问题描述

我有一个在线托管的Dynamics 365 v9组织.我在与我的Dynamics组织不同的租户上的Azure Function应用中托管了一组Azure Functions.

I have a Dynamics 365 v9 organisation hosted online. I have a set of Azure Functions hosted in an Azure Function App on a different tenant to my Dynamics organisation.

我已经创建了网络挂钩使用Dynamics插件注册工具，该工具在某些事件(例如在Dynamics中创建联系人时)会通过其端点URL将数据发布到我的Azure Functions.

I've created web hooks using the Dynamics Plugin Registration Tool, which at certain events (such as when a Contact is created in Dynamics), POST data to my Azure Functions via their endpoint URLs.

通过在HTTP请求的身份验证HttpHeader中传递x-functions-key值来实现Dynamics 365和我的Azure功能之间的身份验证.

Authentication between Dynamics 365 and my Azure Functions is achieved by passing an x-functions-key value in the HTTP request's authentication HttpHeader.

Azure函数以 RemoteExecutionContext ，我可以使用以下代码读取该信息:

The Azure Functions receive data from the event in Dynamics in the form of a RemoteExecutionContext which I can read using the following code:

using System.Net;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    var jsonContent = await req.Content.ReadAsStringAsync();

    log.Info(jsonContent);

    return req.CreateResponse(HttpStatusCode.OK);
}

问题

然后，Azure功能如何向调用Dynamics 365的组织进行身份验证以读取和写入数据?

Question

How can the Azure Function then authenticate back with the calling Dynamics 365 organisation to read and write data?

1. Xrm工具

最简单的身份验证方法是使用 CrmServiceClient .但是，我不一定要提供CrmServiceClient的构造函数的用户名和密码.也许可以通过HTTP POST请求安全地传递凭据?

The simplest way to authenticate would be to use the CrmServiceClient from Microsoft.Xrm.Tooling.Connector.dll. However, I don't necessarily have a username and password to provide the CrmServiceClient's constructor. Perhaps credentials could be passed securely via the HTTP POST request?

1. 应用程序用户

我尝试在Dynamics中注册应用程序用户.我向我的Azure Functions提供了客户端ID和客户端密钥，但是身份验证失败，因为用户与我的Azure Functions位于不同的租户中.

I've tried registering an Application User in Dynamics. I supply the client id and client secret to my Azure Functions, but authentication fails because the user is in a different tenant to my Azure Functions.

接收到的jsonContent字符串中的一个对象称为ParentContext.也许可以将其重新用于向调用Dynamics的组织进行身份验证.

One object of the received jsonContent string is called ParentContext . Perhaps this can be reused to authenticate back with the calling Dynamics organisation.

Marc Schweigert建议使用S2S，并向他的 AzureFunctionApp 存储库.如果可以采用这种方法，我将在此处发布解决方案.

Marc Schweigert has recommended using S2S and has provided a sample to his AzureFunctionApp repository. If I can get this approach to work I'll post the solution here.

推荐答案

我不会想到您可以明智地使用真实"用户凭据连接到CRM.

I wouldn't have thought you can sensibly use the 'real' users credentials to connect to CRM.

我将使用服务帐户重新连接到CRM.创建一个新的CRM用户，尤其是为此目的的用户，如果您使用户成为非交互用户，则不应使用许可证.然后，您可以使用该服务帐户的凭据使用CrmServiceClient连接到CRM.或者查看服务器到服务器身份验证.

I would use a service account to connect back into CRM. Create a new CRMuser especially for this purpose, if you make the user non-interactive you shouldn't consume a license. You can then use the credentials of that service account to connect to CRM using CrmServiceClient. Alternatively have a look at Server to Server authentication.

如果您可以将用户ID传递到Function App，则可以使用服务帐户通过CRM网络服务假冒真实"用户.

If you are able to deliver a user id to your Function App, you use the service account to impersonate 'real' users via the CRM web services.

这篇关于通过Azure功能通过Dynamics 365进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！