0
votes

I have a web app that has been defined on Azure AD to have permission to Dynamics 365 (Delegated Permissions).

And I'm using the Client Credentials Grant to get an access token from Azure AD. So I'm doing this:

var clientCredential = new ClientCredential(clientId, clientSecret);
var result = authContext.AcquireTokenAsync(dynamicsTenant, clientCredential).Result;

But I keep getting HTTP 401 when I try to access the Web APIs like this:

var response = httpClient.GetAsync(dynamicsTenant + "/api/data/v8.1/contacts").Result;

It works with Resource Owner Password Credentials Grant, like this:

var userCredential = new UserPasswordCredential("crmuser", "crmpwd");
var result = authContext.AcquireTokenAsync(dynamicsTenant, clientId, userCredential).Result;

Is there a possible configuration on Dynamics 365 that could be prohibiting the access?

My aim is to consume the Dynamics (Online) Web API from a (headless) confidential client.

1

1 Answer

1
votes

There are 2 types of permissions that AAD supports, which match up to the two main types of authentication methods.

There are application permissions and delegated permissions, see here.

Application Permissions: Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for native client applications.

Delegated Permissions: Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.

In order to use your delegated permissions, you can use the Authorization Code Grant Flow.

If you use the Client Credential Flow to get your access token, the expectation is you must request Application Permissions; otherwise, you will get an unauthorized response.

Let me know if this helps!
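Added example, not part of the answer above or of the asker's code: a diagnostic that decodes an Azure AD access token's payload and reports whether it carries delegated permissions (the `scp` claim) or application permissions (the `roles` claim), which is the distinction the answer draws. It assumes .NET with System.Text.Json; `TokenInspector`, `Describe`, `Sample` and the sample payloads are constructed for illustration, and the signature is deliberately not validated.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenInspector
{
    // Decode the payload (middle segment) of a compact JWT.
    // Diagnostic use only: the signature is NOT checked here.
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    public static string Describe(string jwt)
    {
        JsonElement p = DecodePayload(jwt);
        // Delegated tokens carry the granted scopes as a space-separated string.
        if (p.TryGetProperty("scp", out JsonElement scp))
            return "delegated (user context), scp=" + scp.GetString();
        // App-only tokens carry granted application permissions as an array.
        if (p.TryGetProperty("roles", out JsonElement roles)
            && roles.ValueKind == JsonValueKind.Array && roles.GetArrayLength() > 0)
            return "app-only, roles=" + roles.GetRawText();
        // Client credentials token for an app that was only given delegated permissions.
        return "app-only, no application permissions in token";
    }

    // Build an unsigned, constructed sample token around a payload.
    static string Sample(string payloadJson)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"typ\":\"JWT\",\"alg\":\"RS256\"}") + "." + Enc(payloadJson) + ".sig";
    }

    static void Main()
    {
        // Constructed payloads; claim values are placeholders.
        Console.WriteLine(Describe(Sample("{\"appid\":\"app-1\",\"scp\":\"user_impersonation\"}")));
        Console.WriteLine(Describe(Sample("{\"appid\":\"app-1\",\"roles\":[\"Example.Read.All\"]}")));
        Console.WriteLine(Describe(Sample("{\"appid\":\"app-1\"}")));
    }
}
```

Passing `result.AccessToken` from each of the two `AcquireTokenAsync` calls in the question to `Describe` shows which kind of token each grant produced.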