Tags: c#, azure-active-directory, dynamics-crm, microsoft-dynamics

"You can't sign in here with a personal account. Use your work or school account instead" when trying to access Dynamics CRM api


I already tried the following:

  • I set the Supported account types to "All Microsoft account users".
  • In the manifest file I changed:

    "allowPublicClient": true,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",

  • I granted admin consent for the permissions.

I'm following the code I found in the documentation:


```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

#region Authentication
static async Task<AuthenticationResult> AcquireTokenAsync(string clientId, string redirectUri, string resource)
{
    // AzureAdMultipleOrgs maps to the /organizations authority, which accepts only
    // work or school accounts; AzureAdAndPersonalMicrosoftAccount maps to /common.
    var authBuilder = PublicClientApplicationBuilder.Create(clientId)
                      .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                      .WithRedirectUri(redirectUri)
                      .Build();

    // "/.default" requests every permission already consented to for this resource.
    string[] scopes = { resource + "/.default" };

    // Await the call instead of reading .Result: blocking on the task can deadlock on a UI thread.
    return await authBuilder.AcquireTokenInteractive(scopes).ExecuteAsync();
}
#endregion Authentication
```

Solution

  • I created an Azure AD Multi-Tenant Application (Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts):


    Granted Dynamics CRM API permission:

    As a sample, I used the endpoint below to authorize users:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=https://admin.services.crm.dynamics.com/user_impersonation
    &state=12345


    And I got the same error while trying to sign in with a personal account:

    Note that the Dynamics CRM API is used in a business or enterprise context, where users must have work or school accounts that are associated with an Azure AD tenant.

    • Microsoft accounts created for personal use are normally not linked to an Azure AD tenant.
    • They lack the same level of security and control as work or school accounts; as a result, personal Microsoft accounts cannot access enterprise or company tools like Dynamics CRM.
    • Hence, Dynamics CRM allows access to work or school accounts to prevent unauthorized access and protect sensitive data.

    I tried to sign in with a work account, and it signed in successfully.

    I am able to generate an access token successfully using the parameters below via Postman:

    https://login.microsoftonline.com/common/oauth2/v2.0/token

    client_id:ClientID
    grant_type:authorization_code
    scope:https://admin.services.crm.dynamics.com/user_impersonation
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret


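An added example, not part of the question or the answer above, written in Python rather than the question's C# so it runs with the standard library only: it rebuilds the /authorize URL and /token form body from the answer's parameters, and adds the check a practitioner wants when this error appears, namely reading the `tid` claim of the returned token to see whether the account is a work/school account or a personal Microsoft account. The MSA tenant id constant is the well-known public value the Microsoft identity platform stamps into tokens for personal accounts; the sample tokens, client id, tenant id and usernames are constructed for the demo and the decoder does not verify signatures (inspection only, as jwt.ms does).

```python
"""Authorization-code flow helpers plus an account-type check (added example)."""
import base64
import json
from urllib.parse import urlencode

# Well-known tenant id used in the `tid` claim of tokens issued to personal
# Microsoft accounts (MSA); work or school accounts carry their own tenant id.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

AUTHORITY = "https://login.microsoftonline.com/common"


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Reconstruct the /authorize request from the answer as one URL (v2.0 endpoint)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,  # echoed back by the authority; compare it to detect CSRF
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(client_id, code, redirect_uri, scope, client_secret=None):
    """Form body for the /token exchange; only confidential clients send a secret."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def _b64url_decode(segment):
    """Base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Inspection only (what jwt.ms does); never make an authorization decision
    on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def account_type(claims):
    """Classify the signed-in account from the `tid` claim."""
    tid = claims.get("tid")
    if tid is None:
        return "unknown"
    return "personal" if tid.lower() == MSA_TENANT_ID else "work_or_school"


def _make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg none) token purely for the demo data below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens (not real tokens): one from a work tenant, one from MSA.
WORK_TOKEN = _make_unsigned_jwt(
    {"tid": "11111111-2222-3333-4444-555555555555", "preferred_username": "alice@contoso.example"}
)
PERSONAL_TOKEN = _make_unsigned_jwt(
    {"tid": MSA_TENANT_ID, "preferred_username": "alice@outlook.example"}
)

SCOPE = "https://admin.services.crm.dynamics.com/user_impersonation"

if __name__ == "__main__":
    print(build_authorize_url("ClientID", "https://jwt.ms", SCOPE, "12345"))
    print(build_token_request("ClientID", "code", "https://jwt.ms", SCOPE))
    for name, tok in (("work", WORK_TOKEN), ("personal", PERSONAL_TOKEN)):
        print(name, "->", account_type(decode_jwt_claims(tok)))
```

If the token you get back carries the MSA tenant id, the account is personal and the Dynamics CRM resource will reject it regardless of the app registration's `signInAudience`; a work or school account shows its own tenant id in `tid`.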