> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a Microsoft Dynamics 365 connector
> C1 provides identity governance and just-in-time provisioning for Microsoft Dynamics 365. Integrate your Microsoft Dynamics 365 instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Roles | | |
| Teams | | |
By default, system accounts are not synced. You can configure the connector to sync system accounts if desired.
## Gather Microsoft Dynamics 365 credentials
Configuring the connector requires you to pass in credentials generated in Microsoft Dynamics 365. Gather these credentials before you move on.
A user who is an **Application Administrator** (or similar admin role) in Microsoft Entra ID and a **System Administrator** in Microsoft Dynamics 365 must perform this task.
### Look up your Microsoft Dynamics 365 environment URL
Log into the [Power Platform Admin Center](https://admin.powerplatform.microsoft.com).
On the left side of the screen, click **Manage** > **Environments**.
Click the name of the environment you want to integrate with C1.
On the environment's details page, carefully copy and save the URL of the environment.
### Create a new Entra application
In the Entra ID admin center, navigate to **App registrations**.
Click **+ New registration**.
Give the application a name, such as "C1", and select the supported account type relevant to your Entra installation (typically **Accounts in this organizational directory only (Default Directory only - Single tenant)**). You do not need to set a redirect URL.
Click **Register**.
The new app is created. Carefully copy and save the **Application (client) ID** and the **Directory (tenant) ID** shown on the application summary page.
### Give the new Entra app API permissions
Click **API permissions**.
Click **+ Add permissions** and click the **APIs my organization uses** tab.
Search for "Dataverse".
Click **Application permissions**.
Select **user\_impersonation**. This permission allows your application to access Dataverse as itself (or, conceptually, to "impersonate" a user defined within Dataverse).
Click **Add permissions**.
Navigate to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
Click **Grant admin consent for ...** at the top of the permissions list, and confirm your action.
### Create a client secret
Next, we'll generate a client secret for your app. Navigate to the app and click **Certificates & secrets**.
Click **+ New client secret**.
Give the client secret a description and set its expiration.
Click **Add**.
The client secret is shown in the **VALUE** field. Carefully copy and save the **Secret Value**.
### Create an application user
This step links your Microsoft Entra ID app to your Dataverse environment and assigns it security roles, defining its actual permissions within Dynamics 365.
Sign in to your Dynamics 365 environment.
Click the gear icon in the top right corner and select **Advanced Settings**.
Navigate to **Settings** > **Security** > **Users**.
In the **Users** view, change the view from "Enabled Users" to "Application Users" using the view selector in the command bar.
Click **New** in the command bar.
In the new user form, ensure the form type dropdown at the top is set to **Application User**.
Fill in the Application User's details as follows:
* Application ID: Paste the Application (client) ID you copied from Microsoft Entra ID earlier.
* Full Name: Give it a descriptive name, such as "Dataverse Integration App User".
* Primary Email: You can use a dummy email like `appuser@yourdomain.com` if desired.
* Business Unit: Select your Primary/Root Business Unit. This is crucial. If you're unsure, it's typically the top-level business unit named after your organization (you can find it by navigating to **Power Platform Admin Center** > **Environments** > **\[Your Env]** > **Settings** > **Business Units**).
Click **Save**.
Next, assign Security Roles. Click **Manage Roles** in the command bar at the top.
Assign the relevant security roles. You'll need roles that grant the indicated privileges on the following entities:
To sync (read-only):
| Entity | Permissions |
| ----------------- | ----------- |
| **User** | Read |
| **Team** | Read |
| **Security Role** | Read |
To sync and provision (read-write):
| Entity | Permissions |
| ----------------------------------- | ------------------------------------------------------------- |
| **User** | Read, Append To, Append |
| **Team** | Write, Read, Append, Append To |
| **Security Role** | Read, Assign |
| **Account** | Read, Append To |
| **Action Approval Model** | Read |
| **Activity** | Create, Read, Write, Append, Append To |
| **Approval** | Read |
| **Approval Process** | Create, Read, Write, Delete, Append, Append To, Assign, Share |
| **Approval Request** | Read |
| **Approval Response** | Read |
| **Approval Stage Approval** | Read |
| **Approval Stage Condition** | Read |
| **Approval Stage Order** | Read |
| **Approval Step** | Read |
| **Await All Action Approval Model** | Read |
| **Await All Approval Model** | Read |
| **Basic Approval Model Data** | Read |
| **Connection** | Read |
| **Contact** | Read, Append To |
| **Email Signature** | Read |
| **Flow Approval** | Read |
| **Lead** | Read, Write, Append To, Assign |
| **Mailbox** | Read |
| **Note** | Create, Read, Write, Delete, Append, Append To, Assign, Share |
| **Sales Agent Configuration** | Read |
| **Sales Agent Run** | Create, Read, Write, Delete, Append, Append To, Assign, Share |
| **SalesAgentConfigurationV2** | Read |
| **Sales Agent Profile** | Read, Append To |
| **Sequence** | Read |
| **Sequence Target** | Create, Read, Write, Delete, Append, Append To, Assign, Share |
| **Sequence Target Step** | Create, Read, Write, Delete, Append, Append To, Assign, Share |
| **System Job** | Read |
| **Queue** | Read |
We recommend creating a custom security role with only the specific permissions needed for these entities at the "Organization" level.
Click **OK**.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Microsoft Dynamics 365 connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Microsoft Dynamics 365 credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Microsoft Dynamics 365** and click **Add**.
Choose how to set up the new Microsoft Dynamics 365 connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter the Microsoft Dynamics 365 credentials into the relevant fields.
**Optional.** Click the box to **Include system accounts** in the information the connector syncs.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Microsoft Dynamics 365 connector is now pulling access data into C1.
\*\*Follow these instructions to use the Microsoft Dynamics 365 connector, hosted and run in your own environment. \*\*
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
[Contact C1's support team](mailto:support@c1.ai) to download the latest version of the connector.
### Step 1: Set up a new Microsoft Dynamics 365 connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Microsoft Dynamics 365 connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Microsoft Dynamics 365 connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-microsoft-dynamics-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-microsoft-dynamics-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Microsoft Dynamics 365-specific credentials
BATON_ENVIRONMENT_URL:
BATON_DYNAMICS_CLIENT_ID:
BATON_DYNAMICS_CLIENT_SECRET:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
# Optional: include if you want C1 to sync system accounts
BATON_INCLUDE_SYSTEM_ACCOUNTS: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-microsoft-dynamics.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-microsoft-dynamics
labels:
app: baton-microsoft-dynamics
spec:
selector:
matchLabels:
app: baton-microsoft-dynamics
template:
metadata:
labels:
app: baton-microsoft-dynamics
baton: true
baton-app: microsoft-dynamics
spec:
containers:
- name: baton-microsoft-dynamics
image: ghcr.io/conductorone/baton-microsoft-dynamics:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-microsoft-dynamics
envFrom:
- secretRef:
name: baton-microsoft-dynamics-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Microsoft Dynamics 365 connector to. Microsoft Dynamics 365 data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Microsoft Dynamics 365 connector is now pulling access data into C1.