Purpose
To prevent issues caused by the upcoming Microsoft API limits, we have introduced the ability to use an Application User for authentication to the ClickDimensions service. Each Dynamics 365 tenant has a separate request capacity that can only be consumed by Application Users and other non-licensed users, not by users with standard licenses, so routing the ClickDimensions connection through an Application User preserves the capacity allotted to those standard licenses. Also, this user does not need read-write access to, or ownership of, the ClickDimensions workflows, which is required when using Username/Password authentication.
In addition, this allows the use of service accounts that can connect to Dynamics 365 but do not require a CRM user license. It also helps avoid issues in tenants that require multi-factor authentication (MFA) on all user accounts, such as tenants with Microsoft Security Defaults enabled.
More about the Microsoft API Limits can be found in our article here.
Please note that Application Users are only available for CRM Online environments, and the same Application User cannot be used in more than one environment. A separate Application User is needed for each environment.
Setting up an Application Registration
To make use of this, an application registration needs to first be created in Azure Active Directory. To do this:
- Navigate to https://admin.microsoft.com and sign in, or from your Common Data Service environment web page, select the application launcher in the top left corner.
- Choose Admin > Admin centers > Azure Active Directory
- From the left panel, choose Azure Active Directory > App registrations (Preview)
- Choose + New registration
- In the Register an application form provide a name for your app, select Accounts in this organizational directory only, and choose Register. A redirect URI is not needed for this walkthrough and the provided sample code.
- On the Overview page, select API permissions
- Choose + Add a permission
- In the Microsoft APIs tab, choose Dynamics CRM
- In the Request API permission form, select Delegated permissions, check user_impersonation, and select Add permissions
- On the API permissions page below Grant consent, select Grant admin consent for "org-name" and when prompted choose Yes
- Select Overview in the navigation panel, record the Display name, Application ID, and Directory ID values of the app registration. You will provide these later in the code sample.
- In the navigation panel, select Certificates & secrets
- Below Client secrets, choose + New client secret to create a secret
- In the form, enter a description and select Add. Record the secret string. You will not be able to view the secret again once you leave the current screen.
Creating an Application User
Once the application registration is complete, create an application user as follows:
- Navigate to your Common Data Service environment (https://[org].crm.dynamics.com).
- Navigate to Settings > Security > Users.
- Choose Application Users in the view filter.
- Select + New.
- In the Application User form, enter the required information.
- The user name information must not match a user that exists in the Azure Active Directory.
- In the Application ID field, enter the application ID of the app you registered earlier in the Azure AD.
- If the setup is correct, then after selecting SAVE, the Application ID URI and Azure AD Object Id fields will auto-populate with correct values.
- Before exiting the user form, choose MANAGE ROLES and assign a security role to this application user so that the application user can access the desired organization data.
Enabling Application User Authentication
Once the Application Registration and Application User have been created, Application User Authentication can be activated. To do so:
- Navigate to Settings > ClickDimensions Settings > Service Credentials
- Select the "Update Authentication Method" option.
- Select "Application User" and then click "Next".
- Enter the details for your Application User.
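Before entering the details into ClickDimensions, it is worth confirming that the Application ID, Directory ID and client secret actually resolve to the Application User you created. The script below is an added example (not ClickDimensions or Microsoft code): it obtains a token with the OAuth2 client credentials flow scoped to the environment and calls the read-only WhoAmI action, which returns the systemuser id the token is mapped to. The D365_* environment variable names are assumptions; the token and Web API endpoints are the standard ones.

```python
"""Smoke-test a Dynamics 365 Application User via the OAuth2 client credentials flow.
Added example, not ClickDimensions or Microsoft code; the D365_* variable names are assumed."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def token_request(tenant_id, client_id, client_secret, org):
    """Build the token request; the scope must name the environment the user was created in."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{org}.crm.dynamics.com/.default",
    }
    return url, form


def whoami_url(org):
    """WhoAmI needs no write access and returns the systemuser id the token maps to."""
    return f"https://{org}.crm.dynamics.com/api/data/v9.2/WhoAmI"


def verify_application_user(tenant_id, client_id, client_secret, org):
    """Fetch a token, call WhoAmI, and return the UserId the token resolves to."""
    url, form = token_request(tenant_id, client_id, client_secret, org)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    try:
        with urllib.request.urlopen(urllib.request.Request(whoami_url(org), headers=headers)) as resp:
            return json.load(resp)["UserId"]
    except urllib.error.HTTPError as err:
        # A token was issued, so the app registration is fine; 401/403 here usually means
        # the Application User is missing in this environment or has no security role yet.
        raise SystemExit(f"WhoAmI failed with HTTP {err.code}; check the Application User") from err


if __name__ == "__main__":
    # Read the secret from the environment; never paste it into a script or ticket.
    print("Application User id:", verify_application_user(
        os.environ["D365_TENANT_ID"], os.environ["D365_CLIENT_ID"],
        os.environ["D365_CLIENT_SECRET"], os.environ["D365_ORG"]))
```

Compare the returned UserId with the Application User record under Settings > Security > Users; if the call fails or returns a different user, fix the Application User or its security role before entering the details into ClickDimensions.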