从 Azure 函数使用 Dynamics 365 进行身份验证 [英] Authenticate with Dynamics 365 from an Azure Function
问题描述
我有一个在线托管的 Dynamics 365 v9 组织.我在我的 Dynamics 组织的不同租户的 Azure Function App 中托管了一组 Azure Functions.
I have a Dynamics 365 v9 organisation hosted online. I have a set of Azure Functions hosted in an Azure Function App on a different tenant to my Dynamics organisation.
我创建了 网络挂钩 使用 Dynamics 插件注册工具,该工具在某些事件(例如在 Dynamics 中创建联系人时)通过其端点 URL 将数据发布到我的 Azure Functions.
I've created web hooks using the Dynamics Plugin Registration Tool, which at certain events (such as when a Contact is created in Dynamics), POST data to my Azure Functions via their endpoint URLs.
Dynamics 365 和我的 Azure Functions 之间的身份验证是通过在 HTTP 请求的身份验证 HttpHeader 中传递 x-functions-key 值来实现的.
Authentication between Dynamics 365 and my Azure Functions is achieved by passing an x-functions-key value in the HTTP request's authentication HttpHeader.
Azure Functions 以 RemoteExecutionContext 我可以使用以下代码阅读:
The Azure Functions receive data from the event in Dynamics in the form of a RemoteExecutionContext which I can read using the following code:
using System.Net;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
var jsonContent = await req.Content.ReadAsStringAsync();
log.Info(jsonContent);
return req.CreateResponse(HttpStatusCode.OK);
}
问题
然后,Azure 函数如何通过调用 Dynamics 365 组织进行身份验证以读取和写入数据?
Question
How can the Azure Function then authenticate back with the calling Dynamics 365 organisation to read and write data?
- Xrm 工具
最简单的身份验证方法是使用 CrmServiceClient.但是,我不一定有用户名和密码来提供 CrmServiceClient 的构造函数.也许可以通过 HTTP POST 请求安全地传递凭据?
The simplest way to authenticate would be to use the CrmServiceClient from Microsoft.Xrm.Tooling.Connector.dll. However, I don't necessarily have a username and password to provide the CrmServiceClient's constructor. Perhaps credentials could be passed securely via the HTTP POST request?
- 应用用户
我已尝试在 Dynamics 中注册应用程序用户.我将客户端 ID 和客户端密码提供给我的 Azure Functions,但身份验证失败,因为用户与我的 Azure Functions 位于不同的租户中.
I've tried registering an Application User in Dynamics. I supply the client id and client secret to my Azure Functions, but authentication fails because the user is in a different tenant to my Azure Functions.
接收到的 jsonContent 字符串的一个对象称为 ParentContext .也许这可以重新用于向调用的 Dynamics 组织进行身份验证.
One object of the received jsonContent string is called ParentContext . Perhaps this can be reused to authenticate back with the calling Dynamics organisation.
Marc Schweigert 推荐使用 S2S,并为他的 提供了一个示例AzureFunctionApp 存储库.如果我能让这种方法发挥作用,我会在此处发布解决方案.
Marc Schweigert has recommended using S2S and has provided a sample to his AzureFunctionApp repository. If I can get this approach to work I'll post the solution here.
推荐答案
我没想到您可以明智地使用真实"用户凭据连接到 CRM.
I wouldn't have thought you can sensibly use the 'real' users credentials to connect to CRM.
我会使用服务帐户重新连接到 CRM.创建新的 CRM用户特别是为此目的,如果您使用户非交互式,则不应使用许可证.然后,您可以使用该服务帐户的凭据通过 CrmServiceClient 连接到 CRM.或者查看服务器到服务器身份验证.
I would use a service account to connect back into CRM. Create a new CRM
user especially for this purpose, if you make the user non-interactive you shouldn't consume a license. You can then use the credentials of that service account to connect to CRM using CrmServiceClient. Alternatively have a look at Server to Server authentication.
如果您能够向您的 Function App 提供用户 ID,则可以使用服务帐户 通过 CRM 网络服务模拟真实"用户.
If you are able to deliver a user id to your Function App, you use the service account to impersonate 'real' users via the CRM web services.
要模拟用户,请在以下实例上设置 CallerId 属性调用服务的 Web 方法之前的 OrganizationServiceProxy.
To impersonate a user, set the CallerId property on an instance of OrganizationServiceProxy before calling the service’s Web methods.
这篇关于从 Azure 函数使用 Dynamics 365 进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
