Database movement API - Authentication

This topic provides an overview of how to authenticate with the Database Movement application programming interface (API).


To call the Database Movement API, your application must acquire an access token from the Microsoft identity platform. The access token contains information about your application and the permission that it has to call resources in Microsoft Dynamics Lifecycle Services (LCS).

Access token

Access tokens that are issued by the Microsoft identity platform are base64-encoded JavaScript Object Notation (JSON) Web Tokens (JWTs). They contain information (claims) that the Database Movement API, and other web APIs that are secured by the Microsoft identity platform, use to validate the caller and to make sure that the caller has the correct permissions for the operation that it is requesting. During calls, you can treat access tokens as opaque. You should always transmit access tokens over a secure channel, such as Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS).

Here is an example of an access token that is issued by the Microsoft identity platform.


To call the Database Movement API, you attach the access token as a bearer token to the authorization header in your HTTP request. Here is an example.

Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
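The following Python sketch is an added example, not code from the original page or from Microsoft. Before a request is sent, it reads a JWT's claims for diagnostics, confirms the delegated user_impersonation scope that the registration steps below add, checks expiry, and refuses to attach the token to a non-HTTPS URL. It does not verify the signature (the API does that). The `scp` and `exp` claim names are the ones used in Microsoft identity platform access tokens; the sample token, audience and URL are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlsplit


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token):
    """Return a JWT's claims WITHOUT verifying its signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def preflight(token, url, required_scope="user_impersonation", now=None):
    """Check transport, scope and expiry, then return the request headers."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    claims = read_claims(token)
    # Delegated permissions appear in 'scp' as a space-separated string.
    if required_scope not in claims.get("scp", "").split():
        raise PermissionError(f"token lacks delegated scope {required_scope!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token has expired; acquire a new one")
    return {"Authorization": f"Bearer {token}"}


def make_sample_token(claims):
    """Build a constructed sample token; 'c2ln' is a dummy, invalid signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    # Constructed values: placeholder audience and URL, not real endpoints.
    sample = make_sample_token({"aud": "https://api.example.invalid",
                                "scp": "user_impersonation",
                                "exp": 2_000_000_000})
    print(read_claims(sample))
    print(preflight(sample, "https://api.example.invalid/op", now=1_900_000_000))
```

A failed preflight check points to a registration or token-lifetime problem on the client side; a passed check only means the request is worth sending, because the service still validates the token itself.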

Register a new application by using the Azure portal

  1. Sign in to the Microsoft Azure portal by using a work or school account, or a personal Microsoft account.

  2. If your account gives you access to more than one tenant, select your account in the upper-right corner, and set your portal session to the Azure Active Directory (Azure AD) tenant that you want.

  3. In the left pane, select the Azure Active Directory service, and then select App registrations > New registration.

  4. When the Register an application page appears, enter your application's registration information:

    • Name – Enter a meaningful application name that will be shown to users of the app.

    • Supported account types – Select the types of accounts that your app should support.

      Supported account types and their descriptions:

      • Accounts in this organizational directory only – Select this option if you're building a line-of-business app. This option isn't available unless you're registering the app in a directory.

        This option is mapped to Azure AD only single-tenant.

        This option is the default option unless you're registering the app outside a directory. In that case, the default option is Azure AD multi-tenant and personal Microsoft accounts.

      • Accounts in any organizational directory – Select this option to target all business and educational customers.

        This option is mapped to Azure AD only multi-tenant.

        If you registered the app as Azure AD only single-tenant, you can use the Authentication blade to update it to Azure AD only multi-tenant and then back to Azure AD only single-tenant.

      • Accounts in any organizational directory and personal Microsoft accounts – Select this option to target the widest set of customers.

        This option is mapped to Azure AD multi-tenant and personal Microsoft accounts.

        If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you can't change this setting in the user interface (UI). Instead, you must use the application manifest editor to change the supported account types.

    • Redirect URI (optional) – Select the type of app that you're building: Web or Public client (mobile & desktop). Then enter the redirect URI (or reply URL) for the app.

      • For web apps, provide the base URL of the app. For example, http://localhost:31544 might be the URL for a web app that runs on your local machine. Users then use this URL to sign in to a web client app.
      • For public client apps, provide the URI that Azure AD uses to return token responses. Enter a value that is specific to your app, such as myapp://auth.

      To see specific examples for web apps or native apps, see the quick start guides from Azure AD.

  5. Under API permissions, select Add a permission. Then, on the APIs my organization uses tab, search for Dynamics Lifecycle services, and add the user_impersonation permission to your app.

  6. Select Register.

Registering a new app in the Azure portal.

Azure AD assigns a unique application ID (client ID) to your app, and you're taken to the Overview page for your app. To add more capabilities to your app, you can select other configuration options, such as options for branding, and for certificates and secrets.