Short Answer: No.
When you use the Dataverse application user pattern, you do not need to:
-
Add “Dynamics CRM” API permissions to your app registration, or
-
Click “Grant admin consent” in Entra ID (Azure AD).
Everything is governed by the Dataverse application user + security roles, not by Entra “API permissions”.
1. The Application User Pattern in Dataverse
For server-to-server integration with Dataverse, the recommended pattern is:
-
Create an app registration in Entra ID (Azure AD).
-
Create an application user in the Dataverse environment and link it to that app (clientId).
-
Assign security roles to that application user (e.g., a custom integration role or System Administrator in DEV).
That’s it.
You don’t need to configure Dynamics 365/Dataverse API permissions on the app registration itself.
Why? Because Dataverse treats the app registration as an identity, and then applies Dataverse security (roles, privileges) the same way it does for a normal user.
2. Why Your Token Works Without API Permissions
In code, you typically use MSAL like this (conceptually):
-
Authority: your tenant
-
Client credentials: clientId + clientSecret (or cert)
-
Scope:
When you call AcquireTokenForClient with the scope https://<org>.crm<x>.dynamics.com/.default, Entra:
-
Recognizes Dataverse as a first-party resource in the same tenant.
-
Issues an access token for that resource even if you did not pre-configure any “API permissions” for Dynamics CRM on the app registration.
When that token hits Dataverse, Dataverse checks:
-
Does this clientId match an application user in this environment?
-
What security roles does that application user have?
-
Does the role allow this operation (e.g., PATCH account, create contact, etc.)?
If yes, the request succeeds.
No Entra “admin consent” dialog is involved. The decision is made purely based on:
-
The application user record in Dataverse, and
-
The security roles assigned to it.
3. So What Is Admin Consent Actually For?
You care about app permissions + admin consent when you are accessing other APIs that use the standard “Application permissions” model, for example:
-
Microsoft Graph (e.g., reading users, mail, calendars, SharePoint, etc.).
-
Any custom API you expose and secure with app roles and consent.
-
Other Microsoft or third-party APIs that require explicit app permissions.
In those cases:
-
You add Application permissions (e.g.,
User.Read.All,Sites.Read.All) to the app registration. -
An admin clicks “Grant admin consent” so the tenant approves those permissions for the app.
-
Tokens for those APIs will then include the relevant permissions (roles/scopes).
For Dataverse, using the application user pattern:
-
You can leave API permissions empty on the app registration.
-
You do not need to grant admin consent for Dynamics CRM.
-
Access is controlled via Dataverse roles, not Graph-style app permissions.
4. Recommended Setup for Dataverse Integrations
When building a backend integration that only talks to Dataverse:
-
Create an app registration
-
Give it a name like
cisclio-dev-appor similar. -
Configure client secret or certificate.
-
No need to add “Dynamics CRM” API permissions.
-
-
Create an application user in Dataverse
-
Go to your environment → Settings → Users + permissions → Application users.
-
Add a new application user linked to the app registration.
-
Set a meaningful name (e.g., “CIS–Clio Integration (DEV)”).
-
-
Assign a security role
-
Use a custom role with only the privileges the integration needs (best practice).
-
For DEV you might temporarily use System Administrator to prove everything works, then tighten it down.
-
-
Use MSAL with client credentials
-
Acquire token using
AcquireTokenForClientand the Dataverse URL/.defaultscope. -
Call Dataverse Web API (
/api/data/v9.2/...) using that token.
-
-
Verify using Dataverse security, not Entra permissions
-
If something fails with
401/403, check the Dataverse role first. -
Only think about admin consent if you are also calling Graph or other APIs.
-
5. When You DO Need API Permissions + Admin Consent
You should configure API permissions and admin consent if:
-
Your integration also needs to call Microsoft Graph
-
Example: sync users, query groups, read SharePoint files, send emails via Graph.
-
-
You are calling other Microsoft APIs that rely on the app permission model.
-
You are building and securing your own custom API in Entra and want to control which apps can call it.
In those cases:
-
Add the relevant Application permissions on the app registration.
-
Have a tenant admin click Grant admin consent.
-
Keep this completely separate from the Dataverse application user logic.
6. Practical Checklist
Use this as a quick decision tree:
-
Is your code only calling Dataverse Web API with client credentials?
→ Use the Dataverse application user pattern.
→ No API permissions or admin consent required.
→ Control access via Dataverse security roles. -
Are you also calling Microsoft Graph or another external API?
→ Configure API permissions for those APIs.
→ Get admin consent.
→ Still use Dataverse application user pattern for Dataverse itself. -
Getting 403 from Dataverse?
→ Check the application user’s security roles in Dataverse, not Entra’s API permissions.
7. Summary
-
Dataverse application users do not rely on Entra “API permissions” for access control.
-
MSAL can acquire tokens for Dataverse using
https://<org>.crm<x>.dynamics.com/.defaulteven when the app registration has no Dynamics CRM permissions configured. -
Dataverse authorizes the call based solely on the application user record + its security roles.
-
You only need admin consent when calling Graph or other APIs that use the Application permissions model.
If you’re building a Dataverse-only backend integration, keep your app registration simple:
no Dynamics CRM API permissions, no admin consent – just an app registration, an application user, and the right Dataverse role.
No comments:
Post a Comment