Walkthrough: Register a Dynamics 365 app with Azure Active Directory

Applies to Dynamics 365 for Customer Engagement apps version 9.x

This walkthrough describes how to register an application with Azure Active Directory, which enables a user with Dynamics 365 (online) user account to connect to their Dynamics 365 Online Customer Engagement instance from external client applications using OAuth authentication.


Dynamics 365 also provides you with Server-to-Server (S2S) authentication option to connect to Dynamics 365 Online Customer Engagement instance from external applications and services using the special application user account. S2S authentication is the common way that apps registered on Microsoft AppSource use to access the Dynamics 365 data of their subscribers. More information: Build web applications using Server-to-Server (S2S) authentication.

App registration in Azure Active Directory is typically done by ISVs who want to develop external client applications to read and write data in Customer Engagement. Registering an app in Azure Active Directory provides you with Application ID and Redirect URI values that ISVs can use in their client application's authentication code. When end users use the ISV's application for the first time to connect to their Customer Engagement instance by providing their Customer Engagement credentials, a consent form is presented to the end user. After consenting to use their Customer Engagement account with the ISV's application, end users can connect to Customer Engagement instance from external application. The consent form is not displayed again to other users after the first user who has already consented to use the ISV's app. Apps registered in Azure Active Directory are multi-tenant, which implies that other Customer Engagement users from other tenant can connect to their instance using the ISV's app.

App registration can also be done by an application developer or individual user who is building a client application to connect to and read/write data in Customer Engagement. Use the Application ID and Redirect URI values from your registered app in your client application's authentication code to be able to connect to Customer Engagement instance from your client application, and perform the required operations. Note that if the app is registered in the same tenant as your Customer Engagement instance, you won't be presented with a consent form when connecting from your client application to your Customer Engagement instance.


  • The user who is registering the application must have a Dynamics 365 (online) user account with System Administrator security role and the global administrator role for the Office 365 subscription.

  • An Azure subscription for application registration. A trial account will also work.

How to: Register an application with Microsoft Azure Active Directory

  1. Sign in to the Azure management portal by using an account with administrator permission. You must use an account in the same Office 365 subscription (tenant) as you intend to register the app with.

    You can also access the Azure management portal through the Office 365 Admin center by expanding the Admin centers item in the left navigation pane, and selecting Azure AD.


    If you don’t have an Azure tenant (account) or you do have one but your Office 365 subscription with Dynamics 365 (online) is not available in your Azure subscription, following the instructions in the topic Set up Azure Active Directory access for your Developer Site to associate the two accounts.

    If you don’t have an account, you can sign up for one by using a credit card. However, the account is free for application registration and your credit card won’t be charged if you only follow the procedures called out in this topic to register one or more apps. More information: Active Directory Pricing Details

  2. In the Azure management portal, follow the steps as described in the Adding an application section in the Azure Active Directory developers guide to create an app.

  3. On creating an app in Azure Active Directory, a unique Application ID (previously called Client ID) is generated for your application, and the newly registered app appears on the registered apps page. Click the app to open the app information page.

  4. On the app information page, hover over Application ID (previously called Client ID) value, and select the Click to copy icon to copy the value as you’ll need to specify this in your application’s authentication code or app.config file where appropriate.

    Copy application ID

  5. Select Settings in the app info page, and use the Redirect URIs option on the Settings page to copy the redirect URI value for your app. You can also change and add additional URIs if required. For an app of Web app / API application type, you will see Reply URLs option instead of the Redirect URIs option.

  6. On the Settings page, select Required permissions > Add to add permissions for the registered app.

    Add app permission

  7. On the Add API access page:

    • Select Select an API > Dynamics CRM Online, and then click Select.

      Add app permission

    • Select Select permissions > Access CRM Online as organization users, and then click Select.

      Add delegated permission

    • Select Done to add the delegated permission to the registered app.

This completes the registration of your application in Azure Active Directory.

See also

Application registration in Azure Active Directory
Authenticate Users with Dynamics 365 Web Services