Events
Power BI DataViz World Championships
Feb 14, 4 PM - Mar 31, 4 PM
With 4 chances to enter, you could win a conference package and make it to the LIVE Grand Finale in Las Vegas
Learn moreDatabase movement API - Authentication
This article provides an overview of the Microsoft Entra setup for calling Lifecycle Services APIs including Database Movement API. To access resources available via API, you must get a bearer token from Microsoft Entra and send it as a header along with each request. The steps to obtain this token are below.
The following steps are required to obtain a bearer token with the correct permissions:
- Create an application registration in your Microsoft Entra tenant
- Configure API permissions
- Configure public client
- Request an access token
Navigate to the Microsoft Entra app registration page and create a new registration. Give the application a name and ensure the Single tenant option is selected. You can skip the redirect URI setup.
Within your new app registration, navigate to the Manage - API Permissions tab. Under the Configure permissions section, select Add a Permission. On the dialog window that opens, select the APIs my organization uses tab, and then search for Dynamics Lifecycle services. You might see several entries with a name similar to this, so be sure you use the one with the GUID, 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0.
Note
These APIs make use of delegated permissions only at this time. For applications that run with a user context, you request delegated permissions using the scope parameter of user_impersonation. These permissions delegate the privileges of the signed-in user to your application, allowing it to act as the user when calling the API endpoints.
Service Principal authentication, where the application calls the API using its own identity or a managed identity, is not supported.
After the required permissions are added to the application, select Grant admin consent to complete the setup. This is necessary when you want to allow users to access your app right away, instead of requiring an interactive consent experience. If you can support interactive consent, we recommend following the Microsoft identity platform and OAuth 2.0 authorization code flow.
To begin reading and writing resources on behalf of a user, you will need to enable the Public Client setting. This is the only way that Microsoft Entra ID will accept username and password properties in the body of your token request. Note that if you plan to use this feature, it will not work for accounts that have multi-factor authentication enabled.
To enable, visit the Manage - Authentication tab. Under the Advanced Settings section, set the Public Client switch to Yes.
To request a bearer token for username and password, follow these instructions.
Be sure to read the public client section above. Then, send a POST request via HTTP to Microsoft Entra ID with a username and password payload.
HTTP
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Accept: application/json
POST https://login.microsoftonline.com/YOUR_TENANT.COM/oauth2/v2.0/token
BODY:
client_id={CLIENT_ID_FROM_AZURE_CLIENT_APP}&scope=https://lcsapi.lcs.dynamics.com//.default&username={USER_EMAIL_ADDRESS}&password={PASSWORD}&grant_type=password
The above example contains placeholders that you can retrieve from your client application in Microsoft Entra ID. You'll receive a response that can be used to make subsequent calls to Power Platform API.
JSON
{
"token_type": "Bearer",
"scope": "https://lcsapi.lcs.dynamics.com//user_impersonation https://lcsapi.lcs.dynamics.com//.default",
"expires_in": 4228,
"ext_expires_in": 4228,
"access_token": "eyJ0eXAiOiJKV1Qi..."
}
Use the access_token value in subsequent calls to the Lifecycle Services API or Database Movement API with the Authorization HTTP header.
Note
The scope parameter might require a different URL format if you are in a local instance of Lifecycle Services or a sovereign cloud. For example, if you are accessing the EU instance of LCS, you can use https://lcsapi.eu.lcs.dynamics.com//.default as your scope parameter. This would also apply for subsequent calls to the API for the hostname.
Additional resources
Training
Module
Use service principal authentication in custom connectors - Training
Learn how to use service principal authentication with custom connectors.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.