Use connection strings in XRM tooling to connect to Microsoft Dataverse

With Dataverse, XRM tooling enables you to connect to your Dataverse environment by using connection strings. This is similar to the concept of connection strings used with SQL Server. Connection strings have native support in configuration files, including the ability to encrypt the configuration sections for maximum security. This enables you to configure Dataverse connections at deployment time, and not hard code in your application to connect to your Dataverse environment.

Read the following important information about using a connection string in application code.

Important

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this article requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

Create a connection string

You specify the connection string in the app.config or web.config file for your project, as shown in the following example.

<connectionStrings>  
    <add name="MyCDSServer" connectionString="AuthType=OAuth;Username=jsmith@contoso.onmicrosoft.com;Password=passcode;Url=https://contosotest.crm.dynamics.com;AppId=51f81489-12ee-4a9e-aaae-a2591f45987d;RedirectUri=app://58145B91-0C36-4500-8554-080854F2AC97;TokenCacheStorePath=c:\MyTokenCache;LoginPrompt=Auto"/>
</connectionStrings>  

Important

If you add any sensitive information to the app.config or web.config file, for example an account password, be sure to take appropriate security precautions to protect the information.

After creating the connection string, you use it to create a CrmServiceClient object.

//Use the connection string named "MyCDSServer"  
//from the configuration file  
CrmServiceClient svc = new CrmServiceClient(ConnectionString);  

Alternately, you could use the ServiceClient class.

ServiceClient svc = new ServiceClient(ConnectionString);  

Note

You'll have to use the following using directive in your code to reference the System.Configuration namespace to access the connection string in your code: using System.Configuration;

After creating a service client object, you can use the object to perform actions in Dataverse. More information: Use XRM Tooling to execute actions in Dataverse

Connection string parameters

The connection string contains a series of name=value pair separated by semi colons. The following table lists supported parameters, which can be entered in any order.

Parameter name Description
ServiceUri, Service Uri, Url, or Server Specifies the URL to the Dataverse environment. The URL can use http or https protocol, and the port is optional. The default port is 80 for the http protocol and 443 for the https protocol. The server URL is typically in the format https://<organization-name>.crm.dynamics.com

The organization-name is required.
UserName, User Name, UserId, or User Id Specifies the user's identification name associated with the credentials.
Password Specifies the password for the user name associated with the credentials.
HomeRealmUri or Home Realm Uri Specifies the Home Realm Uri.
AuthenticationType or AuthType Specifies the authentication type to connect to Dataverse environment. Valid values are: AD, IFD (AD FS enabled), OAuth, Certificate, ClientSecret, or Office365. However, only OAuth, Certificate, ClientSecret and Office365 are permitted values for Dataverse environments.

NOTE: Office365 authentication type is deprecated, and we recommend to use OAuth as the preferred authentication type. More information: What should I do to fix my application code if affected?
RequireNewInstance Specifies whether to reuse an existing connection if recalled while the connection is still active. If set to true, will force the system to create a unique connection. If set to false the existing connection can be reused.
ClientId, AppId or ApplicationId Specifies the ClientID assigned when you registered your application in Microsoft Entra ID or Active Directory Federation Services (AD FS).
ClientSecret or Secret Required when Auth Type is set to ClientSecret. Client Secret string to use for authentication.
RedirectUri or ReplyUrl Specifies the redirect URI of the application you registered in Microsoft Entra ID or Active Directory Federation Services (AD FS).

This parameter is applicable only when the authentication type is specified as OAuth.
TokenCacheStorePath Specifies the full path to the location where the user token cache should be stored. The running process should have access to the specified path. It is the processes responsibility to set and configure this path.

This parameter is applicable only when the authentication type is specified as OAuth.
LoginPrompt Specifies whether the user is prompted for credentials if the credentials are not supplied. Valid values are:

- Always: Always prompts the user to specify credentials.
- Auto: Allows the user to select in the login control interface whether to display the prompt or not.
- Never: Does not prompt the user to specify credentials. If using a connection method does not have a user interface, you should use this value.

