Articles in this section

See more

Application User Authentication

Avatar
Curtis Luckey
  • Edited

Purpose

In order to prevent issues due to the upcoming Microsoft API limits, we have introduced the ability to use an Application User for authentication to the ClickDimensions service. Each Dynamics 365 tenant has a request capacity that can only be used by Application users and other non-licensed users and not by users with standard licenses, so this helps preserve the capacity for those standard licenses. This user also needs read-write access, but it does not need to be the owner of the ClickDimensions workflows as it should be when using Username/Password authentication.

In addition, this should allow the use of service accounts that can connect to Dynamics 365 but do not require a CRM user license. This should also help prevent issues where all user accounts need to have multi-factor authentication (MFA) enabled, such as for tenants with the Microsoft Security Defaults enabled.

More about the Microsoft API Limits can be found in our article here.

More information about ClickDimensions requirements around Dynamics 365 license types can be found here.

Please note that Application Users are only available for CRM Online Environments. As a best practice, it is recommended that a unique Application User is used for each environment to help isolate issues between environments.

Setting up an Application Registration

To make use of this, an application registration needs to first be created in Azure Active Directory. To do this:

  1. Navigate to https://admin.microsoft.com and sign in, or from your Common Data Service environment web page, select the application launcher in the top left corner. 
  2. Choose Admin > Admin centers > Azure Active Directory 
  3. From the left panel, choose Azure Active Directory > App registrations (Preview) 
  4. Choose + New registration 
  5. In the Register an application form provide a name for your app, select Accounts in this organizational directory only, and choose Register. A redirect URI is not needed for this walkthrough and the provided sample code. 
    blobid0.png


  6. On the Overview page, select API permissions
    blobid1.png
  7. Choose + Add a permission 
  8. In the Microsoft APIs tab, choose Dynamics CRM 
  9. In the Request API permission form, select Delegated permissions, check user_impersonation, and select Add permissions 
    blobid2.png


  10. On the API permissions page below Grant consent, select Grant admin consent for "org-name" and when prompted choose Yes
    blobid3.png
  11. Select Overview in the navigation panel, record the Display name, Application ID, and Directory ID values of the app registration. You will provide these later in the code sample. 
  12. In the navigation panel, select Certificates & secrets.
  13. Below Client secrets, choose + New client secret to create a secret. Please note that these client secrets will eventually expire and may need to be generated again. The recommended lifetime for these client secrets is 6 months, and their maximum lifetime is 2 years.
  14. In the form, enter a description and select Add. Record the client secret value. You will not be able to view the secret again once you leave the current screen.
    Screenshot_2021-06-17_at_09.05.05.png

Creating an Application User 

Once the application registration is done, then an application user can be created by:

  1. Navigate to your Common Data Service environment (https://[org].crm.dynamics.com). 
  2. Navigate to Settings > Security > Users.
  3. Choose Application Users in the view filter. 
  4. Select + New. 
  5. In the Application User form, enter the required information.
      1. The user name information must not match a user that exists in the Azure Active Directory. 
      2. In the Application ID field, enter the application ID of the app you registered earlier in the Azure AD.
    blobid4.png
  6. If the setup is correct, then after selecting SAVE, the Application ID URI and Azure AD Object Id fields will auto-populate with correct values. 
    blobid5.png


  7. Before exiting the user form, choose MANAGE ROLES and assign a security role to this application user so that the application user can access the desired organization data. 
  8.  

 

Enabling Application User Authentication

Once the Application registration and Application user are created, then the Application User Authentication can be activated. To do so:

    1. Navigate to Settings > Click Dimensions Settings > Service Credentials
    2. Select the "Update Authentication Method" option.
      Update_authentication_method.png
    3. Select "Application User" and then click "Next"
      select_app_user.png
    4. Enter the details for your Application User.
      Application_User_window.png
      For the Client Secret field, you will need to insert the Client Secret Value from the Client Secret that you generated earlier in the process:

      copy-secret.png

Finally, once your details are filled in, you will need to click the 'Update Authentication Method' button to complete the process. Please note that it may take up to 60 minutes for connectivity to be restored after changing authentication methods.

 

Was this article helpful?
5 out of 7 found this helpful

Related articles