
We are trying to connect to a custom Dynamics 365 Finance service operation but are struggling to authorize.

We've set up an app registration

  • Redirect_uri set to the dynamics url (root)
  • Enabled implicit grant (both for access tokens and ID tokens)
  • Single tenant
  • Assigned the "Dynamics ERP > CustomService.FullAccess" API permission
  • Assigned the "Dynamics ERP > Odata.FullAccess" API permission
  • Assigned "Dynamics ERP > Connector.FullAccess" API permission + granted admin consent for entire AD
  • Created a secret

We've added the Application (client ID) within the Dynamics 365 environment with a user which has the System Administrator role. We can successfully retrieve access tokens both via Postman and .NET (Microsoft.IdentityModel.Clients.ActiveDirectory). We tried to reach both https://xxxxxxdevaossoap.cloudax.dynamics.com and https://xxxxxxdevaos.cloudax.dynamics.com.

Yet when we call custom services, we get a 401 Unauthorized. A call to OData also fails for the same reason.

Alex Kwitny
Reinard
  • [Troubleshoot service authentication](https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/data-entities/troubleshoot-service-authentication) might contain some ideas. – FH-Inway Oct 24 '19 at 19:18
  • Are you missing the `tenant_id`? I haven't had to do this in a couple of years. Here's an article that might help: https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/data-entities/third-party-service-test I vaguely remember there being a `GUID` that you might need that you get from your endpoint permissions, but that might be needed for logic apps. – Alex Kwitny Oct 24 '19 at 21:10

1 Answer

Verify the resource in your request for the OAuth token (and check the token at https://jwt.io for the aud (Audience) field). It should be the same as your primary URL without a / at the end (like https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com).

Also verify that the Azure Active Directory applications (mi=SysAADClientTable) Client Id is equal to the appid field in the token (and contains no special characters).

You can always inspect the Windows Event Log Microsoft-Dynamics-AX-WebApi/Operational. There is good information there, like this:

```
Source:      Microsoft-Dynamics-AX-WebApi
Category:    WebApiOwinConfigurationMissingError
Level:       Error
Description: Web API Owin Authentication Configuration Missing Error
infoMessage: Can read the token but failed validating token with exception 
'IDX10214: Audience validation failed. 
Audiences: 'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com/'. 
Did not match:  validationParameters.
ValidAudience: 'null' or validationParameters.ValidAudiences:
 'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com,
 00000015-0000-0000-c000-000000000000,
 Microsoft.ERP'' 
```
Matej
    Thanks for the event log location. We found our problem in there. Ended up being related to sending it to "devaossoap" instead of "devaos". Although we tested both before, I guess we must've changed something else somewhere in the meantime. Thanks, man! – Reinard Oct 28 '19 at 15:32
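The two checks from the answer above (aud must exactly equal one of the valid audiences, and appid must equal the registered client id), as an added offline helper that is not part of the original post. The resource URL and valid-audience list are taken from the IDX10214 message in the event log; the client id and the tokens are constructed placeholders, and the decoder inspects claims only and does not verify the signature.

```python
import base64
import json

# Constructed values (not from the original post); the placeholder appid is arbitrary.
RESOURCE = "https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims for inspection; the signature is NOT verified here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_d365_token(token: str, resource: str, client_id: str) -> list:
    """Mirror the server-side checks: aud must match a valid audience exactly
    (a trailing slash is a mismatch, as in the IDX10214 log entry), and appid
    must equal the client id registered in SysAADClientTable."""
    claims = jwt_claims(token)
    # Valid audiences as listed in the event log message.
    valid = {resource, "00000015-0000-0000-c000-000000000000", "Microsoft.ERP"}
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    problems = []
    if not any(a in valid for a in auds):
        hint = " (trailing slash?)" if any(str(a).rstrip("/") in valid for a in auds) else ""
        problems.append(f"aud {auds!r} not in valid audiences{hint}")
    appid = str(claims.get("appid", ""))
    if appid.strip().lower() != client_id.lower():
        problems.append(f"appid {appid!r} does not match registered client id")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none token (empty signature) for offline checks only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    bad = make_unsigned_token({"aud": RESOURCE + "/", "appid": CLIENT_ID})
    good = make_unsigned_token({"aud": RESOURCE, "appid": CLIENT_ID})
    print(check_d365_token(bad, RESOURCE, CLIENT_ID))   # one aud problem, trailing slash hint
    print(check_d365_token(good, RESOURCE, CLIENT_ID))  # []
```

Paste a real access token in place of the constructed one to see which of the two checks the server-side validation is tripping on before digging through the event log.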