Sonoma Partners Microsoft CRM and Salesforce Blog

Multi-Tenant Server to Server Auth and Granting Access

Today's blog post was written by Matt Dearing, Principal Developer at Sonoma Partners.

Server to Server (S2S) authentication has been a very useful addition to Dynamics CRM online, especially in multi-tenant scenarios. S2S authentication allows an external application to authenticate to Dynamics CRM without consuming a user license and without referencing a user's password. The application leverages the Azure app registration's application id and private key (which do not differ across tenants even in multi-tenant scenarios) to authenticate to any Dynamics CRM Online organization that is in a tenant who has granted it access.

When an Azure AD app registration is configured as multi-tenant, an Azure AD admin from the target tenant must grant access to the app.

If the app is a public facing web application (like an MVC application hosted in Azure), it is very easy to configure multi-tenant authentication and have a place for the admin to browse and grant access, but what if the application doesn't have a public web based UI (e.g. on premises app, Azure function, Azure web job, etc.)? The following URL can be used for target admins to grant access to the app:<CLIENTID>&response_mode=form_post&response_type=code+id_token&scope=openid+profile&prompt=admin_consent

In the URL, replace <CLIENTID> with the Azure AD app registration's application id. This will prompt the target admin to grant access to the app in their tenant. Once they grant access, the Dynamics CRM Application User can be setup in their organization. Then the app can start to authenticate to the target org and make API calls against it. For an ISV this URL could be added as a link in their Dynamics CRM solution's configuration page or added as a link in AppSource that they point their users to when installing the solution. The ISV could also setup a single page that redirects to this link for the sole purpose of granting access, allowing more control if the URL ever changes.


S2S Authentication has made it possible to build multi-tenant apps outside of Dynamics CRM that can connect without a unique username and password per organization. It's great to be able to use this authentication scheme even from non-public, web-facing applications.


Questions? Let us know!

Topics: Microsoft Dynamics 365