Switching to OAuth in Dynamics 365 CDS/CRM/CE/Dataverse connections

27 July 2021
KingswaySoft Team

Switching your Authentication Type to OAuth in Dynamics 365 CDS/CRM/CE/Dataverse connections

Our Dynamics 365 toolkit started providing OAuth support over 3 years ago in our v10.0 release. While majority of our clients have switched their connections to use OAuth for the CDS and Dynamics CRM components, we have also seen many clients who have not switched over yet due to various reasons. In this blog post, we will quickly highlight why you should make the move by switching your connections to OAuth and then we will demonstrate how you could properly set up an OAuth connection for your CDS or CRM components.

First of all, let's have a quick review why you should switch to the OAuth authentication type. The following are some of the reasons:

  • OAuth is a modern application authentication and authorization infrastructure which provides some better security in protecting your data when it comes to data integration projects in processing or consuming your Dynamics 365, CDS or Dataverse data.
  • Online Federation has been deprecated by Microsoft (including the regional discovery service), which used to be the option that you would use to connect to your Dynamics 365 Online or CDS environment. As a result of the deprecation, the only appropriate authentication option for Dynamics 365 Customer Engagement online, CDS and Dataverse would be the OAuth option. If you are still using the Online Federation option, your connection should fail and you might receive the following error message:
    An error occurred when processing the security tokens in the message: You are using Ws-Trust authentication which has been deprecated and no longer supported in your environment. Please use OAuth2.0 authentication.
  • When setting up an OAuth connection properly, it can support a Dynamics 365 or CDS instance that has the Multi-Factor Authentication (MFA) enabled. MFA is a commonly used application security mechanism to better protect your application data. In working with a MFA environment, you would typically be utilizing the Certificate or Client Credentials OAuth type. Client Credentials is the option that we mainly discuss in this blog post.

However, setting up an OAuth connection is quite an involved process, switching to OAuth authentication involves a number of steps, which can be a bit confusing in the beginning if you have not worked on the concept before. In this post, we will walk you through the process with some great details to help you understand what is required and how OAuth works for our CDS/CRM connections. We hope this complements our online documentation page in its OAuth section, we hope this provides you some real-world configurations on how it can be properly achieved.

Now, let's get started.

To use OAuth, you need to make sure you have registered an Azure App, and you need to get the Client App ID and Client Secret from the Azure Portal.  

If you do not already have an Azure App, then to create a new Azure App please follow these steps (Note, if you do already have an Azure App, then after step 1, please skip to step 4):

  1. Log in to Azure Portal and navigate to Azure Active Directory in the same tenant as your Dynamics 365 instance.

  1. In the left pane, click on “App registrations”, then select “New registration”.

  1. On the Registration page, please ensure that you enter a Redirect URI. For the Redirect URI, you can supply any valid https URL.

  1. After you click Register, you should now see your app in the App registrations page. This is where you get your App ID.  Click on your App to continue on to adding permissions.

  1. In the left Navigation Pane, click on “API Permissions”. If you do not see a permission for Dynamics, click on “Add a permission” and select “Dynamics CRM” from the window that opens.

  1. Next, click on “Grant admin consent” to see the status change to Granted for the permissions. Please note that this step can also be done from our connection manager by clicking on the “Authorize” button there. If you do it here in the UI, then you will not need to click “Authorize” in our connection manager.

  1. To create your Client Secret, go to “Certifications & secrets” in the left Navigation Pane, then click on “New client secret”. Add a “Description” and “Expires” timeframe, then click “Add”. 

Please note that Client Secret is available to view and copy only at the time when it is created. If you forget to copy it at time of creation, there is no way to reveal the client secret. In such cases, all you can do is to create a new client secret and you may remove the unrecoverable client secret if you know it is not used elsewhere.

Your App is now created and registered with the required permissions and Client Secret.

