Server-to-Server authentication for the Microsoft Dynamics web API

To connect to the Microsoft Dynamics web API from another server you can use OAuth v2.0 with the client_credentials grant. Making request to obtain the OAuth token is very simple.

The tenant ID is obtained from the azure portal, under manage properties and is indicated as the directory ID

You can obtain the value for the scope from the dynamics portal by visiting Settings > Customization > Developer Resources and looking at the service root URL.

requests.post(
      f'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token',
        data={
            'client_id': settings.DYNAMICS_CLIENT_ID,
            'scope': 'https://*********.api.crm*.dynamics.com/.default',
            'client_secret': settings.DYNAMICS_CLIENT_SECRET,
            'grant_type': 'client_credentials',
        }
    )

A number of steps are required to make this work.

Register an OAuth App in Azure AD

There is a walkthrough of registering an OAuth app on Azure AD. The essential process is to use the Active Directory section of the Azure management portal to register a new application, give it the Dynamics 365 (online)Delegated Permissions permission, and create a new secret for it.

Note that the redirect URI you enter doesn’t actually need to identify a real reachable resource.

Obtain Admin Consent for Dynamics 365

To obtain admin consent for the app, put the following URL in to a web browser. In the URL you must fill in the ID of the OAuth App you registered in the previous step, and also the redirect URI you registered for that App.

https://login.microsoftonline.com/{tenant}/adminconsent?client_id={your_client_id}&state=12345&redirect_uri={your_redirect_uri}

Configure a System User on Dynamics 365

In order to use your approved OAuth client you need to create a corresponding system user on Dynamics itself. This user does not require a license.

You need to create an appropriate security role for this user. Then create the user, ensuring that you select the Application user form. The Application ID must match the one that you registered with Azure. The strange padlock icon on some of the fields means that you should not fill them in because they will be looked up using the Application ID

NOTE: you may find it useful to give the security role the prvActOnBehalfOfAnotherUser permission to allow your service to impersonate other users.

You will also need to give the new system user sufficient permissions to take the actions that your application will perform. Both the system user and the impersonated user must have permissions in order for the action to be permitted.

Make Requests using the token

You should now be able to make requests using the token:

    api_root = 'https://********.api.crm*.dynamics.com/api/data/v9.0/'
 
    r = requests.get(
        api_root + 'systemusers',
        params={
            f"$filter": "internalemailaddress eq '{email}'",
            "$select": "internalemailaddress",
        },
        headers={
            'Authorization': 'Bearer ' + token,
        })

To impersonate a user you have to send a custom header with the correct ID for the particular user you want to impersonate. You can find the ID of a user using the request in the example above.

'MSCRMCallerID': systemuserid