Microsoft Dynamics 365
CRM
system_type: "dynamics365"
Secure Dataverse REST API and Dynamics 365 module calls through QuantaSeal with Azure AD OAuth2 credentials sealed in QuantaVault.
Overview
The Dynamics 365 connector proxies calls to the Microsoft Dataverse Web API and module-specific endpoints (Sales, Customer Service, Field Service). Azure AD OAuth2 client credentials are sealed in QuantaVault and automatically refreshed. All response payloads are returned as HybridCryptoEnvelopes.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...
Prerequisites
1. An Azure AD App Registration with Dynamics 365 / Dataverse API permissions
2. Client ID, Client Secret, and Tenant ID from Azure AD
3. Your Dynamics 365 environment URL (e.g. https://yourorg.crm.dynamics.com)
4. A QuantaSeal API key
Configuration
Follow these steps to connect Microsoft Dynamics 365 to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In Azure Portal, register an app and grant it the Dynamics CRM user_impersonation permission.
2. Create a client secret and note the Client ID, Client Secret, and Tenant ID.
3. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client and values: {client_id, client_secret, tenant_id, environment_url}.
4. Create the integration: POST /api/v2/integrations with system_type: dynamics365.
Authentication Types
Use oauth2_client with client_id, client_secret, and tenant_id. QuantaSeal exchanges these for a bearer token using the Azure AD client_credentials flow and refreshes automatically.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| query | OData query against any Dataverse entity set. |
| create | Create a Dataverse record. |
| update | Update a Dataverse record by GUID. |
| delete | Delete a Dataverse record. |
| associate | Associate two Dataverse records. |
| execute_action | Execute a Dataverse action or function. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
```bash
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRD365000001",
    "operation": "query",
    "payload": {
      "entity": "accounts",
      "filter": "revenue gt 1000000",
      "select": ["name", "revenue", "primarycontactid"],
      "top": 20
    }
  }'
```
Response - HybridCryptoEnvelope:
```json
{
  "success": true,
  "encrypted": {
    "ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted Dataverse response>",
    "nonce": "<base64 - 12 bytes>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-KEM-768"
  },
  "signature": {
    "pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}
```
client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting
AADSTS70011: Invalid scope
Ensure the Azure AD app has the Dynamics CRM / Dataverse API permission granted with admin consent.
401 - token expired
QuantaSeal refreshes tokens automatically when using oauth2_client. If using bearer_token (static), rotate it in QuantaVault and update the vault entry.
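The field sizes, algorithm labels and duplicated tenant_id in the HybridCryptoEnvelope response listing allow a cheap structural check before an envelope is handed to signature verification and decryption. This is an added example, not QuantaSeal SDK code: the function names, the constructed sample envelope and the exact 3309-byte ML-DSA-65 size (the page says ~3309) are assumptions.

```python
import base64
import binascii

# Decoded sizes from the response listing: 1088 = ML-KEM-768 ciphertext,
# 12 = AES-GCM nonce, 64 = HMAC-SHA-512 tag. The page gives ML-DSA-65 as
# "~3309"; exactly 3309 bytes (the FIPS 204 size) is an assumption here.
# None means any non-empty length.
FIELDS = {
    "encrypted": {"ciphertext_kem": 1088, "ciphertext_data": None, "nonce": 12},
    "signature": {"pqc_signature": 3309, "hmac_signature": 64},
}
ALGORITHMS = {"encrypted": "ML-KEM-768", "signature": "ML-DSA-65+HMAC-SHA-512"}


def envelope_problems(env, expected_tenant):
    """List structural problems; an empty list means the envelope is well-formed."""
    problems = []
    if env.get("success") is not True:
        problems.append("success is not true")
    for part, alg in ALGORITHMS.items():
        section = env.get(part) if isinstance(env.get(part), dict) else {}
        if section.get("algorithm") != alg:
            problems.append(f"{part}.algorithm is not {alg}")
        if section.get("tenant_id") != expected_tenant:
            problems.append(f"{part}.tenant_id is not {expected_tenant}")
        for field, size in FIELDS[part].items():
            try:
                raw = base64.b64decode(section.get(field), validate=True)
            except (binascii.Error, TypeError, ValueError):
                problems.append(f"{part}.{field} is not valid base64")
                continue
            if not raw or (size is not None and len(raw) != size):
                problems.append(f"{part}.{field} has {len(raw)} bytes")
    return problems


def sample_envelope(tenant="ten_EXAMPLE"):
    """Constructed envelope: zero bytes of the right sizes, not real output."""
    def b64(n):
        return base64.b64encode(bytes(n)).decode()
    return {
        "success": True,
        "encrypted": {"ciphertext_kem": b64(1088), "ciphertext_data": b64(48),
                      "nonce": b64(12), "tenant_id": tenant,
                      "algorithm": "ML-KEM-768"},
        "signature": {"pqc_signature": b64(3309), "hmac_signature": b64(64),
                      "tenant_id": tenant, "algorithm": "ML-DSA-65+HMAC-SHA-512"},
    }
```

An empty result only means the envelope is well-formed; both signatures still have to verify before the decrypted payload is trusted.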