December 11, 2025

OData Authentication for On-Premises D365FO

Hi Folks, 

Integrating with D365FO via OData is a powerful way to enable external systems to interact with ERP data. While cloud-hosted environments use Azure Active Directory (AAD) for authentication, on-premises deployments require a different approach—primarily relying on Active Directory Federation Services (AD FS). This post walks through the essentials of authenticating OData requests in an on-prem D365FO setup.

OData in D365FO exposes data entities over RESTful endpoints, enabling CRUD operations. In on-prem environments, authentication is handled by AD FS, which issues security tokens based on user credentials. These tokens are then used to authorize access to the OData endpoints.

Below are the key components of this process:

  1. AD FS Configuration

     • AD FS must be properly configured and integrated with D365FO.

     • The AOS (Application Object Server) uses AD FS metadata to validate tokens.

     • Ensure the AD FS XML configuration file is accessible to AOS.

  2. Client Application Setup

     • External apps (e.g., Postman, .NET clients) must be registered in AD FS.

     • You’ll need:

         - Client ID (from AD FS or Azure App Registration)

         - Resource URI (typically the D365FO base URL)

         - Token Endpoint (AD FS OAuth2 endpoint)

  3. Token Acquisition

     • Use the OAuth2 protocol to acquire a bearer token.

     • The token request includes:

         - grant_type=password

         - client_id

         - username and password

         - resource (D365FO URL)

     • AD FS returns a JWT token if the credentials are valid.

  4. Calling OData

     • Include the token in the Authorization header: Authorization: Bearer <access_token>

     • Use standard OData URLs like: https://<your-d365fo-url>/data/Customers


Let's take an example of authenticating via Postman:

  1. Get Token

     • POST to the AD FS token endpoint: https://<adfs-url>/adfs/oauth2/token

     • Body (x-www-form-urlencoded):

         client_id=<your-client-id>
         username=<your-username>
         password=<your-password>
         grant_type=password
         resource=https://<your-d365fo-url>


  2. Use Token

     • Add the Authorization: Bearer <token> header to your OData request (note the space between "Bearer" and the token).

  3. Test Endpoint

     • GET: https://<your-d365fo-url>/data/Customers


Please be aware:
  • Token Expiry: Tokens typically expire after 1 hour. Refresh or reacquire as needed.

  • AD FS Clock Skew: Ensure time sync between AD FS and AOS servers.

  • SSL Certificates: AD FS endpoints must be secured with valid SSL certs.

  • User Permissions: The authenticated user must have access to the data entities.
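
The following Python is an added example, not code from the original post: it builds the same token request and OData call as the Postman steps and checks the token's exp claim with a margin for clock skew. The host names, the 300-second margin and the helper names are assumptions, and the sample token is constructed and unsigned.

```python
import base64, json, time
from urllib.parse import urlencode
from urllib.request import Request

# Assumed placeholder hosts; substitute your own AD FS and D365FO URLs.
ADFS_TOKEN_URL = "https://adfs.example.test/adfs/oauth2/token"
D365FO_URL = "https://d365fo.example.test"

def build_token_request(client_id, username, password, resource=D365FO_URL):
    """Form-encoded POST for the AD FS token endpoint (grant_type=password)."""
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password,
                      "resource": resource}).encode()
    return Request(ADFS_TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.
    For client-side inspection only; the AOS performs the real validation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_refresh(token, now=None, skew=300):
    """True when the token expires within `skew` seconds (assumed margin)."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - skew <= now

def build_odata_request(token, entity="Customers", base=D365FO_URL):
    """GET <base>/data/<entity> with the bearer token in the header."""
    if not base.lower().startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-TLS URL")
    return Request(f"{base.rstrip('/')}/data/{entity}",
                   headers={"Authorization": f"Bearer {token}",
                            "Accept": "application/json"})

def make_sample_token(exp):
    """Constructed, unsigned JWT-shaped token for offline demonstration."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.constructed"

if __name__ == "__main__":
    tok = make_sample_token(int(time.time()) + 3600)  # 1-hour lifetime
    print("refresh needed:", needs_refresh(tok))
    print("GET", build_odata_request(tok).full_url)
    # To send: urllib.request.urlopen(req), which verifies the TLS certificate.
```
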

-Harry