{"id":"752e30fc-cc26-4022-9c51-06cf7837147c","task":"Authenticate to Microsoft Dataverse using MSAL OAuth 2.0 client credentials flow","domain":"learn.microsoft.com","steps":["Register an application in Microsoft Entra ID (Azure AD); note the Application (client) ID, Directory (tenant) ID, and create a client secret or upload a certificate for the app.","Grant the app access to Dataverse: in the Azure portal, add the Dynamics CRM API permission 'user_impersonation' (for delegated) or configure the app as an Application User in Dataverse Power Platform Admin Center with a security role.","Create an Application User in the Dataverse environment: go to Power Platform Admin Center > Environment > Users > App Users, add the app registration, and assign an appropriate security role.","Use MSAL in your application to acquire a token: construct a ConfidentialClientApplication with the clientId, tenantId, and clientSecret; then call AcquireTokenForClient with scope [\"https://<org>.crm.dynamics.com/.default\"].","Include the returned access token in all Web API calls as an Authorization: Bearer <token> header; tokens are short-lived (typically 1 hour) — use MSAL's built-in token cache to avoid unnecessary re-authentication.","For multi-environment scenarios, parameterize the resource URL (https://<org>.crm.dynamics.com) and request a new token per environment since tokens are resource-scoped."],"gotchas":["The scope for client credentials must use the /.default suffix on the Dataverse resource URL (e.g., https://contoso.crm.dynamics.com/.default) — using the Dynamics CRM app ID directly as the scope is the legacy approach and may not work for newer Entra configurations.","Client credentials (app-only) authentication does not impersonate a specific user; actions taken via this token are attributed to the Application User in Dataverse audit logs — ensure the Application User has an appropriate security role, not sysadmin, for least-privilege access.","If your Dataverse environment has Conditional Access policies or IP restrictions, the app registration must be exempted or the calling infrastructure must be in a compliant network range."],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/752e30fc-cc26-4022-9c51-06cf7837147c"}