Application User Authentication

Purpose

In order to prevent issues due to the upcoming Microsoft API limits, we have introduced the ability to use an Application User for authentication to the Click service. Each Dynamics 365 tenant has a request capacity that can only be used by Application users and other non-licensed users and not by users with standard licenses, so this helps preserve the capacity for those standard licenses. This user does not need to be the owner of the Click workflows as it should be when using Username/Password authentication.

In addition, this should allow the use of service accounts that can connect to Dynamics 365 but do not require a Dynamics user license. This should also help prevent issues where all user accounts need to have multi-factor authentication (MFA) enabled, such as for tenants with the Microsoft Security Defaults enabled.

More about the Microsoft API Limits can be found in our article here.

More information about Click requirements around Dynamics 365 license types can be found here.

Please note that Application Users are only available for Dynamics Online Environments. As a best practice, it is recommended that a unique Application User is used for each environment to help isolate issues between environments.

Step 1: Setting up an Application Registration

To make use of this, an application registration needs to be created in Microsoft Entra ID (the new name for Azure Active Directory). To do this:

1. Navigate to https://admin.powerplatform.microsoft.com and sign in, or from your Common Data Service environment web page. 
   
   
2. From the left pane, choose Admin centers > Microsoft Entra ID
   
   
3. You will be taken to the Entra admin center. From the left pane, choose Identity > Applications > App registrations
   
4. In App registrations choose + New registration
5. In the Register an application form provide a name for your app, select Accounts in this organizational directory only, and choose Register. A redirect URI is not needed for this walkthrough and the provided sample code. 
   
   
6. On the Overview page, select API permissions
   
7. Choose + Add a permission 
   
   
8. In the Microsoft APIs tab, choose Dynamics CRM
9. In the Request API permission form, select Delegated permissions, check user_impersonation, and select Add permissions 
   
   
   
10. On the API permissions page below Grant consent, select Grant admin consent for "org-name" and when prompted choose Yes
    
11. Select Overview in the navigation panel, record the Display name, Application ID, and Directory ID values of the app registration. You will provide these later in the code sample. 
    
    
12. In the navigation panel, select Certificates & secrets.

Step 2: Application User authentication with Client Secrets

To setup a client secret to identify your application, follow these steps after selecting Certificates & secrets:

1. Below Client secrets, choose + New client secret to create a secret. Please note that these client secrets will eventually expire and may need to be generated again. The recommended lifetime for these client secrets is 6 months, and their maximum lifetime is 2 years.
   
   
2. In the form, enter a description and select Add. Record the client secret value. You will not be able to view the secret again once you leave the current screen.
   
   

Step 3 (If Applicable): Application User authentication with Certificates

If you need to setup a certificate to identify your application, follow these steps after selecting Certificates & secrets:

1. Below Certificates, choose Upload certificate  to upload a valid certificate. Please note that you will need to use a .PEM certificate specifically in order to use the certificate to authenticate with Click.
   

Step 4: Creating an Application User 

Once the application registration is done, then an application user can be created by following the steps in this Microsoft article.

After the application user is created, then you can find this user in Dynamics to access the  MANAGE ROLES option and assign the System Administrator security role to this application user so that the application user can access the desired organization data. Once the Click solution file has been successfully imported to your environment, you will need to assign the Click Service security role to them.

Step 5: Enabling Application User Authentication

Note: Before proceeding, ensure the Application User is set up correctly in the Power Platform center, as described in "Step 4: Creating an Application User" above. Skipping this may generate a "Service could not authenticate" error within the service credentials page. 

Once the Application registration and Application user are created, then the Application User Authentication can be activated. To do so:

1. Navigate to Settings > ClickDimensions Settings > Service Credentials
2. Select the Update Authentication Method option.
   
3. Select Application User and then click Next
   
4. Enter the details for your Application User.
   
   For the Application ID (Client ID) field, you will need to enter the application ID of the app you registered earlier in the Azure AD. Under the Types of Credentials heading, you can select the tab for either Client Secret or Certificate
   
   For the Client Secret tab, you will need to insert the Client Secret Value from the Client Secret that you generated earlier in the process:
   
   
   For the Certificate tab, you will need to upload the .PEM certificate that you uploaded for your application in Azure AD and the certificate password if you have one set for the certificate.
   

Finally, once your details are filled in, you will need to complete the captcha and click the Next button to confirm your credentials and complete the process. Please note that it may take up to 60 minutes for connectivity to be restored after changing authentication methods.