Dynamics 365 API using AAD v2


I am trying to access the Dynamics 365 Online API via a SPA. But I want to use the v2 authorization endpoint. I register my app in AAD and assign permissions for Dynamics CRM (I'm using the preview registration blade which allows me to specify Dynamics). It does not say that Admin consent is required for Dynamics but when I specify the scope in my SPA, I get an error at the consent screen indicating that I need admin consent.

I have successfully used the v1 authorization endpoint in the past so I suspect it is an issue with how I am specifying the scope when I retrieve my access token.

Is there something special needed for this API? Is it not fully implemented yet?

In my scope parameter when I request my access_token, I have tried:

<service guid>/<scope guid>
<service guid>/user_impersonation
https://<tenant>.crm.dynamics.com/user_impersonation
https://crm.dynamics.com/user_impersonation
https://dynamics.com/user_impersonation

The last four indicate admin consent is required. I've tried a few other formats but they error out indicating the format is incorrect or the resource doesn't exist - which I get. But I am confused about the admin consent pieces.

Any guidance appreciated!


There are 2 best solutions below

0
On

Not sure if this helps anyone, but I stumbled onto this thread looking for answers to the correct scope to use to access the Dynamics 365 REST API using MSAL in a client application.

I didn't need user_impersonation as I just wanted to access it as the application user. The scope that worked for me is: "https://{organization}.api.crm3.dynamics.com//.default"

Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#client-credentials-grant-flow-and-default

2
On

You need to use a scope of:

https://{organization}.crm.dynamics.com//user_impersonation

Note the double slash.
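
Both answers rely on the same v2 rule: a scope is the resource identifier followed by "/" and the permission name, so an identifier that ends in a slash produces the double slash. The following is an added example, not code from the thread or from MSAL; the function names, the `contoso` organization and the unsigned sample token are constructed, and the trailing-slash resource identifier is assumed from the answers above.

```javascript
// Added example (not from the original thread). Function names are hypothetical.

// v2 has no separate `resource` parameter: a scope is the resource identifier
// (App ID URI) + "/" + permission. An identifier ending in "/" gives "//".
function toV2Scope(resourceId, permission) {
  return `${resourceId}/${permission}`;
}

// Model of the reverse mapping: split at the LAST slash to recover the pair.
function splitV2Scope(scope) {
  const i = scope.lastIndexOf("/");
  if (i < 0) throw new Error(`not a resource-qualified scope: ${scope}`);
  return { resourceId: scope.slice(0, i), permission: scope.slice(i + 1) };
}

// Decode a JWT payload for client-side diagnostics only. No signature check:
// never make trust decisions on this; the API validates the token itself.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "=")));
}

// Compare what was requested with what the token carries, so a mismatch is
// visible before the API call instead of surfacing as an opaque 401.
function checkTokenAgainstScope(jwt, requestedScope) {
  const { resourceId, permission } = splitV2Scope(requestedScope);
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  if (claims.aud !== resourceId)
    problems.push(`aud "${claims.aud}" != requested resource "${resourceId}"`);
  if (permission !== ".default" && !(claims.scp || "").split(" ").includes(permission))
    problems.push(`scp "${claims.scp}" lacks "${permission}"`);
  return problems;
}

// Constructed sample: unsigned token for a made-up organization "contoso".
const b64url = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [b64url({ alg: "none" }),
  b64url({ aud: "https://contoso.crm.dynamics.com/", scp: "user_impersonation" }), ""].join(".");
```

Against the sample token, the double-slash scope reports no problems, while the single-slash form reports an audience mismatch because the recovered resource lacks the trailing slash.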