Azure AD Conditional Access and Application Users / Service Principal in Dynamics 365

Through Azure AD Conditional Access, we can define and enforce policies regarding access to its cloud resources.

• Block access to Dynamics 365 by device platform
• Block access to Dynamics 365 by location.

Users who do not comply or are blocked with the conditional access policies defined will get the below error message after login.

The Conditional Access works seamlessly for user accounts.

However, Conditional Access doesn’t apply for the Application users (Azure AD Apps / Service Principals in Azure AD) accessing Dynamics 365 / Dataverse Web API.

Say e.g. we have the following policy defined, which applies to all users on the Common Data Service app.

Blocking access from any location or device platform.

Now if a user tries to access Dynamics 365 App, after login he gets the below message.

Now we have the following application user registered which has appropriate security roles assigned.

Now if we try to consume CRM / DataVerse Web API through the application user – client credentials, we can see it working without any exception

If we check the Microsoft Docs, it mentions all user accounts but not service principals.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/faqs#does-a-conditional-access-policy-apply-to-service-accounts

Check the below link as well

https://stackoverflow.com/questions/51344114/is-azure-ad-conditional-access-supported-for-dynamics-365-web-services

https://docs.microsoft.com/en-us/answers/questions/119765/app-registrations-and-conditional-access.html

In case if we are using the ROPC (Resource Owner Password Credential) grant type, we will get the below exception there as we are using an user account (UserPasswordCredential)

More on consuming Dataverse / Dynamics 365 Web API

https://nishantrana.me/2021/01/06/sample-code-dynamics-365-web-api-organization-service/

Hope it helps..