Configure a Connection Profile

From the CData ribbon, click Get Data and select From Microsoft Dataverse connection/s to launch the CData Query window. To setup a new connection, you will have to click the New Microsoft Dataverse Connection button. Here you can set the connection settings, test the connection, and save the connection profile.

Schema

Microsoft Dataverse supports two values for the Schema property, System and Entities.

• System: uses the Web API to query entities and tables directly.
• Entities: uses the EntityDefinitions entity set path to retrieve metadata about EntityMetadata entities and tables. This typically provides more user-friendly names, but requires additional metadata requests.

Connecting to Microsoft Dataverse

To authenticate to the Microsoft Dataverse source, begin by setting the OrganizationURL property to the URL of the organization you are connecting to.

For example: https://[organization].crm.dynamics.com.

Entra ID (Azure AD)

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

The add-in supports authentication to Microsoft Dataverse through OAuth 2.0, using Entra ID. The specific OAuth behavior depends on the value of the AuthScheme connection property, which determines the authentication flow used.

The following table outlines the relationship between AuthScheme, OAuth grant types, and typical use cases:

AuthScheme	OAuth Grant Type	Use Case
AzureAD	Authorization Code	User login with browser interaction (desktop/web), or on a separate device in headless environments
AzureServicePrincipal	Client Credentials	Application-only access using client secret
AzureServicePrincipalCert	Client Credentials	Application-only access using certificate-based authentication
AzureMSI	Managed Identity	Azure-hosted apps/services using Azure's Managed Identity

Authorization Code Flow for Desktop Applications

This flow is designed for scenarios that require user login through a browser.

CData provides an embedded OAuth application that simplifies OAuth desktop authentication using the Authorization Code grant type. Alternatively, you can create a custom OAuth application. See Creating an Entra ID (Azure AD) Application for information about creating custom applications. The only difference between these two approaches is that custom applications require you to set two additional connection properties during configuration.

After setting the following connection properties, you are ready to connect:

• OAuthClientId: (custom applications only) Set this to the client Id in your application settings.
• OAuthClientSecret: (custom applications only) Set this to the client secret in your application settings.
• CallbackURL: Set this to the Redirect URL in your application settings.

When you connect, the add-in opens the OAuth authorization endpoint in your default browser. Log in and grant permissions to the application.

Client Credentials

Client credentials refers to a flow in OAuth where there is no direct user authentication taking place. Instead, credentials are created for just the app itself. All tasks taken by the application are done without a default user context. This makes the authentication flow a bit different from standard.

Client OAuth Flow

All permissions related to the client oauth flow require admin consent. This means the app embedded with the CData Excel Add-In for Microsoft Dataverse cannot be used in the client oauth flow. You must create your own OAuth app in order to use client credentials. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions - Delegated and Application permissions. The permissions used during client credential authentication are under Application Permissions. Select the applicable permissions you require for your integration.

You are ready to connect after setting one of the below connection properties groups depending on the authentication type.

1. Client Secret
   • AuthScheme Set this to AzureServicePrincipal.
   • InitiateOAuth: Set this to GETANDREFRESH. You can cuse InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
   • AzureTenant: Set this to the tenant you wish to connet to.
   • OAuthClientId: Set this to the Client Id in your app settings.
   • OAuthClientSecret: Set this to the Client Secret in your app settings.
2. Certificate
   • AuthScheme Set this to AzureServicePrincipalCert.
   • InitiateOAuth: Set this to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
   • AzureTenant: Set this to the tenant you wish to connect to.
   • OAuthClientId: Set this to the Client Id in your app settings.
   • OAuthJWTCert: Set this to the JWT Certificate store.
   • OAuthJWTCertType: Set this to the type of the certificate store specified by OAuthJWTCert.

Authentication with client credentials will take place automatically like any other connection, except there will be no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections will take place and be handled internally.

Azure Service Principal

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

Azure Service Principal is role-based application-based authentication. This means that authentication is done per application, rather than per user. All tasks taken on by the application are executed without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

For information about how to set up Azure Service Principal authentication, see Creating a Service Principal App in Entra ID (AzureAD).

Managed Service Identity (MSI)

If you are running Microsoft Dataverse on an Azure VM and want to automatically obtain Managed Service Identity (MSI) credentials to connect, set AuthScheme to AzureMSI.

User-Managed Identities

To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's client_id.

If your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.

Connection Properties

The Connection properties describe the various options that can be used to establish a connection.

Managing Connections

After successfully authenticating to Microsoft Dataverse you will be able to customize the data you are importing. To learn more about this, see Managing Connections.

See Also

• Querying Data: Use the data selection wizard to pull data into a spreadsheet. You can also configure scheduled data refresh here.
• Using the Excel Add-In: Find other ways to interact with Microsoft Dataverse data, such as using the available CData Excel Functions.