Integration Capabilities with Custom Connectors
Custom connectors in Power Automate enable direct integration with Dynamics 365 Finance & Supply Chain Management (F&SCM) REST API endpoints using OAuth 2.0, opening significant possibilities for process automation outside the standard connector limitations.
A practical example is document archiving integration with our FlexxStore document management add-on for Dynamics 365 Finance & SCM. Using a custom connector, you can automate the following processes:
- Adding documents to your archive while showing them in Dynamics 365
- Scanning documents (Invoices, Packing slips, ..) to Dynamics 365
- Power Apps taking pictures of documents and adding to the archive
- Archiving of e-mails and attachments by forwarding to a monitored mailbox
- Automated document routing based on business rules defined in Power Automate
This integration pattern bypasses traditional limitations of standard connectors by directly communicating with custom service REST API endpoints exposed through D365's Custom Service framework.
OAuth 2.0 Authentication for D365 F&SCM Integration
OAuth 2.0 is the required authentication protocol when connecting Power Automate to D365 F&SCM via custom connectors. It provides a secure authorization framework without exposing credentials across service boundaries.
For D365 F&SCM REST API integration, two OAuth 2.0 grant types are most relevant:
Client Credentials Grant
This grant type is designed for server-to-server authentication without user context:
- Flow: Client application directly requests an access token from the authorization server by presenting its client credentials (ID and secret)
- Authentication scope: Application-level permissions only
- Token issuance: Based solely on the application's identity
- Usage scenario: Background processes, scheduled synchronizations, system-level integrations
Authorization Code Grant
This grant type is designed for delegated user authentication:
- Flow: User authenticates, authorization server issues a temporary code, application exchanges this code for an access token
- Authentication scope: Delegated permissions acting on behalf of the authenticated user
- Token issuance: Based on user identity with consent
- Usage scenario: Interactive processes where user context matters, user-triggered workflows
Grant Type Implications for D365 F&SCM Authorization
The grant type selection directly impacts how authorization is handled within D365 F&SCM:
Client Credentials Implementation
When implementing client credentials flow:
- An Entra ID (formerly Azure AD) application must be registered and granted permissions
- The application must be explicitly registered within D365 F&SCM to authorize non-user operations. Configuration in D365:
- Navigate to System Administration > Setup > Microsoft Entra ID Applications
- Register the application's ID and grant appropriate permissions
- Token does not contain user identity information, only application claims
- Limited to operations that don't require user context
- Operations will be executed in the context of the user assigned to the Entra ID application in D365 F&SCM
Authorization Code Implementation
When implementing authorization code flow:
- No explicit Entra ID application registration required within D365 F&SCM
- The user's identity from the token is used for authorization
- User must exist in D365 F&SCM with appropriate security roles assigned
- Operations will be executed in the context of the authenticated user
- All access control follows standard D365 security role assignments
Power Automate Custom Connector Authentication Challenges
Power Automate's custom connector framework presents specific challenges with OAuth 2.0 implementation:
Grant Type Ambiguity
Power Automate doesn't explicitly indicate which OAuth 2.0 grant type is being used during connector configuration. This ambiguity can lead to confusion during implementation and troubleshooting.
Token Analysis
By examining the token payload obtained during authentication, you can determine the actual grant type:
// Authorization Code grant token (contains user information)
{
"aud": "https://dynamicsinstance.operations.dynamics.com",
"iss": "https://sts.windows.net/tenant-id/",
"iat": 1615983494,
"nbf": 1615983494,
"exp": 1615987394,
"aio": "...",
"amr": ["pwd"],
"appid": "application-id",
"appidacr": "0",
"idp": "https://sts.windows.net/tenant-id/",
"oid": "user-object-id",
"rh": "...",
"sub": "user-subject-id",
"tid": "tenant-id",
"unique_name": "user@domain.com",
"upn": "user@domain.com",
"uti": "...",
"ver": "1.0"
}
The presence of user identifiers like upn, unique_name, and user-specific claims indicates an authorization code grant type.
Authentication Requirements
Based on token analysis, Power Automate custom connectors for D365 F&SCM typically implement the authorization code grant type, which has critical implications:
- The user account used during connection setup must exist in D365 F&SCM
- This user must have appropriate security privileges for all operations the flow will perform
- Connection issues often stem from mismatched user permissions rather than connector configuration problems
- Service principal-only authentication (without user context) is not supported in standard Power Automate custom connector configurations
This constrains scenarios where flows need to operate without specific user context, essentially requiring a service account with appropriate permissions in D365 F&SCM.
Conclusion
When implementing Power Automate integrations with D365 F&SCM custom service endpoints:
- Understand that OAuth 2.0 authorization code grant is the default authentication method
- Ensure the connecting user exists in both Entra ID and D365 F&SCM with proper permissions
- For service-to-service scenarios, use a dedicated service account rather than trying to implement client credentials flow
- Monitor token expiration and implement proper refresh mechanisms to maintain connection stability
By properly configuring authentication, custom connectors provide powerful integration capabilities between Power Automate and D365 F&SCM beyond what standard connectors offer.
