Dynamics CRM daemon app with Client Assertion Certificate (Azure AD) gives 401

Question

I am working on an app where I need to keep talking to some of the Dynamics CRM APIs in background jobs (every several minutes to upload updated content).

Since ADAL authentication with user credentials (app permissions) use flawlessly with CRM APIs, I was under impression that I will get it working with Client Assertion Certificate Credentials as well.

Code looks something like this -

var certCred = new ClientAssertionCertificate(clientId, cert);
var result = await authContext.AcquireTokenAsync("https://<tenant_name>.crm4.dynamics.com/", certCred);

This works and I am able to get the access token. However since these are delegate permissions, I am not able to perform get authorized to access CRM WebAPIs.

I can obviously use service / daemon account to perform background tasks but I wanted to do it more in client assertion certificate way. Has anyone found the solution to scenarios like this? Does CRM WebAPI support delegate permissions?

Is there any other way to do it?

Answer 1

I want to clarify some concepts first. The client credential flow is used for acquiring the application permission instead of delegated permissions for the app. Normally, the OAuth 2.0 code grant flow is used to acquire the delegate permission.

From the description, it seems that you want to acquire the application permission through the client credential flow, however the token is invalidate to call the Dynamics CRM Web API. After the researching, I found this issue was raised several times however there is no answer.

Based on my understanding, the Dynamics CRM Web API seem doesn’t support the app-token(acquiring using client credential flow) because when you register the apps for this API on Azure, we are not able to check any permission/scope for the application level like figure below: