versions ago, Microsoft introduced the concept of “Non-Interactive” users (see this article). This was already a huge step forward from a security point of view: we could now use a user that didn’t have access to the web interface. There is still a downside: a username and password need to be stored somewhere. Since a username usually follows some kind of naming logic, it can be predicted and may be obtained through an attack. Conclusion: still not as secure as you’d want it to be.
Introducing the AppId for Dynamics 365 oData API
Microsoft created the ability to authenticate to the Dynamics 365 oData API with the use of an AppId (in the December 2016 update)! Together with a secret, this replaces the username and password. Guess what: an AppId and a secret are far more complex and far less readable than a username and password. Again a great step forward in security. So to wrap up:
- A username and password are readable and therefore less safe
- An AppId and Secret are far more difficult to read and therefore safer
If you want this, please read on and I’ll describe what steps you should take to use this new feature.
Steps to take to implement the AppId
A quick overview of the steps for those in a hurry:
1. Create an Application with AppID and Secret in Azure Active Directory
2. Assign the Dynamics CRM Online API rights to the Application
3. Create an application user in CRM and attach the AppId
Now here we go for the deep-dive.
Create an Application with AppID and Secret in Azure Active Directory
- Sign in to the Azure Portal and Azure AD tenant by selecting your account in the top right corner of the page.
- On the left side of the page, go to Azure Active Directory and select App registrations.
- Click New application registration and provide the name. The application type must be Web app / API. You can choose any valid URL as Sign-on URL.
Assign the Dynamics CRM Online API rights to the Application
- Open the new App registration and select Required permissions. Click Add, Select an API and choose Dynamics CRM Online. Select all permissions and click Select and Done. Now the permissions should look like this.
- Now select Keys and create a new Key. Save the Key for later, this is the Secret you need to authenticate. Together with your Application ID, you are now done creating the Application.
Create an application user in CRM and attach the AppId
- Go to the CRM users and open the Application Users view.
- Click New and you’ll get a special form for Application Users. Here you’ll provide the Application ID of the registered application, a full name that sounds logical to you and a primary email. This e-mail must contain an existing domain within the same tenant.
- For the final step, assign a custom security role to this user. Please make sure it’s a custom security role. A default security role won’t do.
Sample Code and Libraries
If you want to test whether authentication works properly, you can download and use this VS project. If you change the config file and run the project, you should see your first 5 Accounts.
Since not everyone uses C# for their projects, you should know Microsoft also provides the ADAL libraries in all kinds of programming languages. ADAL stands for Azure Active Directory Authentication, which you can use to authenticate to Dynamics 365 Online as well. You can find the ADAL libraries here.
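As an added example (not the VS project from this post, and not ADAL itself), the same client-credentials flow in Python using only the standard library, so the two requests ADAL makes for you are visible: the AppId plus secret is exchanged for a token at the Azure AD token endpoint with the CRM org URL as resource, and that token is then sent as a Bearer header to the Web API for the first 5 accounts. The tenant, org URL, AppId and the v8.2 API version are placeholders/assumptions, and the secret is read from an environment variable rather than a config file.

```python
import json
import os
import urllib.parse
import urllib.request

TENANT = "contoso.onmicrosoft.com"               # placeholder tenant
CRM_URL = "https://contoso.crm.dynamics.com"      # placeholder org URL
APP_ID = "00000000-0000-0000-0000-000000000000"   # placeholder Application ID


def token_request(tenant, app_id, secret, resource):
    """Azure AD (v1 endpoint) client-credentials token request: the AppId and
    secret replace username/password; 'resource' is the CRM org URL."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "resource": resource,
    }).encode()
    return url, body


def accounts_request(crm_url, access_token, top=5):
    """Web API (OData) request for the first `top` accounts, made as the
    application user; v8.2 is the assumed API version of the Dec 2016 update."""
    url = f"{crm_url}/api/data/v8.2/accounts?$select=name&$top={top}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
    }
    return url, headers


def fetch_first_accounts(secret=None, opener=urllib.request.urlopen):
    """Get a token, then list account names. The secret comes from the
    environment so it never sits readable in a config file."""
    secret = secret or os.environ["CRM_CLIENT_SECRET"]
    url, body = token_request(TENANT, APP_ID, secret, CRM_URL)
    with opener(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    url, headers = accounts_request(CRM_URL, token)
    with opener(urllib.request.Request(url, headers=headers)) as resp:
        return [a["name"] for a in json.load(resp)["value"]]


if __name__ == "__main__":
    print(fetch_first_accounts())
```

The application user only sees what its custom security role allows, so an empty or short list is a role problem rather than an authentication problem.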