User unauthorized though the token is correct

Question

I'm trying to integrate D365FO with a third party application, I was able to do the proper setup and register my app, fetch the Token as shown below:

I used the resource as the link for D365FO at the development machine, which is https://usnconeboxax1aos.cloud.onebox.dynamics.com/ and read the D365FO data as shown below:

I want to change the login method, so I do login on behalf of the user, using the password, so I Disabled the security details at Azure (based on this), as below:

And got the token of the logged user successful as below:

But once I tried fetching the same data which I was able to fetch before, I got 401 unauthorized, though I'm logging in using the Admin account:

Have to do some research on this. If you have access, check https://www.yammer.com/dynamicsaxfeedbackprograms/threads/1977086491377664 where something similar along these lines is described. — FH-Inway, Jan 29 '23 at 18:07
@Hasan A Yousef, could you include the value of the **resource** parameter in the first request and your app's `API permissions` snapshot too? — Sridevi, Jan 30 '23 at 07:14
@Sridevi the `resource` used is the default link for D365FO at the development machine, which is `https://usnconeboxax1aos.cloud.onebox.dynamics.com/` — Hasan A Yousef, Jan 30 '23 at 11:57

score 2 · Accepted Answer · answered Jan 30 '23 at 12:09

The error 401 Unauthorized usually occurs if you make calls to the resource with invalid audience.

When you generate the access token with scope as user.read openid profile offline_access, audience will be Microsoft Graph that won't work with D365FO.

I tried to reproduce the same in my environment via Postman and got below results:

I registered one Azure AD application and added same API permissions like below:

enter image description here

Now I generated tokens with grant type as password by including same parameters as you like below:

POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token

client_id: <appID>
client_secret: <secret>
scope: user.read openid profile offline_access
grant_type: password
username: admin@xxxxxxxxx.onmicrosoft.com
password: xxxxxxxxxxx

Response:

enter image description here

You can decode the above access token by pasting it in jwt.ms to check the audience.

When I decoded the access token, I got aud claim as 00000003-0000-0000-c000-000000000000 (i.e, Microsoft Graph) like below:

enter image description here

If you use this token to read D365FO data, you will get 401 Unauthorized error as audience is invalid.

To resolve the error, you need to generate access token with resource value as base URL of your D365FO instance by making below changes:

POST https://login.microsoftonline.com/organizations/oauth2/token

client_id: <appID>
client_secret: <secret>
resource: <base URL of your D365FO instance without the trailing '/'>
grant_type: password
username: admin@xxxxxxxxx.onmicrosoft.com
password: xxxxxxxxxxx

In your case, value of resource parameter should be https://usnconeboxax1aos.cloud.onebox.dynamics.com

This token will have audience same as your D365FO root URL. To confirm that, you can decode it in jwt.ms. If you use this token to read D365FO data, it will work!

Reference:

Test services by using third-party utilities - Finance & Operations | Dynamics 365 | Microsoft

Thanks a lot, is the `client_secret` required, as I was to get the token without it! — Hasan A Yousef, Jan 30 '23 at 14:05
The `client_secret` is **not** required if you enabled the [Allow public client flows](https://i.imgur.com/GIzcmHt.png) option. — Sridevi, Jan 30 '23 at 14:40
Thanks, I switched off and it required the client_secret, deeply appreciate your support. — Hasan A Yousef, Jan 31 '23 at 05:10

User unauthorized though the token is correct

1 Answers1

Linked