eyeballpaul

Reputation: 1735

Authenticate from MS Dynamics 365 to Azure Service Bus using Azure AD

I have a MS Dynamics 365 installation. I also have an Azure subscription with a Service Bus. I have an Azure AD tenant that they both use.

I am wondering how I can authenticate from MSD365 to Azure Service Bus in the best possible way? Can I do this with Azure AD in this setup?

Upon researching, I can see that another option is the use of Shared Access Signatures. However, it doesn't appear to be the recommended way by Microsoft, and I have a funny feeling the security team in my place of work would not fancy it either.

The calls out to Azure Service Bus could be as part of using MSD365, or it could be as part of a workflow.

Any help would be appreciated.

UPDATE

Removed mention of a different tenant as it wasn't relevant.

Upvotes: 0

Views: 1141

Answers (2)

eyeballpaul

Reputation: 1735

I managed to get this working using Azure AD.

Steps as follows:

  • Create a group in Azure AD and give access to send to the service bus queue

  • Create an app registration in Azure AD and add this app to the group

  • Create a private key and public certificate

  • Upload the public key to the app registration

  • In a console application (for testing), run the following code, substituting in the relevant values in the variables:

     using Azure.Core;
     using Azure.Identity;
     using Azure.Messaging.ServiceBus;

     string tenantId = "xxx";
     string clientId = "xxx";
     // PEM file holding the private key plus the certificate uploaded to the app registration
     string clientCertPath = "mykey.pem";
     string queueName = "xxx";
     string fullyQualifiedNamespace = "xxx.servicebus.windows.net";

     // Certificate-based client credential: the private key never leaves this host
     TokenCredential credential = new ClientCertificateCredential(tenantId, clientId, clientCertPath);
     await using var client = new ServiceBusClient(fullyQualifiedNamespace, credential);
     await using ServiceBusSender sender = client.CreateSender(queueName);

     ServiceBusMessage busMessage = new ServiceBusMessage("test");
     // await instead of .Wait() avoids sync-over-async deadlocks and surfaces the real exception
     await sender.SendMessageAsync(busMessage);


This appears to be a more secure way to integrate, rather than using Shared Access Signatures (SAS).

Upvotes: 0
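The four setup steps in the answer above, expressed as Azure CLI and openssl commands. This is an added example, not code from the original post: it generates the key pair locally (only the public certificate is uploaded), registers the app, places its service principal in a group, and grants that group the built-in "Azure Service Bus Data Sender" role scoped to a single queue rather than the whole namespace. All names, the queue/namespace/resource-group values and the environment variables are placeholder assumptions; the `az` commands need a prior `az login` and rights to create app registrations and role assignments.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Names and IDs are placeholders.

# Build the ARM resource ID of one queue: the narrowest scope at which a
# Service Bus data-plane role can be assigned (least privilege).
queue_scope() {
  sub="$1"; rg="$2"; ns="$3"; queue="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ServiceBus/namespaces/%s/queues/%s' \
    "$sub" "$rg" "$ns" "$queue"
}

# Generate the client key pair. The private key stays on the D365/workflow
# host (mode 600 via umask in a subshell); only cert.pem is uploaded.
# client.pem (key + certificate) is the file ClientCertificateCredential reads.
make_cert() {
  dir="$1"; cn="$2"; days="${3:-365}"
  mkdir -p "$dir"
  ( umask 077
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days "$days" \
      -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/client.pem" )
}

# Register the app, attach the public certificate, put the service principal
# in a group and grant that group send-only rights on exactly one queue.
# Prints the application (client) ID to use in the C# code.
register_sender() {
  app_name="$1"; group_name="$2"; cert="$3"; scope="$4"
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  # "@file" loads the PEM certificate; the private key is never sent to Azure AD.
  az ad app credential reset --id "$app_id" --cert "@$cert" --append >/dev/null
  # Newer (Graph-based) CLI returns the object ID as "id"; older builds used "objectId".
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  group_id=$(az ad group create --display-name "$group_name" \
    --mail-nickname "$group_name" --query id -o tsv)
  az ad group member add --group "$group_id" --member-id "$sp_id"
  az role assignment create --assignee-object-id "$group_id" \
    --assignee-principal-type Group \
    --role "Azure Service Bus Data Sender" --scope "$scope" >/dev/null
  printf '%s\n' "$app_id"
}

# Only talks to Azure when run as: SUBSCRIPTION_ID=... RESOURCE_GROUP=... \
#   NAMESPACE=... QUEUE=... sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  SCOPE=$(queue_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$NAMESPACE" "$QUEUE")
  make_cert ./d365-sender "d365-servicebus-sender" 365
  register_sender "d365-servicebus-sender" "sb-queue-senders" \
    ./d365-sender/cert.pem "$SCOPE"
fi
```

Scoping the role to the queue resource ID rather than the namespace means a compromised certificate can only send to that one queue; if the integration also needs to receive, add "Azure Service Bus Data Receiver" on the same scope instead of widening to Data Owner. Rotate by running `make_cert` again and a second `az ad app credential reset --append`, then remove the old certificate once the D365 side has switched files.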

Kartik Bhiwapurkar

Reputation: 5159

• Since Azure Service Bus only offers connecting/communicating with other applications securely through SAS connection strings, there is no other method available to allow MS Dynamics 365 to send or listen for messages to or from Azure Service Bus queues. However, you can enhance the security of your integration with MS Dynamics 365 in another tenant as below:

a) You can configure a private service endpoint in your Azure Service Bus subscription for the queue namespace that you have configured to listen/send messages from/to MS Dynamics 365 in another tenant. Through this, you can also configure the queue to use private DNS records by integrating with your private DNS zone in the same tenant, or in the other tenant where your actual organization's AD resides. You can peer your virtual networks across the tenants to ensure that the connection happens over the private network only.

Azure Service Bus - Private endpoint

b) Also, you can configure specific virtual networks to connect under the 'Public Access' option and restrict the connection to specific IP address ranges in the other tenant for communication.

Azure Service Bus - Public networking

c) Also, you can configure the Azure Service Bus queue in the same tenant that hosts your organization's AD to apply role-based access assignments to specific users, groups, applications and service principals, granting only the permissions of the role related to that queue.

Azure Service RBAC

These are the methods through which you can enhance the security of your integration with Azure Service Bus.

Please find the links below for reference regarding the integration of Microsoft Dynamics 365 with Azure Service Bus:

https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/azure-integration?view=op-9-1

https://powermaverick.dev/2019/03/10/azure-ad-authentication-with-dynamics-crm/

Upvotes: 2
