Forum Discussion
Is it possible to access Dataverse and Microsoft Graph api by single token using AAD auth?
Is it possible to access Dataverse and Microsoft Graph api by single token using AAD auth?
6 Replies
Yes, it is possible to access both Dataverse and Microsoft Graph API using a single token through Azure Active Directory (AAD) authentication. This can be done by configuring the token to have the appropriate scopes or permissions for both resources (Dataverse and Microsoft Graph) under a single Azure AD app registration.
1-You need to register an application in Azure Active Directory (Azure AD)-
Go to Azure Portal > Azure Active Directory > App registrations and create a new app.2-In the app registration, you need to add API permissions for both Dataverse and Microsoft Graph-
For Dataverse (Power Platform/Dynamics 365), you can add permissions for the "Common Data Service" (CDS) or Dataverse, depending on how it’s labeled in the Azure AD UI.
For Microsoft Graph, you need to add the appropriate Graph API permissions, such as User.Read, Mail.Read, Calendar.Read, etc., depending on what you want to access.3-OAuth 2.0 Scopes-
Once you’ve added the necessary permissions, you’ll need to request a token that includes both Dataverse and Microsoft Graph scopes.
In the token request, you’ll specify the scopes for both APIs:
For Microsoft Graph, the scopes may look like https://graph.microsoft.com/.default (or specific permissions like User.Read).
For Dataverse, the scopes may look like https://<contoso>.crm.dynamics.com/.default.4-When requesting the token (using OAuth 2.0, for example), you authenticate against Azure AD, and the resulting token will contain the necessary claims for accessing both Dataverse and Microsoft Graph APIs, provided the correct scopes were included.
5-With the token, you can then make requests to-
Microsoft Graph: Use the token to call Microsoft Graph API endpoints (e.g., https://graph.microsoft.com/v1.0/users).
Dataverse: Use the token to call Dataverse endpoints (e.g., https://<contoso>.crm.dynamics.com/api/data/v9.0).The app must have the correct permissions for both services in Azure AD.
Ensure the scopes for both Microsoft Graph and Dataverse are included when requesting the token.
The single token will allow you to authenticate and access both services without needing separate authentication flows.Hi micheleariis
Actually, If I give scope like that way- scope: 'openid profile email offline_access Mail.Send $orgUrl/user_impersonation', then generated toen working for sending mail but not working for dataverse access. Or If I do this way - 'openid profile email offline_access $orgUrl/user_impersonation Mail.Send ' then it's working for dataverse but not for sending mail.
surigaurav179 Got your case 🙂 Azure AD allows you to use one token for only one resource at a time. To access both Microsoft Graph and Dataverse, you will need to request two separate tokens.
