Run D365 Web APIs from Postman Without Creating an Azure AD Application!

A lot of functionality lies in the Web APIs, but if you are like me and shied away after looking at the docs.microsoft.com method, then this article might give you another way to access a plethora of new features!

So let us start with what Microsoft wants us to use. In order to call these Web APIs you need a form of authorization, which is achieved by registering an Azure app; more about this can be found at MSDOC. But this shows a really complex way to do the same thing that is spoken about in a blog written by Dynamic Consultants Group: https://dynamicconsultantsgroup.com/blogs/dynamics-365-webapi-calls-and-flow/

Although the above seems easier, it is still quite a task, I would say.

So while trying to find other ways to create an authorization token, I came across something which might save someone some time in the future: using this method, you do not need to create an application in Azure!

Steps:

  1. Log in to CRM as your user and open the browser's developer console. Make sure you have a higher-level system role to get access to all entities.
  2. Filter down to Fetch/XHR requests and find a request that uses either a GET or a POST method to CRM (you will find plenty of these).
  3. Copy the cookie value highlighted below.

Now that we have our cookie value stored in the clipboard, navigate to Postman or any other tool for making HTTP requests and add the necessary headers. In our example we will be using something from MS Docs.

Our API for the demo is:

POST [Organization URI]/api/data/v9.0/accounts HTTP/1.1
Content-Type: application/json; charset=utf-8
OData-MaxVersion: 4.0
OData-Version: 4.0
Accept: application/json

{
  "name": "Sample Account",
  "creditonhold": false,
  "address1_latitude": 47.639583,
  "description": "This is the description of the sample account",
  "revenue": 5000000,
  "accountcategorycode": 1
}

However, in our headers we are NOT going to use any Authorization key! Instead, we will make use of the Cookie header.

And voilà, that works! So now you can run your APIs without a bearer token. However, keep in mind that the cookie token does die out after a while.
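Because the session cookie alone authenticates the call, the same pattern is worth being able to spot in request logs. The Python below is an added example, not part of the original post: it flags Web API requests that carry a cookie but no Authorization header from a non-browser client, and sessions seen with more than one user agent. The JSON-lines log format, its field names and the sample records are constructed assumptions, not a Dynamics 365 log schema.

```python
import json
from collections import defaultdict

# Constructed sample records in a hypothetical JSON-lines proxy log format.
# "sid" stands for a hash of the session cookie, never the cookie itself.
SAMPLE_LOG = """\
{"sid": "a1f3", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "path": "/api/data/v9.0/accounts", "has_cookie": true, "has_authorization": false}
{"sid": "a1f3", "ua": "PostmanRuntime/7.36.0", "path": "/api/data/v9.0/accounts", "has_cookie": true, "has_authorization": false}
{"sid": "b7c2", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1.15", "path": "/api/data/v9.0/contacts", "has_cookie": true, "has_authorization": false}
{"sid": null, "ua": "python-requests/2.31.0", "path": "/api/data/v9.0/accounts", "has_cookie": false, "has_authorization": true}
not-json: truncated line
"""

API_PREFIX = "/api/data/"            # Web API path used in the request above
BROWSER_PREFIXES = ("Mozilla/",)     # assumption: interactive browsers send this prefix

def parse(log_text):
    """Parse JSON-lines text into a list of dicts, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def find_cookie_replay(records):
    """Return (sid, reason, detail) tuples for cookie-only Web API calls worth review."""
    agents = defaultdict(set)
    findings = []
    for r in records:
        if not r.get("path", "").startswith(API_PREFIX):
            continue
        # Only cookie-authenticated calls without a bearer token are of interest.
        if not r.get("has_cookie") or r.get("has_authorization"):
            continue
        sid, ua = r.get("sid"), r.get("ua", "")
        agents[sid].add(ua)
        if not ua.startswith(BROWSER_PREFIXES):
            findings.append((sid, "cookie-only Web API call from non-browser client", ua))
    for sid, uas in agents.items():
        if len(uas) > 1:
            findings.append((sid, "session seen with multiple user agents", sorted(uas)))
    return findings

if __name__ == "__main__":
    for finding in find_cookie_replay(parse(SAMPLE_LOG)):
        print(finding)
```

The User-Agent header is set by the client, so a match here is a lead for review rather than proof.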

In case you like this content, please do put a like on the LinkedIn post!

I hope this helps! 😀

P.S. The above article was published after taking approval from Microsoft Security Research Center (MSRC).
