JDBC Driver for Microsoft Dataverse

Build 25.0.9434

Establishing a Connection

Creating a JDBC Data Source

You can create a JDBC data source to connect from your Java application. Creating a JDBC data source based on the CData JDBC Driver for Microsoft Dataverse consists of three basic steps:

  1. Add the driver JAR file to the classpath. The JAR file is located in the lib subfolder of the installation directory. Note that the .lic file must be located in the same folder as the JAR file.
  2. Provide the driver class. For example: 
    cdata.jdbc.cds.CDSDriver
  3. Provide the JDBC URL. For example: 
    jdbc:cds:InitiateOAuth=GETANDREFRESH;OrganizationUrl=https://myaccount.crm.dynamics.com/;

or

jdbc:cdata:cds:InitiateOAuth=GETANDREFRESH;OrganizationUrl=https://myaccount.crm.dynamics.com/;

    You can use the second format above whenever there is a conflict in your application between drivers using the same URL format to ensure you are using the CData driver. The URL must start with either "jdbc:cds:" or "jdbc:cdata:cds:" and can include any of the connection properties in name-value pairs separated with semicolons.

Schema

Microsoft Dataverse supports two values for the Schema property, System and Entities.

  • System: uses the Web API to query entities and tables directly.
  • Entities: uses the EntityDefinitions entity set path to retrieve metadata about EntityMetadata entities and tables. This typically provides more user-friendly names, but requires additional metadata requests.

Connecting to Microsoft Dataverse

To authenticate to the Microsoft Dataverse source, begin by setting the OrganizationURL property to the URL of the organization you are connecting to.

For example: https://[organization].crm.dynamics.com.

Entra ID (Azure AD)

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

The driver supports authentication to Microsoft Dataverse through OAuth 2.0, using Entra ID. The specific OAuth behavior depends on the value of the AuthScheme connection property, which determines the authentication flow used.

The following table outlines the relationship between AuthScheme, OAuth grant types, and typical use cases:

AuthScheme OAuth Grant Type Use Case
AzureAD Authorization Code User login with browser interaction (desktop/web), or on a separate device in headless environments
AzureServicePrincipal Client Credentials Application-only access using client secret
AzureServicePrincipalCert Client Credentials Application-only access using certificate-based authentication
AzureMSI Managed Identity Azure-hosted apps/services using Azure's Managed Identity

Authorization Code Flow for Desktop Applications

This flow is designed for scenarios that require user login through a browser.

CData provides an embedded OAuth application that simplifies OAuth desktop authentication using the Authorization Code grant type. Alternatively, you can create a custom OAuth application. See Creating an Entra ID (Azure AD) Application for information about creating custom applications. The only difference between these two approaches is that custom applications require you to set two additional connection properties during configuration.

After setting the following connection properties, you are ready to connect:

  • InitiateOAuth: Set this to GETANDREFRESH. You can use this property to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
  • OAuthClientId: (custom applications only) Set this to the client Id in your application settings.
  • OAuthClientSecret: (custom applications only) Set this to the client secret in your application settings.
  • CallbackURL: Set this to the Redirect URL in your application settings.

When you connect, the driver opens the OAuth authorization endpoint in your default browser. Log in and grant permissions to the application. The driver then completes the OAuth exchange:

  1. Extracts the access token from the callback URL and uses it to authenticate requests.
  2. Obtains a new access token automatically when the existing one expires.
  3. Saves the token and related OAuth values in OAuthSettingsLocation, so they persist across sessions.

Authorization Code Flow for Web Applications

This flow is designed for scenarios where users authenticate through a browser within a hosted web application.

You need to register a custom OAuth app with Microsoft Dataverse. See Creating an Entra ID (Azure AD) Application. You can then use the driver to get and manage the OAuth token values.

Get an OAuth Access Token

Set one of the following connection property groups, depending on your authentication method:

  1. Client Secret
  2. Certificate

You can then call the following stored procedures to complete the OAuth exchange:

  1. Call the GetOAuthAuthorizationUrl stored procedure. Set the CallbackURL input to the redirect URI you specified in your app settings.
  2. Open the returned URL in a browser. Log in and authorize the application. After authorization, the browser redirects to the callback URL.
  3. Call the GetOAuthAccessToken stored procedure. Set the AuthMode input to WEB, and set the Verifier input to the value of the code parameter in the query string of the callback URL.

