How to Configure Dynamics 365 S2S Authentication

The combination of the Dynamics 365 Web API and Azure Active Directory allows a variety of applications to integrate easily with Dynamics 365 to retrieve and update data.  This can be any type of application such as a web site or a data integration process and is commonly referred to as S2S, server-to-server, authentication.

Calling the Web API using S2S is a two step process. The first step is to authenticate the calling application using Azure Active Directory. The authentication process generates a token which is passed along with the Application Id when the Dynamics Web API is called. The Web API call then searches for a user account for the application. This is a special type of user account called application user.  Providing the application user has the appropriate rights the API is executed. Application user accounts do not consume a license which is an added bonus.

This post covers how to register an S2S application in Azure AD and how to create an application user in Dynamics with a custom security role to give the application specific security rights.

Goto to your Azure Portal and select the Azure Active Directory service and under App Registrations select New application registration.

Give you application registration a name. The sign on URL is required but not used so you can simply set it to localhost.

Once you Application Registration is saved you need to create the secret key that will be used for authentication. Select API Access and then Keys.

To create a password key give it a Description and select its expiry duration. Note: Once you save the password Key Value will be displayed.  You need save this somewhere secure as it cannot be viewed once you navigate away from here.

Another piece of information you will need to authenticate against Azure AD is the Endpoint identifier. To get it select Endpoint and extract the identifier from the Endpoint URLs.  https://login.microsoftonline.com/3e3105H8-06f9-46b6-9f79-3343ad707898/federationmetadata/2007-06/federationmetadata.xml

Azure AD Application Endpoint

Once you have registered the application you need to create the application user in the instance of Dynamics will be accessed by your application.  Goto to security in Dynamics and select the Appplication Users view. Select New and create the application user using the ID of the application you registered in Azure AD. You need to assign the application user a name and email address before you can save it.

Once the application user is saved you need to assign it a custom security role. You cannot assign it an out of the box role.

Once these step are done you can use one of the many ADAL libaries,  Azure Active Directory Authentication Libraries, to authenticate using the password key  and call the Dynamics 365 Web API. I will do an example of  how to use S2S authentciation this in another post.