azureodatadynamics-365-operationsdynamics-ax7

User unauthorized though the token is correct


I'm trying to integrate D365FO with a third party application, I was able to do the proper setup and register my app, fetch the Token as shown below:

enter image description here

I used the resource as the link for D365FO at the development machine, which is https://usnconeboxax1aos.cloud.onebox.dynamics.com/ and read the D365FO data as shown below:

enter image description here

I want to change the login method, so I do login on behalf of the user, using the password, so I Disabled the security details at Azure (based on this), as below:

enter image description here

And got the token of the logged user successful as below:

enter image description here

enter image description here

But once I tried fetching the same data which I was able to fetch before, I got 401 unauthorized, though I'm logging in using the Admin account:

enter image description here


Solution

  • The error 401 Unauthorized usually occurs if you make calls to the resource with invalid audience.

    When you generate the access token with scope as user.read openid profile offline_access, audience will be Microsoft Graph that won't work with D365FO.

    I tried to reproduce the same in my environment via Postman and got below results:

    I registered one Azure AD application and added same API permissions like below:

    enter image description here

    Now I generated tokens with grant type as password by including same parameters as you like below:

    POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
    
    client_id: <appID>
    client_secret: <secret>
    scope: user.read openid profile offline_access
    grant_type: password
    username: admin@xxxxxxxxx.onmicrosoft.com
    password: xxxxxxxxxxx
    

    Response:

    enter image description here

    You can decode the above access token by pasting it in jwt.ms to check the audience.

    When I decoded the access token, I got aud claim as 00000003-0000-0000-c000-000000000000 (i.e, Microsoft Graph) like below:

    enter image description here

    If you use this token to read D365FO data, you will get 401 Unauthorized error as audience is invalid.

    To resolve the error, you need to generate access token with resource value as base URL of your D365FO instance by making below changes:

    POST https://login.microsoftonline.com/organizations/oauth2/token
    
    client_id: <appID>
    client_secret: <secret>
    resource: <base URL of your D365FO instance without the trailing '/'>
    grant_type: password
    username: admin@xxxxxxxxx.onmicrosoft.com
    password: xxxxxxxxxxx
    

    In your case, value of resource parameter should be https://usnconeboxax1aos.cloud.onebox.dynamics.com

    This token will have audience same as your D365FO root URL. To confirm that, you can decode it in jwt.ms. If you use this token to read D365FO data, it will work!

    Reference:

    Test services by using third-party utilities - Finance & Operations | Dynamics 365 | Microsoft