To connect to Microsoft Dataverse, set the OAuthAccessToken connection property to the value returned by the stored procedure. When the access token expires, call GetOAuthAccessToken again to obtain a new one.

Authorization Code Flow for Headless Machines

A headless machine is one that does not have a browser interface. Because OAuth requires user interaction in a browser, you must perform the authentication on another machine that has one. After completing the authentication, transfer the credentials to the headless machine.

There are two supported options:

  1. Authenticate on another device and manually copy the verifier code.
  2. Complete authentication on another machine and transfer the saved OAuth settings file.

After completing either option, configure the driver to automatically refresh the access token on the headless machine.

Option 1: Obtain and Exchange a Verifier Code

Use another machine with a browser to generate the OAuth verifier code.

On a device with a browser, choose one of the following methods:

  • Embedded OAuth Application:

    The driver automatically generates and opens the OAuth authorization URL in your default browser. When the browser window appears, sign in with your Microsoft account and grant any requested permissions. After authentication, you are redirected to the callback URL, which includes a verifier code in the query string. Copy the value of the code parameter as this is your verifier code for the OAuthVerifier connection property.

  • Custom OAuth Application: Manually configure the following connection properties:

    Then call the GetOAuthAuthorizationUrl stored procedure with the appropriate CallbackURL. Open the URL returned by the procedure in your browser, log in, and grant permissions to the application. You are redirected to the callback URL, which includes the verifier code in the query string. Copy the value of the code parameter as this is your verifier code.

Next: Exchange the Verifier Code for tokens

On the headless machine, set the following connection properties to exchange the verifier code for access and refresh tokens:

After this exchange completes and the settings file is generated, reconfigure your connection as follows:

  • InitiateOAuth: Set to REFRESH.
  • OAuthClientId: (custom applications only) Set to your registered client ID.
  • OAuthClientSecret: (custom applications only) Set to your registered client secret.
  • OAuthSettingsLocation: Set to the location of the saved settings file. Ensure it is readable and writable by the driver so that tokens can be refreshed automatically.
Option 2: Transfer OAuth Settings

In this method, you complete the full OAuth flow on a browser-enabled machine, then transfer the resulting settings file to the headless machine.

  1. On the browser-enabled machine, set up the connection as described under Desktop Applications.
  2. After authentication, the driver saves the encrypted token values to the file specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.
  3. Test the connection to confirm the file works as expected, then copy the file to the headless machine.

On the headless machine, configure the connection as follows:

  • InitiateOAuth: Set to REFRESH.
  • OAuthClientId: (custom applications only) Set to your registered client ID.
  • OAuthClientSecret: (custom applications only) Set to your registered client secret.
  • OAuthSettingsLocation: Set to the path of the copied OAuth settings file. Ensure the file grants read/write permissions to the driver.

Client Credentials

Client credentials refers to a flow in OAuth where there is no direct user authentication taking place. Instead, credentials are created for just the app itself. All tasks taken by the application are done without a default user context. This makes the authentication flow a bit different from standard.

Client OAuth Flow

All permissions related to the client oauth flow require admin consent. This means the app embedded with the CData JDBC Driver for Microsoft Dataverse cannot be used in the client oauth flow. You must create your own OAuth app in order to use client credentials. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions - Delegated and Application permissions. The permissions used during client credential authentication are under Application Permissions. Select the applicable permissions you require for your integration.

You are ready to connect after setting one of the below connection properties groups depending on the authentication type.

  1. Client Secret
  2. Certificate

Authentication with client credentials will take place automatically like any other connection, except there will be no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections will take place and be handled internally.

Azure Service Principal

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

Azure Service Principal is role-based application-based authentication. This means that authentication is done per application, rather than per user. All tasks taken on by the application are executed without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

For information about how to set up Azure Service Principal authentication, see Creating a Service Principal App in Entra ID (AzureAD).

Managed Service Identity (MSI)

If you are running Microsoft Dataverse on an Azure VM and want to automatically obtain Managed Service Identity (MSI) credentials to connect, set AuthScheme to AzureMSI.

User-Managed Identities

To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's client_id.

If your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.

Copyright (c) 2025 CData Software, Inc. - All rights reserved.
Build 25.0.9434