401 on OData call to D365FO

Question

I'm trying to make an OData call to retrieve a D365FO data entity.
https://[root_URL]/data/CostGroups
When logged into D365FO in my browser, this call works.

• I'm working in PHP.
• I've registered my app in Azure Active Directory.
• I've provided my app the https://erp.dynamics.com/Connector.FullAccess API permission.
• I've registered my app in D365FO with a user that has admin privileges (the same user used for the successful browser call).
• I am able to acquire an authentication token.
  • Its "aud" field is "https://erp.dynamics.com"
  • Its "appid" field matches that of the app's Azure AD registration
  • Its "roles" field includes only "Connector.FullAccess"
• I'm using curl in PHP to make the OData GET request. I use the URL listed above and my headers are

curl_setopt($curl, CURLOPT_HTTPHEADER, [
    'Accept: application/json',
    'OData-MaxVersion: 4.0',
    'OData-Version: 4.0',
    'Authorization: Bearer ' . $this->accessToken
]);

Response is "401 Unauthorized"

Does anyone know what's going wrong or how I can find more information about the failure? Is there anywhere in D365FO I can look for logs of my attempts?

Answer 1

The resource seems to be incorrect. It should be the base URL of the instance without the trailing '/'.

Your "aud" field is https://erp.dynamics.com. In this case, it should be your [root URL]. Like this:

Check your resource when you post a request to https://login.microsoftonline.com/[tenant ID]/oauth2/token.