Impersonate another user

Applies to Dynamics 365 (online), version 9.x

Impersonation is used to execute business logic (code) on behalf of another Dynamics 365 Customer Engagement user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user. This is necessary because the Dynamics 365 Web services can be called by various clients and services on behalf of a Dynamics 365 user, for example, in a workflow or custom ISV solution. Impersonation involves two different user accounts: one user account (A) is used when executing code to perform some task on behalf of another user (B).

Required privileges

User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role.

The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with those of the user that is being impersonated. In other words, user A is allowed to do something if and only if both user A and the impersonated user (B) have the privilege necessary for the action.

Impersonate a user

To impersonate a user, set the CallerId property on an instance of OrganizationServiceProxy before calling the service’s Web methods.
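
The step above as an added example (not code from the original page or from Microsoft's sample): a helper that resolves user B, sets CallerId, creates a record, and restores the previous caller so later calls on the same proxy do not keep running as B. The class name, method name, and the choice to look up the user by domain name are assumptions; the proxy is assumed to be already authenticated as user A.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

public static class ImpersonationExample
{
    // Hypothetical helper: creates an account as user B through a proxy
    // authenticated as user A (who holds prvActOnBehalfOfAnotherUser).
    public static Guid CreateAccountAs(OrganizationServiceProxy proxy,
                                       string domainName, string accountName)
    {
        // Resolve user B while still running as user A; only enabled users match.
        var query = new QueryExpression("systemuser") { ColumnSet = new ColumnSet("systemuserid") };
        query.Criteria.AddCondition("domainname", ConditionOperator.Equal, domainName);
        query.Criteria.AddCondition("isdisabled", ConditionOperator.Equal, false);
        EntityCollection users = proxy.RetrieveMultiple(query);
        if (users.Entities.Count != 1)
            throw new InvalidOperationException("Expected exactly one enabled user for " + domainName);

        Guid previousCaller = proxy.CallerId;
        try
        {
            // From here on, calls run with the intersection of A's and B's privileges.
            proxy.CallerId = users.Entities[0].Id;

            var account = new Entity("account");
            account["name"] = accountName;
            Guid id = proxy.Create(account);

            // The record keeps both identities: createdby is user B,
            // createdonbehalfby is the delegate account, user A.
            Entity created = proxy.Retrieve("account", id,
                new ColumnSet("createdby", "createdonbehalfby"));
            Console.WriteLine("createdby={0} createdonbehalfby={1}",
                created.GetAttributeValue<EntityReference>("createdby")?.Id,
                created.GetAttributeValue<EntityReference>("createdonbehalfby")?.Id);
            return id;
        }
        finally
        {
            // Restore the caller even if a call above throws, so the proxy
            // does not stay in impersonation mode for unrelated requests.
            proxy.CallerId = previousCaller;
        }
    }
}
```

If either account lacks the create privilege on the entity, the Create call fails, because the effective privileges are the intersection described under Required privileges.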

Deployment specific options

Impersonation using a user account in the PrivUserGroup in Active Directory is no longer supported in the on-premises environment. In our ongoing design enhancement of the security protocol, we developed a better and more secure impersonation method. The new method calls for using a Dynamics 365 user and a Dynamics 365 security role. With this method, the user’s privileges are managed through Dynamics 365 and activities are logged for the user. Please see the following table for details.

Deployment Type: Online
Strategy:
- Use the special application user described in Build web applications using Server-to-Server (S2S) authentication to control the privileges that the Dynamics 365 user has access to.
- Grant the application user a security role that includes privileges for the tasks this user will perform on behalf of other users and the prvActOnBehalfOfAnotherUser privilege.

Deployment Type: On-premises or IFD/Claims
Strategy: Create a new Dynamics 365 user with a security role which includes the prvActOnBehalfOfAnotherUser privilege. Within this security role, also include privileges for the tasks this user account will perform on behalf of other users.

See also

Authenticate Users with Dynamics 365 Web Services
Implement Single Sign-on from an ASPX Webpage or IFRAME
How Role-Based Security Can Be Used to Control Access to Entities In Dynamics 365
Sample: Impersonation using the ActOnBehalfOf privilege