Before you can call REST APIs to perform specific tasks programmatically in Dynamics 365 for Finance and Operations (hereafter D365FO), the application needs to be able to verify that the calling code comes from a trusted source.

By far the most common deployment to date is the Azure cloud deployment of D365FO, although there is the occasional on-premise deployment as well. This blog should get you past the hurdle of obtaining the authentication token needed to run REST APIs.

 

Client credentials grant flow method

This is specified by Microsoft here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#client-credentials-grant-flow-diagram

 

The steps are:

  1. The client application authenticates to the Azure AD token issuance endpoint and requests an access token.
  2. The Azure AD token issuance endpoint issues the access token.
  3. The access token is used to authenticate to the secured resource.
  4. Data from the secured resource is returned to the client application.

 

Getting the necessary Application ID, Client Key and other information.

Before being able to authenticate, you will need some information.  

 

Azure On-Cloud deployment

 For Azure deployments, the steps are:

  1. Register an App

More detail here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad

And here:

https://docs.microsoft.com/en-us/dynamics365/unified-operations/supply-chain/warehousing/install-configure-warehousing-app#create-a-web-service-application-in-azure-active-directory

  2. Give the app all Dynamics ERP permissions

  3. Get the following details

a. Token Endpoint

b. Client ID

c. Display name

d. Client Secret

e. D365FO Base URL – the URL that you use to access the homepage of the D365FO application

On-Premise deployment

You need the following from your D365FO administrator:

  1. AuthTokenEndPoint – Also known as the URI – It is usually the Tenant ID with ‘/oauth2/token’ appended to it.
  2. Client (App) ID
  3. Client Key
  4. D365FO Base URL – the URL that you use to access the homepage of the D365FO application. Usually ends with ‘/AXSF’
  5. Resource – Also the redirect uri – it is the D365FO Base URL without the ‘/namespaces/AXSF/’ at the end
  6. Tenant ID – Usually ends with ‘ADFS’

 

PowerShell script

The PowerShell scripts for both deployment types are largely similar except for the following:

| Azure cloud deployment | On-premise deployment |
| --- | --- |
| Resource not required | Resource required |
| Tenant_ID not required | Tenant_ID required |
| Scope is required | Scope not required |

 

Azure cloud deployment

param
(
    [string] $oAuthTokenEndpoint = 'https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/oauth2/token',
    [string] $appName = 'XXX',
    [string] $appId = 'xxxxxxx',
    [string] $appKey = 'xxxxxxxx',
    [string] $d365BaseUrl = 'https://xxxxxxxx.operations.dynamics.com'
)

# Token Authorization URI
$uri = "$($oAuthTokenEndpoint)?api-version=1.0"

# Access Token Body
$formData = 
@{
    client_id = $appId;
    client_secret = $appKey;
    scope = "$($appName)/.default";
    grant_type = 'client_credentials';
}

# Parameters for Access Token call
$params = 
@{
    URI = $uri
    Method = 'Post'
    ContentType = 'application/x-www-form-urlencoded'
    Body = $formData
}

$response = Invoke-RestMethod @params -ErrorAction Stop
Write-Output $response.access_token

On-premise deployment

param
(
    [string] $oAuthTokenEndpoint = 'https://adfs.xxxxxxx.com/adfs/oauth2/token', 
    [string] $appName = 'ActionAnalytics',
    [string] $appId = 'xxxxxxxxx',
    [string] $appKey = 'xxxxxxxxxxxx',
    [string] $d365BaseUrl = 'https://xxx.xxxxxxx.xxxxxxxxxxxxxxxxx.com/namespaces/AXSF',
    [string] $resource = 'https://xxx.xxxxxxx.xxxxxxxxxxxxxxxxxx.com',
    [string] $tenantid = 'https://xxx.xxxxxxxxxxxxxxxxxxxx.com/adfs'
    
)

# Token Authorization URI
$uri = "$($oAuthTokenEndpoint)?api-version=1.0"

# Access Token Body
$formData = 
@{
    client_id = $appId;
    client_secret = $appKey;
    grant_type = 'client_credentials';
    resource = $resource;
    tenant_id = $tenantid;
}

# Parameters for Access Token call
$params = 
@{
    URI = $uri
    Method = 'Post'
    ContentType = 'application/x-www-form-urlencoded'
    Body = $formData
}

$response = Invoke-RestMethod @params -ErrorAction Stop
Write-Output $response.access_token

In the case of an on-premise deployment, please note that you may have to install the SSL certificate on the PC running the PowerShell script so that the script can find the trusted certificate.
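
Steps 3 and 4 of the flow use the token that the scripts above print. The following is an added example, not part of the original post, that decodes the token's claims and checks audience and expiry before the token is sent as a Bearer header. The function names, the example.com URL and the unsigned sample token are constructed for illustration, and the expected audience value is an assumption you supply.

```powershell
# Added example: inspect an access token's claims before using it.
# The signature is not verified here; the D365FO server does that.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are unpadded base64url; convert to standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length in token payload' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-D365Token {
    param(
        [Parameter(Mandatory)][string] $Token,
        # Assumption: the audience you expect, e.g. the Resource / D365FO base URL.
        [Parameter(Mandatory)][string] $ExpectedAudience
    )
    $claims = Get-JwtClaims -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        Audience   = $claims.aud
        # Exact match: a trailing-slash difference counts as a mismatch.
        AudienceOk = [string]$claims.aud -eq $ExpectedAudience
        NotExpired = [long]$claims.exp -gt $now
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token so the block runs offline.
$enc = {
    param($Object)
    $bytes = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$sample = '{0}.{1}.sig' -f (& $enc @{ alg = 'none' }), (& $enc @{ aud = 'https://d365.example.com'; exp = $exp })
Test-D365Token -Token $sample -ExpectedAudience 'https://d365.example.com'

# With a real token from either script above (the audience value is an assumption):
#   $check = Test-D365Token -Token $response.access_token -ExpectedAudience $resource
#   if ($check.AudienceOk -and $check.NotExpired) {
#       $headers = @{ Authorization = "Bearer $($response.access_token)" }
#   }
```

If AudienceOk is false, compare the Audience value against the Resource or Scope you requested before retrying the API call.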

 

 
