I have a scenario is one where the user has signed into CRM and triggers some functionality that calls a third party API to retrieve data that is not in CRM.
This API is a registered application in the Same Azure Active Directory as where the CRM resides. CRM single sign on is enabled.
I am trying to find an example of C# code which retrieves the authorization code via a CRM plugin. So far, I have managed to retrieve the token using a client secret as described in this article:
Retrieving token without the ADAL client library
I have implemented a basic call with the parameters defined in this article:
Requesting an Authorization code
But I need to pass the user session to make it work. It currently throws an error
A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).
Any help appreciated.
AFAIK, it is not suitable to interact with Azure AD using the Oauth code grant flow in the Microsoft Dynamics 365 plug-in since it required users interaction. And it is not able to send the session in the Microsoft Dynamics 365 plug-in to authenticate using ADAL library.
If you only want to access the Microsoft Dynamics 365 organization service in the CRM plug-in, there is no need to use the ADAL library to authenticate again.
It is only required that plug-in code create an instance of the service through the ServiceProvider.GetService method.
// Obtain the organization service reference.
IOrganizationServiceFactory serviceFactory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
IOrganizationService service = serviceFactory.CreateOrganizationService(context.UserId);
More detail about context of Microsoft Dynamics 365 Plug-in development, please refer the link below:
Understand the data context passed to a plug-in
Related
Is it possible to authenticate to Sharepoint Online REST API with Azure AD application v2.0 authentication? If yes, which scope should I use for requesting my permissions. Now (for MS Graph API usage) I request "https://graph.microsoft.com/.default" as scope but didn't find any alternative to this for Sharepoint Online REST API.
I already registered an application on apps.dev.miscrosoft.com, this application is available on portal.azure.com. There I have added required permissions for Sharepoint Online.
Yes you can. To do this first you need to get a new access token using a regular refresh token you got for the graph already:
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
Except this time pass the following for the scope header:
https://{{tenantName}}.sharepoint.com/Sites.Read.All
Your application will need to already be consented for this scope etc...
The response will give you can access token that can be used again SPO APIs.
It should be the same authentication with Azure AD, the scope you are looking for should be the Site scopes.
https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-beta#sites-permissions
Do not have SharePoint sites to check but if permission are granted to the application you should be able to query SharePoint site using Azure Graph APIs.
https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-beta
Overview
https://learn.microsoft.com/en-us/graph/sharepoint-concept-overview
My requirement is described below.
User uploads the document through web-app and document saves in to shared location.
Application service (cron job or server code) , selects the documents and extracts the details.
Cron job send the details to SharePoint rest api which is protected by azure AD. (Oauth protocol)
I have a valid AZURE client ID and Secret ID which has application level access permission. I got access token by using AZURE client ID and Secret ID from AZURE AD with help of simple JAVA code but am getting following error when i call sharepoint online REST service using Oauth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue ?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1.Get the security token from Microsoft authentication portal.
2.Get the cookies from the SharePoint Online server.
3.Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
Access Office 365 from JAVA, we can use Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java
Is it possible to flow the user credentials from a CRM plug-in to a web API hosted in Azure?
I'm working on a project where a Dynamics CRM plug-in will make a call to a custom ASP.Net Core 2.0 Web API hosted in the same Azure tenant.
I have no Dynamics CRM experience; we have a team member who has done a lot of CRM integration, but he's always used a service account to connect to the other application.
I'm trying to avoid that.
Ideally, this web API would perform some work using the credentials of the CRM user, since the user's credentials will be valid in both CRM and the web API.
I would really like to have the user's credentials (such as email) come from a trusted authority and not just passed by the caller. I already have code that pulls the user's email (for example) from the user's Claims (from another part of the project).
In my perfect scenario, the plug-in code would pass the user's OpenID Connect to the web API; but I've found nothing that indicates that CRM supports OpenID Connect.
I have seen articles that talk about calling CRM from an external application using Oauth, but nothing that shows CRM calling a service with any kind of token-based authentication.
A fallback would be to use an OAuth bearer token, and have the plug-in pass the user's information to the web API.
Does anyone have any information on how to flow the CRM user's credentials to a web API call, or acquiring a bearer token to pass to a web API?
Thanks
I need to integrate my web application (multi-tenant SaaS product) into my users' Dynamics CRM so it can pull their data.
I have learnt that Azure Active Directory apps can take care of such integrations (OAuth) but I cannot figure out how my users can grant my app access to their Dynamics CRM data.
Apparently, every user of mine should create an Azure AD app (with access to their Dynamics CRM account) and then my Azure AD app should be authorised to make requests on behalf of their AD app.
I have no idea how I can make this process work.
Any advice would be much appreciated.
For Dynamics CRM versions 2016 and 365, data can be accessed via the Web API.
When using the Web API by sending, for example, an HTTP GET request, a request header must be present in the format: { 'Authorization': 'Bearer' + token } where token is an OAuth 2 Bearer Token.
To obtain a token, I'd suggest using the Azure AD authentication Library (ADAL).
To authenticate with Dynamics CRM via ADAL, you'll have to register your web application under Azure Active Directory along with Dynamics CRM. Registering your app will give you a client ID which is required by the OAuth 2.0 authorisation flow. This post is very useful.
If your app will have administrative privilege, then it will have access to other user's data. There are several things you should make sure of when configuring OAuth, check this:
http://phuocle.net/crm/dynamics-365-online-s2s-authentication-full-explain.aspx
so to highlight the most important things from my perspective:
you should have a special user for handling that
this user should not have any license assigned - so you have to sign a license for him, a take it back after done configuring him
user should have a custom role (can be role copied from System Administrator)
I have created WebApi and hosted it to Azure server, now I want to get data from Microsoft Dynamics CRM into this API with logged in Office 365 users credentials.
So when I call the WebApi from office 365 it takes Office 365 logged in user's credentials and get data from CRM of same user.
For getting Dynamics 365 data you need the access token which as you mentioned is granted by office 365 OAuth server. Assuming that you already registered your app in Azure active directory and gained your client Id and secret key, you need also give permission to your app to access Dynamics 365 (using Required permissions in Setting panel of app registration).
After setting up your app in Azure AD, then you can redirect your user to office 365 login page (OAuth 2.0 Authorization Endpoint) for getting the access token. there are different methods to do it. In my experience I used getting token using Authentication code, but generally you need to compose a url to login page with following param:
'https://login.windows.net/' + tenant + '/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=<state>&resource=<resource>'
In case of Authentication code it returns a code which you can use to acquire token. Microsoft developed some drivers which does it for you. If you use node.js you can check out adal, for sure they have something similar for dot.net.
After getting your access token, you just need to call your Dynamics 365 (resource) to get the data.