MSAL Allowed access to Dynamics CRM SystemUsers table

John Nickell 61 Reputation points
2025-01-15T21:51:37.7+00:00

The end goal is to have a python script run at a scheduled time and export our Dynamics 365 CRM systemusers table. This is part of building a data warehouse for the company and a learning endeavor for myself. I am aware that there are other approaches, but am hoping that someone here can help cut through the documentation to confirm my reading.

I believe the documentation is referring to this as a daemon application.

https://learn.microsoft.com/en-us/entra/identity-platform/scenario-daemon-app-configuration?tabs=idweb

My issue is that when I connect with the MSAL library from my script as a 'ConfidentialClientApplication', the resulting app is not able to query the CRM systemusers table. If I use the same 'Azure app' but create a 'PublicClientApplication', I am able to access the CRM systemusers table.

I believe that for my App Registration, I need to have 'user_impersonation' permission for Dynamics CRM and this can only be granted as a 'delegated' permission, which the daemon application 'can't use'?

Output from my script

environmentURI = 'https://<ourdomain>.crm.dynamics.com/'

request_uri = f'{environmentURI}api/data/v9.2/systemusers'

... after composing a requests session

r = session.get(request_uri)

r.status_code = 200

I can then get r.json() and have the iterable system users table.


When I compose an msal.ConfidentialClientApplication() with the scope of "scope": [ "https://graph.microsoft.com/.default"]

the result after acquiring a token for the application is a 401 / Unauthorized.

What am I missing? Is it possible to do this?


Accepted answer
  1. CarlZhao-MSFT 44,851 Reputation points
    2025-01-16T10:57:31.87+00:00

    Hi @John Nickell

    In a confidential client app, you are requesting a token with an audience of Graph API instead of Dynamics CRM Web API, which will throw a 401 Unauthorized error. Try changing the "scope" to "https://<ourdomain>.crm.dynamics.com/.default".

    However, I noticed that Azure AD does not provide any application permissions for the Dynamics CRM Web API, so it might not support daemons yet. I suggest you retry after changing the "scope" to check the result.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.
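
The audience mismatch described in the accepted answer can be checked in the script before the Web API is called. This is an added example, not code from the question or the answer: it derives the `.default` scope from the environment URL and reads the token's `aud` claim without verifying the signature (diagnostic use only). The helper names, the unsigned sample-token builder and the trailing-slash/case normalisation of `aud` are assumptions made for the example.

```python
import base64
import json
from urllib.parse import urlsplit


def default_scope(environment_uri: str) -> str:
    """Build the '<resource>/.default' scope for a Dynamics environment URL."""
    parts = urlsplit(environment_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https environment URL, got {environment_uri!r}")
    return f"https://{parts.hostname}/.default"


def token_audience(access_token: str) -> str:
    """Read the 'aud' claim of a JWT. Diagnostic only: the signature is NOT verified."""
    try:
        payload = access_token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64 padding
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a decodable JWT") from exc
    return str(claims.get("aud", ""))


def audience_matches(access_token: str, environment_uri: str) -> bool:
    """True when the token was issued for the API hosted at environment_uri."""
    aud = token_audience(access_token).rstrip("/").lower()  # assumed normalisation
    return aud == f"https://{urlsplit(environment_uri).hostname}"


def constructed_token(aud: str) -> str:
    """Unsigned sample JWT, constructed for this example, with only an 'aud' claim."""
    body = base64.urlsafe_b64encode(json.dumps({"aud": aud}).encode())
    return f"e30.{body.rstrip(b'=').decode()}.sig"


def acquire_app_token(tenant_id, client_id, client_secret, environment_uri):
    """Client-credentials request via MSAL that rejects a token minted for another API."""
    import msal  # imported lazily so the helpers above work without MSAL installed
    app = msal.ConfidentialClientApplication(
        client_id, client_credential=client_secret,
        authority=f"https://login.microsoftonline.com/{tenant_id}")
    result = app.acquire_token_for_client(scopes=[default_scope(environment_uri)])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "token request failed"))
    if not audience_matches(result["access_token"], environment_uri):
        raise RuntimeError("token audience does not match the Dynamics environment")
    return result["access_token"]
```

A token requested with the Graph scope fails `audience_matches` for the Dynamics environment, which is the condition that produces the 401 in the question.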
