How to externally authenticate and consume data from Dynamics 365 CE Web API

There are 4 steps to authenticate and consume data from the D365 CE Web API in the cloud. In this scenario, we are going to use what is called the OAuth 2.0 Authorization Code Flow. It is one of the ways you can authenticate your calls. Authorization code flow is good because it’s hands-off. I will be using Postman to demonstrate these steps. The steps are:

  1. Authorize using password grant type.
  2. Get Token
  3. Use Refresh Token to get new Token (this will be used to get the token when it expires)
  4. Make a request to consume data

Step 1: Authorize using password grant type to get impersonation token.

Make a GET request to with the header “content-type” = “application/x-www-form-urlencoded”. See Figure 1.

Figure 1: Headers

The body will include the client_id, resource, username, grant_type, client_secret, and password (See Figure 2). You can get the client_id and client_secret from the Azure Active Directory from an app that is authorized to access PowerPlatform, CDS, or Dynamics. The grant_type will be password.

You will get the access_token and refresh_token in response to this call. Note that the token will expire in 3599 seconds, which is 1 hour. This is where the refresh token will come in.

Figure 2

Step 2: Get the Token

The next step is to use the access token to get access token to consume the data. Make a POST request to:[[TENANTID]]/oauth2/token.

Note: You can get the tenant ID from Azure AD or from the login url when you’re authenticating into Microsoft products.

Get the access token from the first call and put it into the authorization field in Postman with TYPE being Bearer token. This will create a header that’s “authorization” : “Bearer [token]”. See Figure 3

Figure 3

Header remains content-type: application/x-www-form-urlencoded. See Figure 4.

Figure 4

The body this time will have the client_id, client_secret, grant_type of client_credentials, resource (url of your instance) and your tenant_id.

FIgure 5

The response will include an access token you can use to consume data from your resource. This is different from the access_token we received earlier because the scope of that token was only user_impersonation. This token will also expire in 1 hour. In the next step we will see how to get a new token from the refresh token.

Figure 6

Step 3: Get a new token using the refresh token

At this point, you can consume data from the Web API using the access token from step 2, but it will expire in 1 hour and if you want to keep getting a new password every hour, you’ll have to hard code your password in step 1. We want to avoid putting our passwords in places so we will use the refresh token to get a new password before it expires in the allotted 1 hour.

So we make a POST request to[TENANTID]/oauth2/v2.0/token. The authorization type is bearer and we use the same access token from step 2. This will add a header “authorization”:”Bearer [token]” to the request. See figure 7.

Figure 7

The body includes client_id, resource, refresh_token, and secret (See figure 8). Note: we got the refresh token in step 1. Use this refresh token to get a new access token before it expires, and you won’t need to put step 1 in your code.

Figure 8

You will get a response with a new access token and refresh token with a 1-hour expiration time. No username or password required.

Figure 9

Step 4: Consume data

You can now continuously consume data from the web API using the access_token. Make a GET request to the resource you want. In my case, I will be pulling the top ten accounts. The authorization will be the Bearer Token (access_token from step 3). See figure 10.

Figure 10

You won’t need any specific headers besides the bearer token authorization which is being generated from the authorization above, but you can put in “content-type” of “application/json”, or other recommended OData headers if you want. Run the request and you’ll get your consumable data (See figure 11). You can also call actions or do CRUD operations with this token. Just make sure to refresh it before it expires.

Figure 11
Filed under: Blog

No comment yet, add your voice below!

Add a Comment

Your email address will not be published. Required fields are marked *

Comment *
Name *
Email *

This site uses Akismet to reduce spam. Learn how your comment data is processed.