In modern application development, secure API access is paramount—especially when working with systems like Dynamics 365, which hold sensitive business data. To meet these security needs, Microsoft has adopted OAuth 2.0, the industry-standard protocol for authorization.
When you want to access Dynamics 365 APIs—whether it’s the Dataverse Web API or other Dynamics 365 services—you’ll need to authenticate using OAuth 2.0 with Microsoft Entra ID (formerly Azure AD).
This article will guide you through the concepts, setup, and practical steps to implement OAuth 2.0 for accessing Dynamics 365 APIs securely and effectively.
What is OAuth 2.0?
OAuth 2.0 is an open standard protocol for delegated access. It allows applications to access resources on behalf of a user or service, without needing to expose the user’s credentials.
Key Components:
- Resource Owner: The user or system owning the data (e.g., Dynamics 365 user).
- Client: The app requesting access (e.g., a custom web app).
- Authorization Server: Microsoft Entra ID, which issues tokens.
- Resource Server: Dynamics 365 APIs, which accept tokens.
Dynamics 365 + OAuth 2.0
Dynamics 365 (built on Dataverse) supports OAuth 2.0 for authentication to its Web API. To access the API, you’ll need to:
- Register your application in Microsoft Entra ID.
- Acquire an access token using OAuth 2.0.
- Include the token in your HTTP request headers when calling the API.
The access token confirms the caller’s identity and permissions.
Application Scenarios
Here are common use cases for implementing OAuth with Dynamics:
- Backend app-to-app integration (using client credentials)
- Single Page Applications (SPA) accessing the Web API
- Mobile apps or native desktop apps
- Automated workflows and Power Platform connectors
Step-by-Step: Implementing OAuth 2.0 for Dynamics 365 APIs
Step 1: Register an App in Microsoft Entra ID
- Go to Azure Portal.
- Navigate to Microsoft Entra ID → App registrations.
- Click “New registration”.
- Enter a name (e.g., Dynamics365 API Client).
- Choose:
- Accounts in this organizational directory only (if internal use)
- Set a Redirect URI (e.g., for SPA or mobile app, if needed)
- Click Register.
Now you’ll receive:
- Client ID (Application ID)
- Directory (Tenant) ID
Step 2: Create a Client Secret or Certificate
For confidential clients (e.g., backend apps):
- Go to your app registration.
- Click Certificates & secrets.
- Create a new client secret and copy the value.
🔐 This secret acts like a password—store it securely.
Step 3: Assign API Permissions
- Go to API permissions → Add a permission.
- Choose Dynamics 365 or Common Data Service.
- Add:
- Delegated permissions (if calling on behalf of a user)
- Application permissions (for background apps)
⚠️ Application permissions require admin consent.
Step 4: Grant Admin Consent (if needed)
Click “Grant admin consent” in the portal to finalize access.
🔄 Authentication Flow
The authentication flow varies by scenario. Here’s an example using the client credentials flow for server-to-server integration.
Token Request (POST)
POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}
&client_secret={client_secret}
&scope=https://yourorg.crm.dynamics.com/.default
&grant_type=client_credentials
Response (JSON)
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1...",
"expires_in": 3599,
"token_type": "Bearer"
}
Making API Requests
Once you have the access token, make calls to Dynamics 365 Web API like this:
Example: Retrieve Accounts
GET https://yourorg.crm.dynamics.com/api/data/v9.2/accounts
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
OData-MaxVersion: 4.0
OData-Version: 4.0
Accept: application/json
Content-Type: application/json
You can use tools like Postman, curl, or write scripts in languages like C#, Python, or JavaScript.
Code Sample (Python)
import requests
tenant_id = 'your-tenant-id'
client_id = 'your-client-id'
client_secret = 'your-client-secret'
resource = 'https://yourorg.crm.dynamics.com/'
# Token URL
token_url = f'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token'
# Get token
data = {
'client_id': client_id,
'client_secret': client_secret,
'scope': resource + '/.default',
'grant_type': 'client_credentials'
}
response = requests.post(token_url, data=data)
access_token = response.json().get('access_token')
# Call Dynamics API
headers = {
'Authorization': f'Bearer {access_token}',
'OData-Version': '4.0',
'Accept': 'application/json'
}
api_url = resource + 'api/data/v9.2/accounts'
result = requests.get(api_url, headers=headers)
print(result.json())
Supported OAuth Flows
| Flow | Use Case |
|---|---|
| Authorization Code | Web apps with user login |
| Client Credentials | App-to-app (daemon/service apps) |
| Device Code | CLI or devices without browsers |
| Implicit Grant | Deprecated – replaced by PKCE |
| On-Behalf-Of | APIs calling other APIs with user context |
Scopes and Endpoints
Use the correct scope:
https://yourorg.crm.dynamics.com/.default
Token endpoint (v2.0):
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Best Practices
✅ Use Microsoft Identity Platform v2.0
This supports modern OpenID Connect + OAuth 2.0 standards, PKCE, and multi-tenant apps.
✅ Store Secrets Securely
Use Azure Key Vault or environment variables—never hardcode secrets.
✅ Use Application Permissions Cautiously
These give full access to Dynamics data—limit access via security roles.
✅ Handle Token Expiration
Access tokens typically expire in 1 hour. Refresh or reauthenticate as needed.
✅ Apply Principle of Least Privilege
Only request the minimal scopes and permissions required for the task.
✅ Monitor API Usage
Use the Power Platform Admin Center to monitor API calls and quota usage.
Troubleshooting Tips
| Error | Meaning | Fix |
|---|---|---|
invalid_client | Bad client secret | Verify secret and ID |
invalid_scope | Wrong scope | Use https://org.crm.dynamics.com/.default |
insufficient privileges | Permission missing | Add and consent to API permissions |
401 Unauthorized | Token issue | Check headers and token expiry |
Extending Further
- Secure with Conditional Access: Apply policies for accessing APIs via Entra ID.
- Automate with PowerShell or Logic Apps: Use OAuth tokens in custom automations.
- Use Microsoft Graph: Combine Dynamics and user metadata for richer integrations.