Or how to authenticate against the CRM 365 web-api, without a user-name and password.
Background: We had to write a web-service that communicated with CRM. Because it was going to be a web-service communicating with the CRM web-api, we didn't want to use a user-name and password and instead, we wanted to just use . And hence the name “headless authentication”.
Create an Azure App Registration:
- Login to Azure portal: https://portal.azure.com
- Navigate to the “App Registrations” blade, and add an app
- Click on “Add”
- Enter a value for name, set the application type to “Web App/API” and enter a sign-on URL (any value will do). Click Create
- Return to the “App Registrations” blade and select the new app you created in step 3.
- You should now see the essential settings of the app:
You will need the Application ID later.
- Click on All Settings and then choose “Required Permissions”. Click on Add.
In “Select an API”, select the “Dynamics CRM Online” API and click Select.
Next under “Select Permissions”, select “Access CRM Online as organization users” and then click Select.
Finally, click Done. The result should look like this:
- Next, click on “Keys” and add a new row, where you set the Description value to “key” (this can be any value), Expires: Never and then click “Save”.
The value field will update. Copy the value and save it. Once you leave this view, you will not be able to retrieve this key again. This is the shared secret your application will use to authenticate.
- Go to the “Security” options
- Choose the “Application Users” view
- Click New (make sure the User type is set to “Application User”)
- Set the application id to the value from step 5 of Create an Azure App Registration.
- Enter an email and a name for the application user.
- Click Save.
- Click on “Manage Roles” and assign a role to the user (note: you cannot use a system role and you will need to use a custom role).
- Test the code using the repo: https://github.com/rajrao/Crm365HeadlessAuthentication
- I have new code that shows how to use Microsoft Authentication Library (MSAL) to connect to CRM here: https://github.com/rajrao/Crm365HeadlessAuthentication/blob/master/MsalBasedCrmAuthenticationHeadless/Program.cs
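
The flow the steps above set up, as an added example (this is not the code from the linked repository): the app acquires a token with the Application ID and key via the client-credentials grant, then calls the CRM web-api as the application user. The environment variable names, the tenant ID setting, the organization URL and the `v9.0` API version are assumptions, not values from this post.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // NuGet package: Microsoft.Identity.Client (MSAL.NET)

class HeadlessCrmAuth
{
    // Fail fast when a setting is missing instead of sending a half-built request.
    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    static async Task Main()
    {
        // Hypothetical variable names; the key stays out of source control and config files.
        string tenantId = Require("CRM_TENANT_ID");     // Azure AD tenant (directory) ID
        string clientId = Require("CRM_CLIENT_ID");     // Application ID of the app registration
        string secret   = Require("CRM_CLIENT_SECRET"); // value copied from the "Keys" view
        string orgUrl   = Require("CRM_ORG_URL").TrimEnd('/'); // e.g. https://yourorg.crm.dynamics.com

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(secret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .Build();

        // Client-credentials grant: no user, no password. The ".default" scope asks for
        // the permissions already granted to the application for this CRM instance.
        AuthenticationResult token = await app
            .AcquireTokenForClient(new[] { $"{orgUrl}/.default" })
            .ExecuteAsync();

        using var http = new HttpClient { BaseAddress = new Uri(orgUrl + "/") };
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);
        http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        // WhoAmI returns the UserId the token maps to: the application user created in CRM.
        HttpResponseMessage resp = await http.GetAsync("api/data/v9.0/WhoAmI");
        string body = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
        {
            // On 401/403, check that the application user exists and has a custom role.
            Console.Error.WriteLine($"CRM call failed: {(int)resp.StatusCode} {body}");
            Environment.Exit(1);
        }
        Console.WriteLine(body);
    }
}
```

The custom role assigned under “Manage Roles” is what bounds what this token can do in CRM, so give it only the privileges the web-service needs.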
More info is now available at: https://msdn.microsoft.com/en-us/library/mt790169.aspx
There has been considerable confusion on whether an "application user" needs a license or not. In June 2018, Microsoft has clarified that Application Users do not count towards the limits and do not use up licenses:
All application users are created with a non-interactive user account, however they are not counted towards the five non-interactive user accounts limit. In addition, there is no limit on how many application users you can create in an instance.
https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/create-users-assign-online-security-roles#create-an-application-user
https://github.com/MicrosoftDocs/dynamics-365-customer-engagement/commit/9068938aa7ca91f12b8744518bf5071ec4514530#diff-184905bb3786c535b8e1eedb5ba54cf2R258