Register an application in Microsoft Entra ID (Azure AD); note the Application (client) ID, Directory (tenant) ID, and create a client secret or upload a certificate for the app.
Grant the app access to Dataverse: in the Azure portal, add the Dynamics CRM API permission 'user_impersonation' (for delegated access), or configure the app as an Application User in the Power Platform Admin Center with a security role.
Create an Application User in the Dataverse environment: go to Power Platform Admin Center > Environment > Users > App Users, add the app registration, and assign an appropriate security role.
Use MSAL in your application to acquire a token: construct a ConfidentialClientApplication with the clientId, tenantId, and clientSecret; then call AcquireTokenForClient with scope ["https://<org>.crm.dynamics.com/.default"].
Include the returned access token in all Web API calls as an Authorization: Bearer <token> header; tokens are short-lived (typically 1 hour) — use MSAL's built-in token cache to avoid unnecessary re-authentication.
For multi-environment scenarios, parameterize the resource URL (https://<org>.crm.dynamics.com) and request a new token per environment since tokens are resource-scoped.
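The token steps above as an added Python example using MSAL for Python (not code from the original page): it builds the `/.default` scope from the environment URL, requests one token per environment, and attaches the bearer token only to requests whose host passes the check. Assumptions: the `DataverseTokens` class, the `dataverse_scope` helper and the `AZURE_*` environment variable names are hypothetical, and environments are taken to live under `*.dynamics.com` as in the page's examples.

```python
import os
from urllib.parse import urlsplit

def dataverse_scope(env_url: str) -> str:
    """Build the client-credentials scope: <resource URL>/.default."""
    parts = urlsplit(env_url)
    host = (parts.hostname or "").lower()
    # Assumption: only https hosts under *.dynamics.com are Dataverse environments.
    # Rejecting anything else keeps a bearer token from being sent to a lookalike host.
    if parts.scheme != "https" or not host.endswith(".dynamics.com"):
        raise ValueError(f"not a Dataverse environment URL: {env_url!r}")
    return f"https://{host}/.default"

class DataverseTokens:
    """One confidential client; one resource-scoped token per environment."""

    def __init__(self, tenant_id, client_id, client_secret, app=None):
        if app is None:
            import msal  # lazy import so dataverse_scope works without MSAL installed
            app = msal.ConfidentialClientApplication(
                client_id,
                client_credential=client_secret,
                authority=f"https://login.microsoftonline.com/{tenant_id}",
            )
        self._app = app

    def auth_header(self, request_url: str) -> dict:
        """Return the Authorization header for a Web API call to request_url."""
        scope = dataverse_scope(request_url)
        # MSAL answers from its token cache until the token is close to expiry.
        result = self._app.acquire_token_for_client(scopes=[scope])
        if "access_token" not in result:
            raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
        return {"Authorization": f"Bearer {result['access_token']}"}

if __name__ == "__main__":
    # Secret comes from the environment (assumed variable names), never from source.
    tokens = DataverseTokens(
        os.environ["AZURE_TENANT_ID"],
        os.environ["AZURE_CLIENT_ID"],
        os.environ["AZURE_CLIENT_SECRET"],
    )
    url = "https://contoso.crm.dynamics.com/api/data/v9.2/WhoAmI"
    print(sorted(tokens.auth_header(url)))  # header names only; the token is not printed
```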
Known gotchas
The scope for client credentials must use the /.default suffix on the Dataverse resource URL (e.g., https://contoso.crm.dynamics.com/.default) — using the Dynamics CRM app ID directly as the scope is the legacy approach and may not work for newer Entra configurations.
Client credentials (app-only) authentication does not impersonate a specific user; actions taken via this token are attributed to the Application User in Dataverse audit logs — ensure the Application User has an appropriate security role, not sysadmin, for least-privilege access.
If your Dataverse environment has Conditional Access policies or IP restrictions, the app registration must be exempted or the calling infrastructure must be in a compliant network range.