If you want to call Dynamics CRM over the Web API, you have to bind Dynamics CRM to an Azure AD Application.
To use Dynamics CRM from an Azure Logic App with Azure AD authentication (OAuth), you need to create an Azure AD Application (Application Identity) and grant it sufficient permissions.
There is already a great guideline, however it covers the topic only partially.
Create Azure AD Application
You can find out how to create an Azure AD Application here. Let’s create an Application called MyDynamicsApp for reference.
You need to create a Key (secret). Don’t forget to copy the secret, because it is displayed only once, right after you create it; you will not be able to obtain the value again, regardless of your permissions.
Once you have created the Azure AD Application, you need to grant it permissions to the Dynamics CRM API: navigate to your recently created Azure AD Application, open Required Permissions, click the Add button and select Dynamics CRM from the API list.
Under DELEGATED PERMISSIONS, select the permission and click Save.
To avoid displaying the consent form while browsing to your Dynamics CRM instance, you can click the Grant Permissions button, which is visible when you navigate to Required Permissions.
Update CRM Technical User
To enable the systemuser in Dynamics CRM, navigate to Settings -> Security -> Users and select the technical user. Switch the form view to Application User.
Please note: if your Dynamics CRM instance is set to use Active Directory Federation Services (ADFS), you need to provision a user with an onmicrosoft.com domain.
Now you are ready to bind the technical user to the Azure Application Identity. Enter the Application ID of your MyDynamicsApp application and save.
Once you have entered the Azure Application ID in the Dynamics 365 SystemUser form, you should be able to connect over the Web API.
If you are still unauthorized, follow these steps:
- enter a different valid Application ID
- save systemuser
- enter the correct Application ID
- save systemuser
Your systemuser record will be updated with respective values obtained from Azure AD Application:
- Application ID URI
- Azure AD Object ID
Please ensure the above values exist in the Azure AD Application; in particular, Application ID URI must be equal to App ID URI.
<<EDIT>> Since November 2017 the comments below are no longer valid due to a fix in the Dynamics 365 core.
Unfortunately, Application ID URI is read-only but is required to complete our goal. There is a workaround: you can update it programmatically.
- Fetch the systemUser entry by domainname (the technical user's email)
- Update the applicationIdUri attribute of the fetched systemUser entry with the APP ID URI (#2 on picture above) obtained from the Azure AD Application - MyDynamicsApp
    // Namespaces needed: System.Linq, Microsoft.Xrm.Sdk.Client, Microsoft.Xrm.Sdk.Query
    // Look up the technical user by its domainname (email)
    QueryExpression query = new QueryExpression("systemuser")
    {
        ColumnSet = new ColumnSet("domainname", "applicationiduri", "systemuserid")
    };
    query.Criteria.AddCondition(new ConditionExpression("domainname", ConditionOperator.Equal, "[replace with CRM Technical User email address]"));
    OrganizationServiceProxy proxy = null; //TODO: instantiate the variable
    var records = proxy.RetrieveMultiple(query);
    if (records.Entities.Count == 1)
    {
        var entity = records.Entities.ElementAt(0);
        entity.Attributes["applicationiduri"] = "[replace with APP ID URI (2) from the picture above]";
        proxy.Update(entity); // save the change; setting the attribute alone does not persist it
    }
Now you should be able to call Dynamics CRM over the Web API.
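For the still-unauthorized case described above, one check before re-saving the systemuser is to decode the access token and compare its claims with the Application ID bound to the technical user and with the CRM instance URL. This is an added example, not code from the original post; it assumes an Azure AD v1 access token carrying `appid`, `aud` and `exp` claims, and the Application ID, instance URL and sample tokens are constructed placeholders.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use; not a real Azure AD token."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature.
    For diagnostics only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token: str, app_id: str, crm_url: str, now: float = None) -> list:
    """Return the reasons a Web API call with this token is likely to be rejected."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    # Assumption: the application user is matched on the token's appid claim
    if str(claims.get("appid", "")).lower() != app_id.lower():
        problems.append("appid does not match the Application ID saved on the systemuser")
    # Assumption: the token must be issued for the CRM instance URL (trailing slash ignored)
    if str(claims.get("aud", "")).rstrip("/").lower() != crm_url.rstrip("/").lower():
        problems.append("aud is not the Dynamics CRM instance URL")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

# Constructed placeholder values, not taken from the original post
APP_ID = "00000000-0000-0000-0000-000000000001"
CRM_URL = "https://contoso.crm.dynamics.com"
good = make_sample_token({"appid": APP_ID, "aud": CRM_URL + "/", "exp": 2000})
stale = make_sample_token({"appid": "00000000-0000-0000-0000-000000000002",
                           "aud": "https://graph.windows.net", "exp": 1000})

if __name__ == "__main__":
    print(diagnose(good, APP_ID, CRM_URL, now=1500))
    print(diagnose(stale, APP_ID, CRM_URL, now=1500))
```

An empty list means the token itself looks right, so the remaining suspect is the systemuser record rather than the Azure AD Application.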