Reputation: 553
Microsoft Azure access_token not accepted in CRM requests
I am putting together an api integration with Dynamics CRM on premise (v8.1/8.2), on a IFD, using the password grant type.
I am retrieving an access token successfully, however when I then try to call endpoints (e.g /api/data/v8.2/contacts?$select=fullname,contactid ) I get 401 - access denied errors. When I log into the CRM with the user I can successfully view this data and the error occurs on all tested endpoints.
Interestingly this morning I realised the tokens retrieved cannot be base64 decoded - is that correct?
I could use some ideas on what to look at next to resolve the problem. Steps I've taken:
- Triple checking the initial token request
- Triple checked the Service Root URL
- Tried on two CRM/Azure setups
- Tried with my own (node) code and internet examples
- A wide variety of token setups
- Confirmed the user exists in Azure and the CRM
- Confirmed user has sufficient permissions
- Confirmed the application on Azure has all dynamics permissions granted
- Confirmed I am on the same network as Azure and the CRM
It seems apparent that I have a configuration issue somewhere in Azure or the CRM. However no guide or question I can find suggests looking at problems I haven't already checked for and I could really use some input from those who have had to make adjustments in obscure settings ect.
Heres my token request:
var options = {
method: 'POST',
url: 'https://login.microsoftonline.com/<snip>/oauth2/token', //for 'intercity technology' (guid is unique)
headers:
{
'cache-control': 'no-cache',
'content-type': 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' },
formData:
{
grant_type: 'password',
client_id: ‘<snip>’, //aplication id
client_secret: ‘<snip>’, //any key in the keys list
username: ‘<snip>’,
password: ‘<snip>’, // and their password
resource: ‘<snip>’ //application id
}
};
logger.debug(util.inspect(options));
request(options, function (error, response, body) {
...
Heres my current api request test:
var options = {
method: 'GET',
url: organisation_url + '/api/data/v8.2/contacts?$select=fullname,contactid',
headers: {
Authorization: 'Bearer '+token,
Accept: 'application/json',
'OData-MaxVersion':4.0,
'OData-Version': 4.0,
'Content-Type': 'application/json; charset=utf-8',
'Prefer': 'odata.maxpagesize=500',
'Prefer': 'odata.include-annotations=OData.Community.Display.V1.FormattedValue'
}
};
logger.debug(util.inspect(options));
request(options, function (error, response, body) {
...
Upvotes: 0
Views: 177
Answers (1)
Reputation: 2848
You'll need to use a grant type of 'client_credentials' instead of 'password' as the later isn't supported. Something like:
grant_type: 'client_credentials',
client_id: ‘<snip>’, //aplication id
client_secret: ‘<snip>’, //any key in the keys list
resource: ‘<snip>’ //CRM Url
Follow the guide here and all the links to ensure the AAD application is registered correctly and the CRM application user is in place.
Upvotes: 1
Related Questions
- Trying Web API Dynamics 365 CRM - 403-Forbidden error
- Getting back 401 from Dynamics 365 despite being issued valid token
- Dynamics CRM - get access token without Azure
- Error AADSTS90002 on aquire authentication token for Dynamics 365
- 401- Unauthorized authentication using REST API Dynamics CRM with Azure AD
- Dynamics CRM 401 with token provided
- Azure AD Bearer invalid_token error using Postman
- Dynamics CRM 365 - Invalid User Authorization The user authentication passed to the platform is not valid
- Dynamics CRM web api 401 Unauthorized after obtaining Oauth token
- SecurityException while connecting to CRM from Host Machine (The token provider cannot get tokens..... )