Overview
When integrating an external system (such as a chatbot) with Dynamics 365, the integration typically relies on the Microsoft Dataverse Web API. Before any business logic can be built, you need four foundational building blocks:
- Entra App Registration (identity)
- Dataverse Application User (authorization within the environment)
- OAuth access token (authentication to call the API)
- A simple validation request (confirm everything works end-to-end)
The goal of this post is to keep the work scoped to enabling access and confirming connectivity, not the bot’s downstream implementation.
Phase 1 — Entra App Registration
Start by creating an application registration in Microsoft Entra ID. This provides a dedicated identity for the integration to authenticate against your tenant.
- Go to Entra Admin Center → App registrations → New registration
- Provide a meaningful Name
- Select the appropriate Supported account types for your scenario
- For development/testing, set a Redirect URI such as
http://localhost(if needed) - After registration, record the Application (client) ID and Directory (tenant) ID
API Permissions
Next, grant permissions so the app can access Dataverse via the Dynamics endpoint:
- Navigate to API permissions → Add a permission
- Select Dynamics CRM
- Add Delegated permissions →
user_impersonation
Client Secret
Create a client secret that your integration can use to request tokens:
- Certificates & secrets → New client secret
- Choose an expiration (keep in mind secret rotation for operational stability)
- Copy the secret value immediately and store it securely
Phase 2 — Create a Dataverse Application User
The app registration is only the identity in Entra. Dataverse still needs a corresponding Application User inside the environment so security roles can be applied.
- Open Power Platform admin center
- Select Environments → choose the target environment
- Go to Settings → Users + permissions → Application users
- Select + New app user
- Choose a Business unit, then select the app registration you created
- Assign appropriate Security roles
For initial validation, many teams temporarily assign a broad role to confirm connectivity. For production, prefer least-privilege roles aligned to the integration’s exact read/write needs.
Phase 3 — Generate an Access Token
With identity and authorization in place, the developer (or middleware service) can request an OAuth access token.
This token will be used as a Bearer token for Dataverse Web API requests.
Token Request (Client Credentials)
A common modern approach is the v2.0 token endpoint with a .default scope against your Dataverse org URL.
Below is a practical form-encoded request outline.
POST https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
client_id=<APPLICATION_CLIENT_ID>
client_secret=<CLIENT_SECRET_VALUE>
scope=https://<YOURORG>.crmX.dynamics.com/.default
A successful response returns JSON containing access_token, expires_in, and token_type.
You’ll use access_token as the authorization header for the API calls that follow.
Phase 4 — Validate Access with WhoAmI
Before building any real integration features, validate that:
- The token is valid
- The app user exists in the environment
- The assigned roles are effective
- The Dataverse API endpoint is reachable
The simplest, standard validation call is WhoAmI, which returns identifiers for the calling context.
GET https://<YOURORG>.crmX.dynamics.com/api/data/v9.0/WhoAmI()
Authorization: Bearer <ACCESS_TOKEN>
Accept: application/json
OData-Version: 4.0
OData-MaxVersion: 4.0
If everything is configured correctly, the response will include values such as UserId, BusinessUnitId,
and OrganizationId. At that point, the environment is ready for controlled API operations.
Key Takeaways
- App registration establishes the integration identity in Entra.
- Application user links that identity to Dataverse permissions and roles.
- Token acquisition enables authenticated API calls.
- WhoAmI is the fastest end-to-end test that confirms readiness.