I'm trying to integrate D365FO with a third-party application. I was able to do the proper setup, register my app, and fetch the token as shown below:
I used the resource as the link for D365FO on the development machine, which is https://usnconeboxax1aos.cloud.onebox.dynamics.com/
and read the D365FO data as shown below:
I want to change the login method so that I log in on behalf of the user using the password, so I disabled the security details in Azure (based on this), as below:
And got the token of the logged-in user successfully, as below:
But once I tried fetching the same data that I was able to fetch before, I got 401 Unauthorized, even though I'm logging in using the admin account:
The error 401 Unauthorized usually occurs if you make calls to the resource with an invalid audience.
When you generate the access token with scope as user.read openid profile offline_access, the audience will be Microsoft Graph, which won't work with D365FO.
I tried to reproduce the same in my environment via Postman and got the results below:
I registered one Azure AD application and added the same API permissions, as below:
Now I generated tokens with grant type as password by including the same parameters as you, like below:
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
client_id: <appID>
client_secret: <secret>
scope: user.read openid profile offline_access
grant_type: password
username: admin@xxxxxxxxx.onmicrosoft.com
password: xxxxxxxxxxx
Response:
You can decode the above access token by pasting it in jwt.ms to check the audience.
When I decoded the access token, I got the aud claim as 00000003-0000-0000-c000-000000000000 (i.e., Microsoft Graph), like below:
If you use this token to read D365FO data, you will get a 401 Unauthorized error as the audience is invalid.
To resolve the error, you need to generate an access token with the resource value as the base URL of your D365FO instance by making the changes below:
POST https://login.microsoftonline.com/organizations/oauth2/token
client_id: <appID>
client_secret: <secret>
resource: <base URL of your D365FO instance without the trailing '/'>
grant_type: password
username: admin@xxxxxxxxx.onmicrosoft.com
password: xxxxxxxxxxx
In your case, the value of the resource parameter should be https://usnconeboxax1aos.cloud.onebox.dynamics.com
This token will have the same audience as your D365FO root URL. To confirm that, you can decode it in jwt.ms. If you use this token to read D365FO data, it will work!
Reference:
Test services by using third-party utilities - Finance & Operations | Dynamics 365 | Microsoft
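As an added illustration (not code from the question or the answer), this Python snippet builds the v1 password-grant body with the resource parameter and inspects a token's aud claim the way jwt.ms does, so a Graph-audience token can be told apart from one issued for the D365FO instance before the OData call is made. The sample tokens are constructed and unsigned, the credentials are placeholders, and tolerating a trailing '/' in aud is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # aud of a Microsoft Graph token


def build_token_request(app_id, secret, resource, username, password):
    """Form body for the v1 password grant (oauth2/token). It sends 'resource',
    not 'scope', so the audience becomes the D365FO instance, not Graph."""
    if resource.endswith("/"):
        raise ValueError("resource must be the base URL without the trailing '/'")
    return urlencode({"client_id": app_id, "client_secret": secret,
                      "resource": resource, "grant_type": "password",
                      "username": username, "password": password})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (what jwt.ms shows).
    Inspection only: the resource server, not the client, validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_problem(token, resource):
    """Return None when aud matches the D365FO resource, otherwise the reason
    for the 401 the answer describes. Trailing '/' is tolerated (assumption)."""
    aud = jwt_claims(token).get("aud")
    if aud == GRAPH_APP_ID:
        return "aud is Microsoft Graph: token was requested with scope, not resource"
    if aud not in (resource, resource + "/"):
        return f"aud {aud!r} does not match resource {resource!r}"
    return None


def _fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    d365 = "https://usnconeboxax1aos.cloud.onebox.dynamics.com"
    for tok in (_fake_jwt({"aud": GRAPH_APP_ID}), _fake_jwt({"aud": d365})):
        print(audience_problem(tok, d365) or "aud OK, safe to call the OData endpoint")
```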