My web app (ConfidentialClientApplication) performs some background tasks for my users:
- Poll the e-mail inbox for new mails and import them, using the Microsoft Graph API (using Mail.ReadWrite)
- Poll Dynamics 365 Finance and Operations data for new/deleted/changed data, using the OData endpoints, for example $DYN365_BASE_URL/data/Companies (using Connector.FullAccess)
For reference here is a screenshot of the permissions the app is using:
(Figure 1: App registration permissions)
--
In my web app the user clicks a button to connect their MS365 tenant with my app, requesting the required permissions using the authorization code flow:
(Figure 2: Consent Screen)
I now have an access_token and also a refresh_token (using MSAL for Java).
I can now successfully:
- Read the E-Mails
- Read the Dynamics 365 OData
So far, so good.
--
Now, after 60 minutes my access_token has expired and I need to get a new one using the refresh_token. So, I do that.
Using the new access_token I can:
- Still successfully read the e-mails
- However, trying to read the Dynamics 365 OData, I get an exception:
AADSTS65001: The user or administrator has not consented to use the application.
--
- Why?
- What can I change to maintain access to the Dynamics 365 OData after 60 minutes?
--
We found a rather simple solution: we needed to also add the Odata.FullAccess permission in the Azure portal. Using the following set of permissions, the code worked fine without any further modifications:
We also experimented with using fewer permissions. But it looks like all of the permissions are required for our use case.
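The pattern behind both the question and the answer, as an added example (not code from the asker, the answerer, or Microsoft): a Microsoft Entra ID (v2 endpoint) refresh token is valid for every resource the user consented to, but each token request is for one resource, so the app has to ask for Graph scopes and Dynamics scopes in separate calls, and each of those calls only succeeds if consent on the registration covers that resource's permissions. The snippet redeems the authorization code for Graph, then lets MSAL for Java use the cached refresh token to obtain a token for the Finance and Operations environment, and surfaces AADSTS65001 as a consent problem rather than a generic failure. CLIENT_ID, CLIENT_SECRET, AUTHORITY, REDIRECT_URI, the $DYN365_BASE_URL environment variable, and the use of the `/.default` scope for the Dynamics environment are assumptions for this example; `/.default` asks for whatever permissions are consented for that resource, which is why the registration must list Odata.FullAccess (as the answer found) before the OData calls work.

```java
import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.microsoft.aad.msal4j.SilentParameters;

import java.net.URI;
import java.util.Set;
import java.util.concurrent.ExecutionException;

public class PerResourceTokens {
    // Assumed placeholders for this example: take them from your own app registration.
    static final String CLIENT_ID = "<client-id>";
    static final String CLIENT_SECRET = "<client-secret>";
    static final String AUTHORITY = "https://login.microsoftonline.com/common/";
    static final String REDIRECT_URI = "https://example.invalid/auth/callback";
    // Assumed: the Finance and Operations environment URL, as in the question's $DYN365_BASE_URL.
    static final String DYN365_BASE_URL = System.getenv("DYN365_BASE_URL");

    // One scope set per resource. A single token request may only target one resource,
    // so Graph and Dynamics scopes are never mixed in the same call.
    static final Set<String> GRAPH_SCOPES = Set.of("https://graph.microsoft.com/Mail.ReadWrite");
    // Assumed: "/.default" requests every permission consented for the Dynamics environment
    // (Connector.FullAccess, Odata.FullAccess, ... as listed on the registration).
    static final Set<String> DYN365_SCOPES = Set.of(DYN365_BASE_URL + "/.default");

    static ConfidentialClientApplication buildApp() throws Exception {
        return ConfidentialClientApplication
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET))
                .authority(AUTHORITY)
                .build();
    }

    /** Step 1: redeem the authorization code. MSAL adds offline_access itself and caches the refresh token. */
    static IAuthenticationResult redeemCode(ConfidentialClientApplication app, String code) throws Exception {
        AuthorizationCodeParameters params = AuthorizationCodeParameters
                .builder(code, new URI(REDIRECT_URI))
                .scopes(GRAPH_SCOPES)
                .build();
        return app.acquireToken(params).get();
    }

    /**
     * Step 2: get a token for exactly one resource. If the cached access token for these scopes
     * has expired, MSAL redeems the refresh token for this resource only.
     */
    static IAuthenticationResult tokenFor(ConfidentialClientApplication app, IAccount account,
                                          Set<String> scopes) throws Exception {
        try {
            return app.acquireTokenSilently(SilentParameters.builder(scopes, account).build()).get();
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            // AADSTS65001 means consent does not cover this resource's permissions. No amount of
            // refreshing fixes that; the registration (or the user's consent) has to be extended.
            if (cause instanceof MsalServiceException
                    && String.valueOf(cause.getMessage()).contains("AADSTS65001")) {
                throw new IllegalStateException("Consent missing for scopes " + scopes, cause);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        ConfidentialClientApplication app = buildApp();
        // args[0] is the authorization code returned to REDIRECT_URI after the consent screen.
        IAuthenticationResult first = redeemCode(app, args[0]);
        IAccount user = first.account();

        // Later (for example after the 60-minute lifetime has passed), ask per resource.
        IAuthenticationResult graph = tokenFor(app, user, GRAPH_SCOPES);
        IAuthenticationResult dyn365 = tokenFor(app, user, DYN365_SCOPES);
        System.out.println("Graph token valid until " + graph.expiresOnDate());
        System.out.println("Dynamics 365 token valid until " + dyn365.expiresOnDate());
    }
}
```

Two caveats for a web app that polls on behalf of many users: the ConfidentialClientApplication token cache is in memory, so the refresh token is lost on restart unless you persist the cache per user (MSAL for Java's ITokenCacheAccessAspect hook); and a refresh token is a long-lived credential equivalent to the user's consent, so store that serialized cache encrypted and scoped to the user it belongs to.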