Switching to OAuth in Dynamics 365 CDS/CRM/CE/Dataverse connections

27 July 2021
KingswaySoft Team

Switching your Authentication Type to OAuth in Dynamics 365 CDS/CRM/CE/Dataverse connections

Our Dynamics 365 toolkit started providing OAuth support over 3 years ago in our v10.0 release. While the majority of our clients have switched their connections to use OAuth for the CDS and Dynamics CRM components, we have also seen many clients who have not switched over yet for various reasons. In this blog post, we will quickly highlight why you should make the move by switching your connections to OAuth, and then we will demonstrate how to properly set up an OAuth connection for your CDS or CRM components.

First of all, let's quickly review why you should switch to the OAuth authentication type. The following are some of the reasons:

  • OAuth is a modern application authentication and authorization infrastructure which provides better security in protecting your data when data integration projects process or consume your Dynamics 365, CDS or Dataverse data.
  • Online Federation has been deprecated by Microsoft (including the regional discovery service), which used to be the option that you would use to connect to your Dynamics 365 Online or CDS environment. As a result of the deprecation, the only appropriate authentication option for Dynamics 365 Customer Engagement online, CDS and Dataverse would be the OAuth option.
  • When an OAuth connection is set up properly, it can support a Dynamics 365 or CDS instance that has Multi-Factor Authentication (MFA) enabled. MFA is a commonly used application security mechanism to better protect your application data. When working with an MFA environment, you would typically use the Certificate or Client Credentials OAuth type. Client Credentials is the option that we mainly discuss in this blog post.

However, setting up an OAuth connection is quite an involved process. Switching to OAuth authentication involves a number of steps, which can be a bit confusing in the beginning if you have not worked with the concept before. In this post, we will walk you through the process in detail to help you understand what is required and how OAuth works for our CDS/CRM connections. We hope this complements the OAuth section of our online documentation page and provides you with some real-world configurations showing how it can be properly achieved.

Now, let's get started.

To use OAuth, you need to make sure you have registered an Azure App, and you need to get the Client App ID and Client Secret from the Azure Portal.  

If you do not already have an Azure App, then to create a new Azure App please follow these steps (Note, if you do already have an Azure App, then after step 1, please skip to step 4):

  1. Log in to Azure Portal and navigate to Azure Active Directory in the same tenant as your Dynamics 365 instance.

  2. In the left pane, click on “App registrations”, then select “New registration”.

  3. On the Registration page, please ensure that you enter a Redirect URI. For the Redirect URI, you can supply any valid https URL.

  4. After you click Register, you should now see your app in the App registrations page. This is where you get your App ID. Click on your App to continue on to adding permissions.

  5. In the left Navigation Pane, click on “API Permissions”. If you do not see a permission for Dynamics, click on “Add a permission” and select “Dynamics CRM” from the window that opens.

  6. Next, click on “Grant admin consent” to see the status change to Granted for the permissions. Please note that this step can also be done from our connection manager by clicking on the “Authorize” button there. If you do it here in the UI, then you will not need to click “Authorize” in our connection manager.

  7. To create your Client Secret, go to “Certificates & secrets” in the left Navigation Pane, then click on “New client secret”. Add a “Description” and “Expires” timeframe, then click “Add”.

Please note that the Client Secret is available to view and copy only at the time when it is created. If you forget to copy it at the time of creation, there is no way to reveal the client secret. In such cases, all you can do is create a new client secret, and you may remove the unrecoverable client secret if you know it is not used elsewhere.

Your App is now created and registered with the required permissions and Client Secret.

Note, in the Connection Manager, if you are choosing “OAuth Type” = “Client Credentials (server to server authentication)”, then you will also need to have an Application User created in your CRM Environment.  To create an Application User:

  1. Log in to your CRM instance.
  2. Click on the Settings icon in the upper right and select “Advanced Settings”.

  3. Click on the “Settings” down arrow, and select “Security”, and then select “Users” on the page that opens.

  4. Once in the system user view, you would want to change the user type to “Application Users”.

  5. Now you will be able to click the New button to create a new user.



    Make sure that the selected form is "User: Application User", then fill out the form to create an Application User. The Application ID should be the Client App ID that you got when you registered the App.

  6. This new Application User now needs a role. Click on the “Manage Roles” tab.

  7. Which role(s) you select depends on what level of access the user should have. For example, selecting “System Administrator” will give full access, but may not be appropriate for your user. Select an appropriate role and click “OK”.

Your Application User is now created and set up.  You do not need any of the information from the above User forms for the KingswaySoft connection manager, but if you did not have the App User created, you would encounter errors when using the connection.

Now we are ready to create the connection in SSIS

Once you have completed the above steps, you may now head to your SSIS development environment to complete the connection setup. If it is a package with an existing connection, you may simply switch your CDS/CRM connection to use OAuth. Otherwise, if your package does not currently have any connection, you may simply create one. The connection properties for the OAuth connection are filled out using all the information gathered above.
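As an added example (not KingswaySoft code and not part of the toolkit), the Python below builds the standard Microsoft identity platform client-credentials token request for the registered app and runs a diagnostic check on the claims of a returned access token, which helps confirm the app registration before troubleshooting the connection manager. The tenant ID, client ID and organization URL are constructed placeholders, and the check assumes the token carries the organization URL in `aud` and the App ID in `appid` or `azp`.

```python
import base64, json, time
from urllib.parse import urlencode

# Constructed placeholder values, not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ORG_URL = "https://contoso.crm.dynamics.com"

def token_request(tenant_id, client_id, client_secret, org_url):
    """Return (url, form_body) for the client-credentials grant.
    The body contains the secret: POST it over TLS and never log it."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" asks for the permissions already granted to the app
        "scope": org_url.rstrip("/") + "/.default",
    })
    return url, body

def jwt_claims(token):
    """Decode the payload segment only. Diagnostic use: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, client_id, org_url, now=None):
    """Return a list of problems; an empty list means the claims line up."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/").lower()
    if aud != org_url.rstrip("/").lower():
        problems.append(f"aud is {claims.get('aud')!r}, expected {org_url!r}")
    app = claims.get("appid") or claims.get("azp")  # v1 vs v2 token claim
    if app != client_id:
        problems.append(f"token was issued to app {app!r}, not {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def sample_token(claims):
    """Build a constructed, unsigned token so the check can run offline."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

A token that passes these checks but is still rejected by the environment usually points at the Application User or its security role rather than the Azure app registration.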

Closing Notes

In this blog post, we only covered the Client Credentials option. However, the OAuth authentication in the CDS/CRM connection manager supports additional options which we didn't cover in this blog post. They can be useful in other scenarios.

  • Password: The Password OAuth Type uses username and password along with the Client Id and secret.
  • Client Credentials: This is what we have discussed in this blog post.
  • Certificate: This uses a certificate key pair, out of which the public key would be uploaded to your Azure AD App, and the private key is installed on the machine or your server to generate a thumbprint to be used in the connection manager.
  • Interactive login (since v21.1): This option should be used only at design time to test, which uses interactive UI based login.

In short, OAuth is the recommended approach for Dynamics 365 CDS/CRM/Dataverse authentication. You can easily switch to it by following the above steps without losing any functionality, and you are better protected with the new authentication options.
