Purpose
The best method to authenticate to the Click service is by using an Application User. The Application User authentication method ensures compliance with the Microsoft multifactor authentication (MFA) requirement and also prevents any issues with Microsoft API limits. Each Dynamics 365 tenant has a request capacity that can only be used by Application Users and other non-licensed users, not by users with standard licenses, so this helps preserve the capacity for those standard licenses. Unlike the user in Username/Password authentication, this user does not need to be the owner of the Click workflows.
In addition, this should allow the use of service accounts that can connect to Dynamics 365 but do not require a Dynamics user license. This should also help prevent issues where all user accounts need to have multi-factor authentication (MFA) enabled, such as for tenants with the Microsoft Security Defaults enabled.
More about the Microsoft API Limits can be found in our article here.
More information about Click requirements around Dynamics 365 license types can be found here.
Please note that Application Users are only available for Dynamics Online Environments. As a best practice, it is recommended that a unique Application User is used for each environment to help isolate issues between environments.
Step 1: Setting up an Application Registration
To make use of this, an application registration needs to be created in Microsoft Entra ID (the new name for Azure Active Directory). To do this:
- Navigate to https://admin.powerplatform.microsoft.com and sign in, or from your Common Data Service environment web page.
- From the left pane, choose Admin centers > Microsoft Entra ID
- You will be taken to the Entra admin center. From the left pane, choose Identity > Applications > App registrations
- In App registrations choose + New registration
- In the Register an application form provide a name for your app, select Accounts in this organizational directory only, and choose Register. A redirect URI is not needed for this walkthrough and the provided sample code.
- On the Overview page, select API permissions
- Choose + Add a permission
- In the Microsoft APIs tab, choose Dynamics CRM.
  NOTE: Some users may not see the "Dynamics CRM" option in the "Request API Permissions" screen. This is OK - if you do not see the "Dynamics CRM" option, proceed directly to Step 3.
- In the Request API permission form, select Delegated permissions, check user_impersonation, and select Add permissions
- On the API permissions page below Grant consent, select Grant admin consent for "org-name" and when prompted choose Yes
- Select Overview in the navigation panel, record the Display name, Application ID, and Directory ID values of the app registration. You will provide these later in the code sample.
- In the navigation panel, select Certificates & secrets.
Step 2: Application User authentication with Client Secrets
To set up a client secret to identify your application, follow these steps after selecting Certificates & secrets:
- Below Client secrets, choose + New client secret to create a secret. Please note that these client secrets will eventually expire and may need to be generated again. The recommended lifetime for these client secrets is 6 months, and their maximum lifetime is 2 years.
- In the form, enter a description and select Add. Record the client secret value. You will not be able to view the secret again once you leave the current screen.
- If you require a certificate to identify your application, proceed to Step 3. If you do not require a certificate to identify your application, skip Step 3 and proceed directly to Step 4.
Step 3 (If Applicable): Application User authentication with Certificates
If you need to set up a certificate to identify your application, follow these steps after selecting Certificates & secrets:
- Below Certificates, choose Upload certificate to upload a valid certificate. Please note that you will need to use a .PEM certificate specifically in order to use the certificate to authenticate with Click.
- After uploading your certificate, proceed to Step 4 below.
Step 4: Creating an Application User
Once the application registration is done, an application user can be created by following the steps in this Microsoft article.
After the application user is created, find this user in Dynamics, open the MANAGE ROLES option, and assign the System Administrator security role to this application user so that it can access the desired organization data. Once the Click solution file has been successfully imported to your environment, you will need to assign the Click Service security role to the application user before proceeding to Step 5.
Step 5: Enabling Application User Authentication
Note: Before proceeding, ensure the Application User is set up correctly in the Power Platform center, as described in "Step 4: Creating an Application User" above. Skipping this may generate a "Service could not authenticate" error within the service credentials page.
Once the Application registration and Application User are created, Application User Authentication can be activated. To do so:
- Navigate to Settings > ClickDimensions Settings > Service Credentials
- Select the Update Authentication Method option.
- Select Application User and then click Next
- Enter the details for your Application User.
  For the Application ID (Client ID) field, you will need to enter the application ID of the app you registered earlier in the Azure AD. Under the Types of Credentials heading, you can select the tab for either Client Secret or Certificate.
  For the Client Secret tab, you will need to insert the Client Secret Value from the Client Secret that you generated earlier in the process.
  For the Certificate tab, you will need to upload the .PEM certificate that you uploaded for your application in Azure AD and the certificate password if you have one set for the certificate.
Finally, once your details are filled in, you will need to complete the captcha and click the Next button to confirm your credentials and complete the process. Please note that it may take up to 60 minutes for connectivity to be restored after changing authentication methods.
FAQ
Q: What does it mean when the "Grant admin consent" button is greyed out?
A: The Global Administrator of your tenant needs to grant admin consent on the API permissions section. If you do not know who this is, please contact your IT Team or Admin.
Q: I went through all the steps but I received a "Could not update the authentication method. The Client Secret is invalid. Please update the Client Secret and try again or contact your system administrator." error when trying to update the authentication method. What does this mean?
A: This message usually means that either the Client Secret or the Application User configuration is invalid due to a missing or incorrect setup step. To resolve this:
- Ensure you're using the correct Client Secret Value from the application, not the Client Secret ID, when updating the Service Credentials.
- Confirm that you've followed the setup guide exactly. Missing Step 4: Creating an Application User is a common cause of this error.
- Review all configuration steps to ensure nothing was skipped, misconfigured, or inaccurately pasted.
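A pre-flight check for the values entered in Step 5, as an added example that is not part of the original article or any ClickDimensions code: it catches the Secret ID pasted in place of the Client Secret Value, stray whitespace from copy/paste, and a client secret that has expired or is close to expiring. The function names, the 30-day warning window and all sample values are assumptions made for this example.

```python
import uuid
from datetime import date, timedelta

# Constructed sample values; none of these identify a real tenant or app.
APP_ID = "11111111-2222-3333-4444-555555555555"
DIR_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SECRET_ID = "99999999-8888-7777-6666-555555555555"
SECRET_VALUE = "constructed~Secret.Value_not-real-0123456789"


def is_guid(value: str) -> bool:
    """True when value is a canonical 8-4-4-4-12 GUID, the form Entra shows for IDs."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def preflight(app_id, directory_id, secret, secret_expires, today, warn_days=30):
    """Return a list of problems with the values about to be entered in Step 5."""
    problems = []
    fields = (("Application ID", app_id), ("Directory ID", directory_id),
              ("Client Secret", secret))
    for name, value in fields:
        if value != value.strip():
            problems.append(f"{name}: leading/trailing whitespace from copy/paste")
    if not is_guid(app_id.strip()):
        problems.append("Application ID: not a GUID")
    if not is_guid(directory_id.strip()):
        problems.append("Directory ID: not a GUID")
    # The Secret ID is displayed as a GUID; the Secret Value is not.
    if is_guid(secret.strip()):
        problems.append("Client Secret: looks like the Secret ID (a GUID), not the Value")
    if secret_expires <= today:
        problems.append("Client Secret: expired")
    elif secret_expires - today <= timedelta(days=warn_days):
        problems.append(f"Client Secret: expires within {warn_days} days, rotate it")
    return problems


if __name__ == "__main__":
    # Secret ID pasted by mistake: one problem is reported.
    for p in preflight(APP_ID, DIR_ID, SECRET_ID, date(2025, 7, 1), date(2025, 1, 1)):
        print(p)
```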