Articles in this section

See more

Application User Authentication

Avatar
Curtis Luckey
  • Edited

Purpose

In order to prevent issues due to the upcoming Microsoft API limits, we have introduced the ability to use an Application User for authentication to the ClickDimensions service. Each Dynamics 365 tenant has a request capacity that can only be used by Application users and other non-licensed users and not by users with standard licenses, so this helps preserve the capacity for those standard licenses. This user does not need to be the owner of the ClickDimensions workflows as it should be when using Username/Password authentication.

In addition, this should allow the use of service accounts that can connect to Dynamics 365 but do not require a CRM user license. This should also help prevent issues where all user accounts need to have multi-factor authentication (MFA) enabled, such as for tenants with the Microsoft Security Defaults enabled.

More about the Microsoft API Limits can be found in our article here.

More information about ClickDimensions requirements around Dynamics 365 license types can be found here.

Please note that Application Users are only available for CRM Online Environments. As a best practice, it is recommended that a unique Application User is used for each environment to help isolate issues between environments.

Setting up an Application Registration

To make use of this, an application registration needs to first be created in Azure Active Directory. To do this:

  1. Navigate to https://admin.powerplatform.microsoft.com and sign in, or from your Common Data Service environment web page. 
  2. Choose Admin centers > Azure Active Directory 
  3. From the left panel, choose Azure Active Directory > App registrations
  4. Choose + New registration 
  5. In the Register an application form provide a name for your app, select Accounts in this organizational directory only, and choose Register. A redirect URI is not needed for this walkthrough and the provided sample code. 
    register_an_app.png

  6. On the Overview page, select API permissions
    blobid1.png
  7. Choose + Add a permission 
  8. In the Microsoft APIs tab, choose Dynamics CRM 
  9. In the Request API permission form, select Delegated permissions, check user_impersonation, and select Add permissions 
    blobid2.png


  10. On the API permissions page below Grant consent, select Grant admin consent for "org-name" and when prompted choose Yes
    blobid3.png
  11. Select Overview in the navigation panel, record the Display name, Application ID, and Directory ID values of the app registration. You will provide these later in the code sample. 
  12. In the navigation panel, select Certificates & secrets.

Application User authentication with Client Secrets

To setup a client secret to identify your application, follow these steps after selecting Certificates & secrets:

  1. Below Client secrets, choose + New client secret to create a secret. Please note that these client secrets will eventually expire and may need to be generated again. The recommended lifetime for these client secrets is 6 months, and their maximum lifetime is 2 years.
  2. In the form, enter a description and select Add. Record the client secret value. You will not be able to view the secret again once you leave the current screen.
    Screenshot_2021-06-17_at_09.05.05.png

Application User authentication with Certificates (Coming Soon)

To setup a certificate to identify your application, follow these steps after selecting Certificates & secrets:

  1. Below Certificates, choose Upload certificate  to upload a valid certificate. Please note that you will need to use a .PEM certificate specifically in order to use the certificate to authenticate with ClickDimensions.Application_certificates.png

Creating an Application User 

Once the application registration is done, then an application user can be created by following the steps in this Microsoft article.

After the application user is created, then you can find this user in CRM to access the  MANAGE ROLES option and assign the ClickDimensions Service security role and/or the System Administrator security role to this application user so that the application user can access the desired organization data. 

Enabling Application User Authentication

Once the Application registration and Application user are created, then the Application User Authentication can be activated. To do so:

    1. Navigate to Settings > ClickDimensions Settings > Service Credentials
    2. Select the Update Authentication Method option.
      update_authentication.png
    3. Select Application User and then click Next
      Service_credentials_-_select_app_user.png
    4. Enter the details for your Application User.
      Service_Credentials3.png
      For the Application ID (Client ID) field, you will need to enter the application ID of the app you registered earlier in the Azure AD. Under the Types of Credentials heading, you can select the tab for either Client Secret or Certificate
      For the Client Secret tab, you will need to insert the Client Secret Value from the Client Secret that you generated earlier in the process:

      copy-secret.png
      For the Certificate tab, you will need to upload the .PEM certificate that you uploaded for your application in Azure AD and the certificate password if you have one set for the certificate.

Finally, once your details are filled in, you will need to complete the captcha and click the Next button to confirm your credentials and complete the process. Please note that it may take up to 60 minutes for connectivity to be restored after changing authentication methods.

 

Was this article helpful?
7 out of 10 found this helpful

Related articles