
[Step by Step] Configure Server-to-Server (S2S) authentication using Azure AD and Application User – Dynamics 365

In this article I am going to explain what an ‘Application User’ is and how it helps to establish Server-to-Server (S2S) authentication with Azure Active Directory.

To explain S2S authentication more simply, let’s take an integration requirement:

  • You have an ASP.Net Web Application
  • You need to pull the Contacts from a CRM organization and display them in the ASP.Net web page

The conventional design approach for the above requirement would be:

  • Establish the CRM connection in your ASP.Net page by passing CRM User credentials
  • Make a Retrieve call to CRM
  • Read and bind the Contacts to a grid.

To implement the above design you need paid CRM User credentials to interact with your Dynamics CRM organization.

So what is S2S authentication, and how is it different from the legacy integration model we discussed above?

Server-to-Server (S2S) authentication:

  • S2S authentication means you don’t need to use a paid Dynamics 365 user license when you connect to Dynamics 365 tenants.
  • We will use a special user (i.e., Application User)
  • Best part is, you can connect to D365 and make server calls from your application (i.e., Web/Console) with no Dynamics SDK dlls and no ‘UserID/Password’.

What is this ‘Application User’:

  • ‘Application User’ is a ‘systemuser’ record of type ‘Application User’
  • There is no license fee for the ‘Application User’ account


How an ‘Application User’ account achieves S2S authentication:

  • The ‘Application User’, in conjunction with Azure Active Directory (Azure AD), establishes S2S authentication.
  • We first generate an ‘Application ID’ in Azure AD, which we then set on the ‘Application User’ in Dynamics.

Let’s see the step by step approach to achieve S2S authentication.

  • Pre-requisites:
    • Dynamics 365 instance
    • Azure Subscription with the same Office 365 account used for your D365 instance.
  • High Level Steps
    • Generate ‘Application ID’ and ‘Keys’ in ‘Azure’
    • Add a new User in ‘Azure Active Directory’ (Azure AD)
    • Create a new ‘Application User’ in Dynamics 365

Step 1 – Generate ‘Application ID’ and ‘Keys’ in ‘Azure’:

  • Connect to your Azure portal
  • Go to the ‘App registrations’ service


  • Create a ‘New application registration’
    • Note: ‘Sign-on URL’ can be any valid URL.


  • Copy the generated ‘Application ID’ (This is needed while creating ‘Application User’ in CRM)


  • Generate ‘Keys’ (You need the ‘Key’ to establish connection in your Web Application/Console Application)


  • Save the ‘Key’ (Note: You cannot read the key again once you move away from the screen)


Step 2 – Add a new User in ‘Azure Active Directory’ (Azure AD):

  • Connect to your Azure portal
  • Go to the ‘Users’ service


  • Create a ‘New User’
    • Note: A ‘Password’ is auto-generated once you save. You don’t need to copy it, as it is not required further.


  • Once the User is saved, copy the ‘User Name’ (This is needed while creating the ‘Application User’ in CRM)


Step 3 – Create a new ‘Application User’ in Dynamics 365:

In this step we are going to create an ‘Application User’ in D365 by copying the details generated in Azure.

  • Connect to Dynamics 365
  • Go to ‘Settings -> Security -> Users’
  • Switch the view to ‘Application Users’ and click ‘New’


  • In the ‘New User’ screen
    • Set ‘User Name’ with the ‘User Name’ copied from ‘Azure’
    • Set ‘Application ID’ with the ‘Application ID’ copied from ‘Azure’
    • Save the User; once saved, you will notice the auto-populated ‘Application ID URI’ and ‘Azure AD Object ID’


  • Assign a ‘Security Role’
    • The ‘Security Role’ must be a custom Security Role; you cannot assign an OOB role.
    • For this exercise, you might want to copy any existing OOB Security Role.

All right! We are all set, and now it’s time to test S2S authentication from your console.

S2S Authentication Code Snippet:

Prerequisites:

  • Install the ‘ADAL’ (Microsoft.IdentityModel.Clients.ActiveDirectory) and ‘Newtonsoft.Json’ NuGet packages

Code:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

private static async Task GetContactsAsync()
{
    // Your Dynamics Web API URL (keep the trailing slash; relative paths are appended to it)
    string api = "https://docmigrate.api.crm.dynamics.com/api/data/v9.0/";

    // Discover the Azure AD authority and resource identifier for this organization
    AuthenticationParameters ap = await AuthenticationParameters.CreateFromResourceUrlAsync(new Uri(api));

    // Set 'Application ID' and 'Key' generated from Azure
    var creds = new ClientCredential("e4ac3a78-xxxx-403a-a94c-xxxxxxx", "hEo/xxxxxxxS+LEiYHpxxxxxxxRe8xg0=");

    // Client-credentials flow: no user name or password, only the application's own credential
    AuthenticationContext authContext = new AuthenticationContext(ap.Authority);
    AuthenticationResult result = await authContext.AcquireTokenAsync(ap.Resource, creds);
    string token = result.AccessToken;

    using (HttpClient httpClient = new HttpClient())
    {
        httpClient.Timeout = new TimeSpan(0, 2, 0);
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

        // Retrieve Top 1 Contact ('api' already ends with '/', so no leading slash here)
        HttpResponseMessage response = await httpClient.GetAsync(api + "contacts?$top=1");

        // Parse the response: the Web API returns the records as an array under 'value'
        if (response.IsSuccessStatusCode)
        {
            JObject body = JsonConvert.DeserializeObject<JObject>(await response.Content.ReadAsStringAsync());
            JArray contacts = (JArray)body["value"];

            if (contacts.Count > 0)
            {
                var contactName = contacts[0]["fullname"];
            }
        }
    }
}
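The snippet above acquires a token and calls the Web API, but it does not show what the token or the response actually contain. The following Python example (added here; it is not code from the original post and uses no real credentials) reproduces two checks a practitioner would want around that call: inspecting the client-credentials token's claims to confirm it was issued for the Dynamics resource (`aud`) and for the expected Application ID (`appid`) before sending it as a Bearer token, and parsing a Web API collection response, whose records sit under `value` while failures arrive as an `error` object. The token, the `RESOURCE` value and the response bodies are all constructed sample data, so the example runs offline.

```python
import base64
import json

# Constructed sample values (not real credentials): the Application ID set on the
# Application User, and the Dynamics resource identifier the token must be issued for.
APPLICATION_ID = "e4ac3a78-0000-403a-a94c-000000000000"
RESOURCE = "https://docmigrate.crm.dynamics.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for offline inspection (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    This is inspection only; Dynamics verifies the signature server-side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_matches(token: str, resource: str, app_id: str) -> bool:
    """True when the token was issued for the Dynamics resource and carries
    the Application ID configured on the Application User."""
    claims = decode_claims(token)
    return claims.get("aud") == resource and claims.get("appid") == app_id


def extract_contact_names(body: str) -> list:
    """Parse a Dynamics Web API collection response.
    Records live under 'value'; an error response carries 'error' instead."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError("Web API error: " + data["error"].get("message", "unknown"))
    return [record.get("fullname") for record in data.get("value", [])]


# Constructed sample response for GET .../contacts?$top=1 (shape of a real one, invented values)
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": RESOURCE + "/api/data/v9.0/$metadata#contacts",
    "value": [{"fullname": "Sample Contact", "contactid": "00000000-0000-0000-0000-000000000001"}],
})

# Constructed sample error body, e.g. when the Application User lacks a privilege
SAMPLE_ERROR = json.dumps({"error": {"message": "Principal user is missing privilege (constructed)"}})

if __name__ == "__main__":
    good = make_sample_token({"aud": RESOURCE, "appid": APPLICATION_ID, "oid": "constructed-object-id"})
    wrong_aud = make_sample_token({"aud": "https://graph.microsoft.com", "appid": APPLICATION_ID})
    print("token for Dynamics usable:", token_matches(good, RESOURCE, APPLICATION_ID))
    print("token for another resource usable:", token_matches(wrong_aud, RESOURCE, APPLICATION_ID))
    print("contacts:", extract_contact_names(SAMPLE_RESPONSE))
```

The `oid` claim in a real token corresponds to the ‘Azure AD Object ID’ that Dynamics auto-populated on the Application User in Step 3, which is how the Web API maps the caller to that user and its custom Security Role; the `aud` check catches the common mistake of requesting a token for the wrong resource, which Dynamics rejects with a 401 rather than a JSON error body.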


🙂
