If you want to call Dynamics 365 over the Web API, you have to bind Dynamics 365 to an Azure AD Application.
To use Dynamics 365 from an Azure Logic App with Azure AD authentication (OAuth), you need to create an Azure AD Application (application identity) and grant it sufficient permissions.
There is already a great guideline.
Create Azure AD Application
You can find how to create an Azure AD Application here. Let's create an application called MyDynamicsApp for reference.
You need to create a Key (secret). Don't forget to copy the secret: it is displayed only once, right after you create it, and you will not be able to obtain the value again regardless of your permissions.
Once you have created the Azure AD Application, grant it permissions to the Dynamics 365 API: navigate to the newly created Azure AD Application, open Required Permissions, click the Add button and select Dynamics 365 from the API list.
Under DELEGATED PERMISSIONS, select the permission and click Save.
To avoid displaying the consent form when browsing to your Dynamics 365 instance, you can click the Grant Permissions button, which is visible when you navigate to Required Permissions.
Create CRM Application User
To enable a systemuser in Dynamics 365, navigate to Settings -> Security -> Users and switch the view to Application Users. Either select an existing user or create a new one. Switch the form view to Application User.
Please be aware that there is no need for an Office 365 user or an applied Dynamics 365 licence: you will have an Application user, with your Azure AD Application treated as an application identity.
Now you are ready to link the application user to the Azure Application Identity. Enter the Application ID of your MyDynamicsApp application and save.
Once you have entered the Azure Application ID in the Dynamics 365 SystemUser form, you should be able to connect over the Web API.
If you are still unauthorized, follow these steps:
- enter a different valid Application ID
- save the systemuser
- enter the correct Application ID
- save the systemuser
Your systemuser record will be updated with the respective values obtained from the Azure AD Application:
- Application ID URI
- Azure AD Object ID
Please ensure the above values exist in the Azure AD Application; essentially, Application ID URI must be equal to App ID URI.
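When the Web API still answers with an authorization error, it helps to check what the access token actually carries. The following is an added example, not code from the original post: assuming the application uses the client-credentials grant against the Azure AD v1 token endpoint, it builds the token request and decodes a token's claims (without verifying the signature) to confirm that the appid claim matches the Application ID entered on the systemuser form and the aud claim matches the Dynamics 365 instance URL. The environment variable name, the IDs, the URL and the sample tokens are constructed placeholders.

```python
import base64
import json
import os
import urllib.parse

def build_token_request(tenant_id, app_id, resource_url, secret_env="MYDYNAMICSAPP_SECRET"):
    """Return (url, form_body) for a client-credentials request (Azure AD v1 endpoint)."""
    secret = os.environ[secret_env]  # assumed variable name; keeps the key out of source
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,        # Application ID of MyDynamicsApp
        "client_secret": secret,    # the Key created for the application
        "resource": resource_url,   # Dynamics 365 instance URL
    })
    return url, body

def decode_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, app_id, resource_url):
    """List mismatches between token claims and the values configured in Dynamics 365."""
    claims, problems = decode_claims(token), []
    if claims.get("appid", "").lower() != app_id.lower():
        problems.append("appid does not match the Application ID on the systemuser form")
    if claims.get("aud", "").rstrip("/").lower() != resource_url.rstrip("/").lower():
        problems.append("aud does not match the Dynamics 365 instance URL")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for this offline demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed placeholder values, not real identifiers.
APP_ID = "00000000-0000-0000-0000-000000000001"
ORG_URL = "https://contoso.crm.dynamics.com"

if __name__ == "__main__":
    good = make_sample_token({"appid": APP_ID, "aud": ORG_URL + "/"})
    wrong = make_sample_token({"appid": "00000000-0000-0000-0000-000000000002", "aud": ORG_URL})
    print(diagnose(good, APP_ID, ORG_URL))
    print(diagnose(wrong, APP_ID, ORG_URL))
```

Treat a real access token like the secret itself: decode it locally and do not paste it into online decoders or tickets.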
<<EDIT>> Since November 2017 the comments below are no longer valid, due to a fix in Dynamics 365 core.
Unfortunately, Application ID URI is read-only, but it is required to complete our goal. There is a workaround: you can update it programmatically.
- Fetch the systemUser entry by domainname (the technical user's email)
- Update the applicationIdUri attribute of the fetched systemUser entry with the APP ID URI (#2 on picture above) obtained from the Azure AD Application - MyDynamicsApp
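using System.Linq;                // ElementAt
using Microsoft.Xrm.Sdk.Client;   // OrganizationServiceProxy
using Microsoft.Xrm.Sdk.Query;    // QueryExpression, ColumnSet, ConditionExpression
QueryExpression query = new QueryExpression("systemuser")
{
    ColumnSet = new ColumnSet("domainname", "applicationiduri", "systemuserid")
};
query.Criteria.AddCondition(new ConditionExpression("domainname", ConditionOperator.Equal, "[replace with CRM Technical User email address]"));
OrganizationServiceProxy proxy; //TODO: instantiate the variable
var records = proxy.RetrieveMultiple(query);
if (records.Entities.Count == 1) // update only when exactly one user matches
{
    var entity = records.Entities.ElementAt(0);
    entity.Attributes["applicationiduri"] = "[replace with APP ID URI (2) from the picture above]";
    proxy.Update(entity); // persist the changed attribute
}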
Now you should be able to call Dynamics CRM over the Web API.