Azure AD Conditional Access and Application Users / Service Principal in Dynamics 365


Through Azure AD Conditional Access, we can define and enforce policies that govern access to the tenant's cloud resources.

Users who do not comply with the defined Conditional Access policies, or who are blocked by them, get the error message below after login.

The Conditional Access works seamlessly for user accounts.

However, Conditional Access doesn't apply to Application users (Azure AD Apps / Service Principals in Azure AD) accessing the Dynamics 365 / Dataverse Web API.

Say, for example, we have the following policy defined, which applies to all users of the Common Data Service app:

It blocks access from any location or device platform.

Now if a user tries to access the Dynamics 365 app, they get the message below after login.

Next, we have the following application user registered, with the appropriate security roles assigned.

Now if we consume the CRM / Dataverse Web API through the application user (client credentials grant), we can see it working without any exception, even though the policy above blocks all users of the app.

If we check the Microsoft Docs, they state that the policies apply to all user accounts but not to service principals.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/faqs#does-a-conditional-access-policy-apply-to-service-accounts

Check the links below as well:

https://stackoverflow.com/questions/51344114/is-azure-ad-conditional-access-supported-for-dynamics-365-web-services

https://docs.microsoft.com/en-us/answers/questions/119765/app-registrations-and-conditional-access.html

If we use the ROPC (Resource Owner Password Credentials) grant type instead, we get the exception below, because a user account (UserPasswordCredential) is now signing in and the policy applies to it.
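To make the difference between the two flows concrete, here is an added example (not code from the original post) that builds the two token requests the post contrasts and checks a token-endpoint error response for a Conditional Access block. The tenant id, client id and organization URL are constructed placeholders; the AADSTS53003 error code is Azure AD's "blocked by Conditional Access" code.

```python
"""Added example: client-credentials vs ROPC token requests for Dataverse,
plus detection of a Conditional Access block in the token response."""
import json
from urllib.parse import urlencode

# Constructed placeholder values; replace with your tenant, app registration and org URL.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
DATAVERSE_URL = "https://contoso.crm.dynamics.com"  # hypothetical org
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def client_credentials_request(client_secret: str) -> dict:
    """Application user (service principal) flow: no user signs in, so the
    user-scoped Conditional Access policy from the post is not evaluated."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": f"{DATAVERSE_URL}/.default",
    }


def ropc_request(username: str, password: str) -> dict:
    """ROPC flow: a user account signs in, so the user policy applies."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
        "scope": f"{DATAVERSE_URL}/.default",
    }


def user_conditional_access_applies(body: dict) -> bool:
    """Mirrors the post's observation: only sign-ins that involve a user
    identity are subject to the user-scoped Conditional Access policy."""
    return body["grant_type"] != "client_credentials"


def encode_body(body: dict) -> str:
    """Form-encode a request body for POST to TOKEN_ENDPOINT."""
    return urlencode(body)


def blocked_by_conditional_access(response_json: str) -> bool:
    """True when a token-endpoint error response reports AADSTS53003."""
    try:
        resp = json.loads(response_json)
    except json.JSONDecodeError:
        return False
    return 53003 in resp.get("error_codes", []) or \
        "AADSTS53003" in resp.get("error_description", "")
```

The `user_conditional_access_applies` flag only encodes the behaviour the post observed for user-scoped policies; Azure AD has since added separate Conditional Access policies for workload identities (service principals), which this example does not model.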

More on consuming the Dataverse / Dynamics 365 Web API:

https://nishantrana.me/2021/01/06/sample-code-dynamics-365-web-api-organization-service/

Hope it helps.

Author: Nishant Rana

I love working in and sharing everything about Microsoft.NET technology!