This parameter is applicable only when the authentication type is specified as OAuth.
StoreName or CertificateStoreName Specifies the store name where the certificate identified by thumbprint can be found. When set, Thumbprint is required.
Thumbprint or CertThumbprint Specifies the thumbprint of the certificate to be utilized during an S2S connection. When set, AppID is required and UserID and Password values are ignored.
Integrated Security Specifies to use current windows credentials to attempt to create a token for the instances. As of NuGet release Microsoft.CrmSdk.XrmTooling.CoreAssembly Version 9.1.0.21

Note

When using the OAuth AuthType\AuthenticationType
For development and prototyping purposes we have provided the following AppId or ClientId and Redirect URI for use in OAuth Flows.
For production use, you should create an AppId or ClientId that is specific to your tenant in the Azure Management portal.
Sample AppId or ClientId = 51f81489-12ee-4a9e-aaae-a2591f45987d
Sample RedirectUri = app://58145B91-0C36-4500-8554-080854F2AC97

Connection string examples

The following examples show how you can use connection strings for connecting to online deployments and authentication scenarios. The connection string examples for on-premises and IFD deployment instances is now available in the Dynamics 365 Customer Engagement (on-premises) documentation at: Use connection strings in XRM tooling to connect

Named account using Office365

Create a new connection to Dataverse using a UserName or Password via Office365.

Note

This AuthType is deprecated and we recommend to use OAuth as the preferred authentication type. More information: Authenticate using Office365

<add name="MyCDSServer" 
 connectionString="
  AuthType=Office365;
  Username=jsmith@contoso.onmicrosoft.com; 
  Password=passcode;
  Url=https://contoso.crm.dynamics.com"/>  

OAuth using named account in Microsoft 365 with UX to prompt for authentication

Create a new connection to Dataverse using a UserID or Password via OAuth.

Note

OAuth is the preferred auth type for connecting to Dataverse when using an interactive flow. This auth type fully supports the features of Microsoft Entra ID Conditional Access and Multi-Factor authentication.

<add name="MyCDSServer"
 connectionString="
  AuthType=OAuth;
  Username=jsmith@contoso.onmicrosoft.com;
  Password=passcode;
  Url=https://contosotest.crm.dynamics.com;
  AppId=51f81489-12ee-4a9e-aaae-a2591f45987d;
  RedirectUri=app://58145B91-0C36-4500-8554-080854F2AC97;
  TokenCacheStorePath=c:\MyTokenCache;
  LoginPrompt=Auto"/>  

OAuth using current logged in user with fall back UX to prompt for authentication

Create a new connection to Dataverse using the current logged in user via OAuth.

Note

OAuth is the preferred auth type for connecting to Dataverse when using a interactive flow. This auth type fully supports the features of Microsoft Entra ID Conditional Access and Multi-Factor authentication.

<add name="MyCDSServer"
 connectionString="
  AuthType=OAuth;
  Username=jsmith@contoso.onmicrosoft.com;
  Integrated Security=true;
  Url=https://contosotest.crm.dynamics.com;
  AppId=51f81489-12ee-4a9e-aaae-a2591f45987d;
  RedirectUri=app://58145B91-0C36-4500-8554-080854F2AC97;
  TokenCacheStorePath=c:\MyTokenCache\msal_cache.data;
  LoginPrompt=Auto"/>  

Certificate based authentication

Create a new connection to Dataverse using a Application or Client Id and a Certificate.

<add name="MyCDSServer" 
  connectionString="
  AuthType=Certificate;
  url=https://contosotest.crm.dynamics.com;
  thumbprint={CertThumbPrintId};
  ClientId={AppId};"
  />

ClientId or Client Secret based authentication

Create a new connection to Dataverse using a Application or Client Id and a Client Secret.

<add name="MyCDSServer" 
  connectionString="
  AuthType=ClientSecret;
  url=https://contosotest.crm.dynamics.com;
  ClientId={AppId};
  ClientSecret={ClientSecret}"
  />

Determine your connection status

To determine if the connection request was successful, check the value of the CrmServiceClient.IsReady property. If true, the connection is successful, and you are ready to work. Otherwise, check the values of the CrmServiceClient.LastCrmError and CrmServiceClient.LastCrmException properties for the cause of the connection failure.

See also

Build Windows client applications using the XRM tools
Use CrmServiceClient constructors to connect to Dataverse
Use XRM Tooling to execute actions in Dataverse
CrmServiceClient