In the last post we learned about connecting to Dynamics 365 Web API using Resource Owner Password Credential (ROPC), here we’d be covering the Client Credentials grant.
Client Credentials grant is designed for the client applications who are the resource owner and when basically there are no users involved, a batch (cron) job or a service using Web API, running in the background, on the server is one such example.
Here we will not be using the authorization endpoint, and the client application will be sending its own credential, instead of impersonating a user, directly to the token endpoint. The benefit compared to basic authentication or API keys is that credentials are not being sent with every request, it is only sent while requesting the access tokens along with all the other benefits of using access token – stateless, fine-grained access control, access token lifetime etc.
Let us see an example of using the Client Credentials grant in our console application. Along with the Client Id that we got when we registered our client application in the Azure Active Directory, we would need the Client Secret.
Follow the below steps to generate the Client Secret
Login to Azure Admin Portal
Select the application registered and click on Certificates & secrets option
Click on New client secret button to generate the client secret. Copy the generated client secret. Select the expiry as per the need.
Copy the secret generated and save it, as it won’t be available later when we are navigating here.
Also, we can get the Authentication Token Endpoint, for that navigate to Overview à Endpoints
And copy the OAuth 2.0 token endpoint.
Next step is to create the Application User within Dynamics 365 CE corresponding to the client application.
Login to Dynamics 365 CE, Settings à Security à Users àset View as Application Users and click on New button
Set Application Id as the Client Id of the Application registered and specify other mandatory values and save the record.
Assign appropriate security role to the new application user added.
Sample C# Code à
static void Main(string args)
// Dynamics CRM Online Instance URL
string resource = "https://bankfabdemo.crm.dynamics.com";
// client id and client secret of the application
ClientCredential clientCrendential = new ClientCredential("eb17e844-adfc-4757-ba6d-5384108e184a",
// Authenticate the registered application with Azure Active Directory.
AuthenticationContext authContext =
AuthenticationResult authResult = authContext.AcquireToken(resource, clientCrendential);
var accessToken = authResult.AccessToken;
// use HttpClient to call the Web API
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
httpClient.BaseAddress = new Uri("https://bankfabdemo.crm.dynamics.com/api/data/v9.0/");
var response = httpClient.GetAsync("WhoAmI").Result;
var userDetails = response.Content.ReadAsStringAsync().Result;
Within Fiddler à
Within Postman à
Hope it helps..