Dataverse-Python-Authentication-Security

# Dataverse SDK for Python — Authentication & Security Patterns

Based on official Microsoft Azure SDK authentication documentation and Dataverse SDK best practices.

1. Authentication Overview

The Dataverse SDK for Python uses Azure Identity credentials for token-based authentication. This approach follows the principle of least privilege and works across local development, cloud deployment, and on-premises environments.

Why Token-Based Authentication?

**Advantages over connection strings**:

- Establishes specific permissions needed by your app (principle of least privilege)

- Credentials are scoped only to intended apps

- With managed identity, no secrets to store or compromise

- Works seamlessly across environments without code changes

---

2. Credential Types & Selection

Interactive Browser Credential (Local Development)

**Use for**: Developer workstations during local development.

from azure.identity import InteractiveBrowserCredential
from PowerPlatform.Dataverse.client import DataverseClient

# Opens browser for authentication
credential = InteractiveBrowserCredential()
client = DataverseClient(
    base_url="https://myorg.crm.dynamics.com",
    credential=credential
)

# First use prompts for sign-in; subsequent calls use cached token
records = client.get("account")

**When to use**:

- ✅ Interactive development and testing

- ✅ Desktop applications with UI

- ❌ Background services or scheduled jobs

---

Default Azure Credential (Recommended for All Environments)

**Use for**: Apps that run in multiple environments (dev → test → production).

from azure.identity import DefaultAzureCredential
from PowerPlatform.Dataverse.client import DataverseClient

# Attempts credentials in this order:
# 1. Environment variables (app service principal)
# 2. Azure CLI credentials (local development)
# 3. Azure PowerShell credentials (local development)
# 4. Managed identity (when running in Azure)
credential = DefaultAzureCredential()

client = DataverseClient(
    base_url="https://myorg.crm.dynamics.com",
    credential=credential
)

records = client.get("account")

**Advantages**:

- Single code path works everywhere

- No environment-specific logic needed

- Automatically detects available credentials

- Preferred for production apps

**Credential chain**:

1. Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`)

2. Visual Studio Code login

3. Azure CLI (`az login`)

4. Azure PowerShell (`Connect-AzAccount`)

5. Managed identity (on Azure VMs, App Service, AKS, etc.)

---

Client Secret Credential (Service Principal)

**Use for**: Unattended authentication (scheduled jobs, scripts, on-premises services).

from azure.identity import ClientSecretCredential
from PowerPlatform.Dataverse.client import DataverseClient
import os

credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)

client = DataverseClient(
    base_url="https://myorg.crm.dynamics.com",
    credential=credential
)

records = client.get("account")

**Setup steps**:

1. Create app registration in Azure AD

2. Create client secret (keep secure!)

3. Grant Dataverse permissions to the app

4. Store credentials in environment variables or secure vault

**Security concerns**:

- ⚠️ Never hardcode credentials in source code

- ⚠️ Store secrets in Azure Key Vault or environment variables

- ⚠️ Rotate credentials regularly

- ⚠️ Use minimal required permissions

---

Managed Identity Credential (Azure Resources)

**Use for**: Apps hosted in Azure (App Service, Azure Functions, AKS, VMs).

from azure.identity import ManagedIdentityCredential
from PowerPlatform.Dataverse.client import DataverseClient

# No secrets needed - Azure manages identity
credential = ManagedIdentityCredential()

client = DataverseClient(
    base_url="https://myorg.crm.dynamics.com",