Thursday, February 02, 2017

Headless Authentication against CRM 365 WebApi

Or how to authenticate against the CRM 365 web-api, without a user-name and password.

Background: We had to write a web-service that communicated with CRM. Because it was going to be a web-service communicating with the CRM web-api, we didn't want to use a user-name and password and instead, we wanted to just use . Hence the name “headless authentication”.

Create an Azure App Registration:

  1. Login to Azure portal: https://portal.azure.com
  2. Navigate to the “App Registrations” blade, and add an app
    1. Click on “Add”
    2. image
    3. Enter a value for name, set the application type to “Web App/API” and enter a sign-on URL (any value will do). Click Create
    4. Return to the “App Registrations” blade and select the new app you created in step 3.
    5. You should now see the essential settings of the app:
      You will need the Application ID later.
    6. Click on All Settings and then Choose “Required Permissions”. Click on Add
      In “Select an API”, select the “Dynamics CRM Online” API and click Select.
      Next under “Select Permissions”, select “Access CRM Online as organization users” and then click Select.
      Finally, click Done. The result should look like this:
    7. Next, click on “Keys” and add a new row, where you set the Description value to “key” (this can be any value), Expires: Never and then click “Save”.
      The value field will update. Copy the value and save it. Once you leave this view, you will not be able to retrieve this key again. This is the shared secret your application will use to authenticate.

Setup a CRM user for the application

  1. Go to the “Security” options
  2. Choose the “Application Users” view
  3. Click New (make sure the User type is set to “Application User”)
  4. Set the application id to the value from step 5 of Create an Azure App Registration.
  5. Enter an email and a name for the application user.
  6. Click Save.
  7. Click on “Manage Roles” and assign a role to the user (note: you cannot use a system role and you will need to use a custom role).

Create a console app to test the code

  1. Test the code using the repo: https://github.com/rajrao/Crm365HeadlessAuthentication
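
The steps above leave you with an Application ID, a key (the shared secret) and an application user in CRM. As an added example (not the code from the linked repo), this shows the OAuth2 client-credentials exchange those values feed into, at the HTTP level. The tenant name, the environment variable names and the `v8.2` Web API path are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

API_PATH = "/api/data/v8.2/WhoAmI"  # assumed Web API version; adjust to your org


def build_token_request(tenant, client_id, client_secret, org_url):
    """Client-credentials token request for the Azure AD v1 token endpoint."""
    url = ("https://login.microsoftonline.com/%s/oauth2/token"
           % urllib.parse.quote(tenant, safe=""))
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,            # Application ID of the app registration
        "client_secret": client_secret,    # key value copied from the "Keys" view
        "resource": org_url.rstrip("/"),   # token audience is the CRM organization URL
    }).encode("ascii")
    return urllib.request.Request(url, data=body, method="POST")


def build_whoami_request(org_url, token_response):
    """Turn the token endpoint's JSON reply into an authenticated Web API call."""
    reply = json.loads(token_response)
    if "access_token" not in reply:
        # Azure AD reports failures as {"error": ..., "error_description": ...}
        raise RuntimeError("token request failed: %s" % reply.get("error", "unknown"))
    return urllib.request.Request(org_url.rstrip("/") + API_PATH, headers={
        "Authorization": "Bearer " + reply["access_token"],
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
    })


def who_am_i():
    """Run the whole flow; the secret comes from the environment, not from source."""
    org = os.environ["CRM_ORG_URL"]  # e.g. https://contoso.crm.dynamics.com (placeholder)
    token_req = build_token_request(os.environ["AAD_TENANT"], os.environ["AAD_CLIENT_ID"],
                                    os.environ["AAD_CLIENT_SECRET"], org)
    with urllib.request.urlopen(token_req) as resp:
        api_req = build_whoami_request(org, resp.read())
    with urllib.request.urlopen(api_req) as resp:
        return json.loads(resp.read())  # includes the UserId of the application user


if __name__ == "__main__":
    print(who_am_i())
```

If `WhoAmI` returns a `UserId`, the call ran as the application user created in “Setup a CRM user for the application”, so what the token can do is bounded by the custom role assigned there.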

6 comments:

Raj Rao said...

More info is now available at: https://msdn.microsoft.com/en-us/library/mt790169.aspx

jacob wallace said...


Wonderful blog!!! I liked the complete article…. great written, Thanks for all the information you have provided…

John James said...


I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well.

Ethan MOORE said...


Blogs are not just for socializing with others but it can also give us useful information like this post.

dedicated hosting said...


You bring up some interesting points to consider.

Toby O'Donnell said...

Thank you. Controlling the conduct of business with the help of CRM is the opportunity for productive communication with the client. Such software protects first of all my interests as a businessman. The majority of people don’t do a single thing to improve management. Instead, must work more but get less. So I advise to look at this site . And familiarize yourself with the CRM software which will ensure interaction with clients and rational management of affairs. Good luck in business!