MSAL Allowed access to Dynamics CRM SystemUsers table

Question

The end goal is to have a python script run at a scheduled time and export our Dynamics 365 CRM systemusers table. This is part of building a data warehouse for the company and a learning endeavor for myself. I am aware that there are other approaches, but am hoping that someone here can help cut through the documentation to confirm my reading.

I believe the documentation is referring to this as a daemon application.

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-daemon-app-configuration?tabs=idweb

My issue is that when I connect with the MSAL library from my script as a 'ConfidentialClientApplication' the resulting app is not able to query the CRM systemuers table. If I use the same 'Azure app' but if I create a 'PublicClientApplication'. I am able to access the CRM systemusers table.

I believe that for my App Registration, I need to have 'user_impersonation' permission for Dynamics CRM and this can only be granted as a 'delegated' permission, which the daemon application 'can't use'?

Output from my script

environmenturi = 'https://

Answer 1

Hi @John Nickell

In a confidential client app, you are requesting a token with an audience of Graph API instead of Dynamics CRM Web API, which will throw a 401 Unauthorized error. Try changing the "scope" to "https://<ourdomain>.crm.dynamics.com/.default".

However, I noticed that Azure AD does not provide any application permissions for the Dynamics CRM Web API, so it might not support daemons yet. I suggest you retry after changing the "scope" to check the result.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.