Thursday, February 02, 2017

Headless Authentication against CRM 365 WebApi

Or: how to authenticate against the CRM 365 Web API without a user name and password.
Background: we had to write a web service that communicated with CRM. Because the caller was a service, not a person, we did not want it to run under somebody's user name and password; instead we wanted it to authenticate with its own application identity (the app registration's Application ID and key, as set up below). Hence the name “headless authentication”: no interactive user is involved at any point.
Create an Azure App Registration:
  1. Log in to the Azure portal: https://portal.azure.com
  2. Navigate to the “App Registrations” blade and add an app:
    1. Click “Add”.
    2. Enter a value for Name, set the Application type to “Web App/API” and enter a Sign-on URL (any value will do; it only matters for interactive sign-in). Click Create.
    3. Return to the “App Registrations” blade and select the app you just created.
    4. You should now see the essential settings of the app. Note the Application ID; you will need it when you create the CRM application user.
    5. Click All Settings, choose “Required Permissions” and click Add.
      In “Select an API”, select the “Dynamics CRM Online” API and click Select.
      Next, under “Select Permissions”, select “Access CRM Online as organization users” and click Select.
      Finally, click Done. “Dynamics CRM Online” should now be listed under Required Permissions.
    6. Click “Keys” and add a new row: set Description to “key” (any value will do), choose an expiry and click “Save”. Expires: Never is the simplest choice for a test; for a production service pick a finite expiry and rotate the key before it lapses.
      The Value field updates when you save. Copy the value and store it somewhere safe (a secret store, not source control). Once you leave this view you will not be able to retrieve the key again. This is the shared secret your application will use to authenticate, so treat it exactly like a password.
Set up a CRM user for the application
  1. In CRM, go to the “Security” options.
  2. Choose the “Application Users” view.
  3. Click New (make sure the User type is set to “Application User”).
  4. Set the Application ID to the value you noted from the app registration's essential settings in Azure. This is what ties the CRM application user to the Azure AD app: a token issued to that app will act as this user in CRM.
  5. Enter an email and a name for the application user.
  6. Click Save.
  7. Click “Manage Roles” and assign a role to the user (note: you cannot use a system role and will need a custom role, which is also your chance to grant only the privileges the service actually needs).
Create a console app to test the setup
  1. Sample code to test the setup is in this repo: https://github.com/rajrao/Crm365HeadlessAuthentication
  2. I have newer code in the same repo that shows how to use the Microsoft Authentication Library (MSAL) to connect to CRM: https://github.com/rajrao/Crm365HeadlessAuthentication/blob/master/MsalBasedCrmAuthenticationHeadless/Program.cs
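The exchange the console app performs, as an added example that is not code from the repo above or from the original post: the app registration's Application ID and key are posted to the Azure AD token endpoint as a client_credentials grant scoped to the CRM organization URL, and the resulting bearer token is sent to the Web API's WhoAmI function, whose UserId should come back as the application user created in CRM. It uses only the Python standard library. The tenant, Application ID, key and organization URL are placeholders (assumptions) to replace with your own; the token-endpoint and WhoAmI URLs are the real Azure AD v1 and Dynamics 365 (8.2) endpoints.

```python
"""Headless (client-credentials) sign-in to the Dynamics 365 Web API.

Added example, not code from the linked repository. Talks to the Azure AD
v1 token endpoint, then calls the Web API's WhoAmI function with the token.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values (assumptions): substitute your own.
TENANT = "contoso.onmicrosoft.com"                    # Azure AD tenant of the app registration
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # Application ID from the app's settings
CLIENT_SECRET = "<value copied from the Keys blade>"  # load from a secret store, never commit
CRM_ORG_URL = "https://contoso.crm.dynamics.com"      # also the OAuth 'resource' the token is for
WEB_API_VERSION = "v8.2"                              # Dynamics 365 (8.2) Web API
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, form_body) for an Azure AD v1 client_credentials grant.

    No user name or password appears anywhere: the app registration's ID and
    key are the only credentials, and the token is bound to 'resource'.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode("ascii")
    return url, body


def parse_token_response(raw_json, expected_resource):
    """Extract (access_token, expires_in_seconds) from the token endpoint's JSON.

    Raises ValueError on an error document, a non-Bearer token, or a token
    issued for a different resource, so a wrong key or a mistyped 'resource'
    fails here instead of as a confusing 401 from CRM.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    if data.get("resource", expected_resource) != expected_resource:
        raise ValueError(f"token issued for {data['resource']!r}, "
                         f"not {expected_resource!r}")
    # The v1 endpoint returns expires_in as a string; normalise to int.
    return data["access_token"], int(data["expires_in"])


def web_api_headers(access_token):
    """Headers the Dynamics 365 Web API expects on every request."""
    return {
        "Authorization": f"Bearer {access_token}",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
        "Accept": "application/json",
    }


def acquire_token(tenant, client_id, client_secret, resource):
    """Perform the token exchange over the network (not exercised offline)."""
    url, body = build_token_request(tenant, client_id, client_secret, resource)
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # Azure AD answers a bad key with HTTP 400 and an error document;
        # feed it through the same parser so the reason surfaces.
        raw = err.read().decode("utf-8")
    return parse_token_response(raw, resource)


def whoami(org_url, access_token, api_version=WEB_API_VERSION):
    """Call the Web API's WhoAmI function. The UserId in the reply should be
    the Application User created in CRM, proving the headless identity works."""
    url = f"{org_url}/api/data/{api_version}/WhoAmI"
    req = urllib.request.Request(url, headers=web_api_headers(access_token))
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    token, ttl = acquire_token(TENANT, CLIENT_ID, CLIENT_SECRET, CRM_ORG_URL)
    print(f"token valid for {ttl}s")
    print(whoami(CRM_ORG_URL, token))
```

If WhoAmI returns 401 even though the token request succeeded, the usual causes are a 'resource' that does not exactly match the organization URL, or an Application ID on the CRM application user that does not match the app registration.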

2 comments:

Raj Rao said...

More info is now available at: https://msdn.microsoft.com/en-us/library/mt790169.aspx

Raj Rao said...

There has been considerable confusion on whether an "application user" needs a license or not. In June 2018, Microsoft clarified that Application Users do not count towards the limits and do not use up licenses:

All application users are created with a non-interactive user account, however they are not counted towards the five non-interactive user accounts limit. In addition, there is no limit on how many application users you can create in an instance.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/admin/create-users-assign-online-security-roles#create-an-application-user

https://github.com/MicrosoftDocs/dynamics-365-customer-engagement/commit/9068938aa7ca91f12b8744518bf5071ec4514530#diff-184905bb3786c535b8e1eedb5ba54cf2R258