Next you will also need to have an Application User created in your Dynamics 365 CE/CRM Environment. To create an Application User:

  1. First, login to the Power Platform Admin Center using the URL https://admin.powerplatform.microsoft.com/.

  2. From within the admin center, try to navigate to the Environment (or instance) that you would like to create the app user.
  3. Click the Settings button on the top.

  4. From within the Settings page, expand the Users + permissions section, and click on the Application user menu item.

  5. In the new page, click the New app user button on top.

  6. In the popup window, click the Add an app button.

  7. Now you should be able to select the app that you have previously created.

  8. After all, you would select the business unit that the user belongs to, and give it a proper security role to complete the creation of the app user.

Your Application User is now created and set up.  You do not need any of the information from the above User forms for the KingswaySoft connection manager, but if you did not have the App User created, you would encounter errors when using the connection.

Now we are ready to create the connection in SSIS

Once you have completed the above steps, you may now head to your SSIS development environment to complete the connection setup. If it is a package with existing connection, you may simply switch your CDS/CRM connection to use OAuth. Or otherwise if your package does not currently have any connection, you may simply create one. As you can see from the screenshot below, we are using all the information gathered above to fill out the connection properties for the OAuth connection.

Closing Notes

In this blog post, we only covered the Client Credentials option. However, the OAuth authentication in the CDS/CRM connection manager supports additional options which we didn't cover this blog post, they can be useful in other scenarios.

  • Password: The Password OAuth Type uses username and password along with the Client Id and secret.
  • Client Credentials: This is what we have discussed in this blog post.
  • Certificate: This uses a certificate key pair, out of which the public key would be uploaded to your Azure AD App, and the private key is installed on the machine or your server to generate a thumbprint to be used in the connection manager.
  • Interactive login (since v21.1): This option should be used only at design time to test, which uses interactive UI based login.
In short, OAuth is a recommended approach to work with Dynamics 365 CDS/CRM/Dataverse authentication. You could easily switch to it by following the above steps without losing any functionalities, you are better protected with the new authentication options.

Archive

December 2024 1 November 2024 3 October 2024 1 September 2024 1 August 2024 2 July 2024 1 June 2024 1 May 2024 1 April 2024 2 March 2024 2 February 2024 2 January 2024 2 December 2023 1 November 2023 1 October 2023 2 August 2023 1 July 2023 2 June 2023 1 May 2023 2 April 2023 1 March 2023 1 February 2023 1 January 2023 2 December 2022 1 November 2022 2 October 2022 2 September 2022 2 August 2022 2 July 2022 3 June 2022 2 May 2022 2 April 2022 3 March 2022 2 February 2022 1 January 2022 2 December 2021 1 October 2021 1 September 2021 2 August 2021 2 July 2021 2 June 2021 1 May 2021 1 April 2021 2 March 2021 2 February 2021 2 January 2021 2 December 2020 2 November 2020 4 October 2020 1 September 2020 3 August 2020 2 July 2020 1 June 2020 2 May 2020 1 April 2020 1 March 2020 1 February 2020 1 January 2020 1 December 2019 1 November 2019 1 October 2019 1 May 2019 1 February 2019 1 December 2018 2 November 2018 1 October 2018 4 September 2018 1 August 2018 1 July 2018 1 June 2018 3 April 2018 3 March 2018 3 February 2018 3 January 2018 2 December 2017 1 April 2017 1 March 2017 7 December 2016 1 November 2016 2 October 2016 1 September 2016 4 August 2016 1 June 2016 1 May 2016 3 April 2016 1 August 2015 1 April 2015 10 August 2014 1 July 2014 1 June 2014 2 May 2014 2 February 2014 1 January 2014 2 October 2013 1 September 2013 2 August 2013 2 June 2013 5 May 2013 2 March 2013 1 February 2013 1 January 2013 1 December 2012 2 November 2012 2 September 2012 2 July 2012 1 May 2012 3 April 2012 2 March 2012 2 January 2012 1

Tags