Dynamics 365 Impersonate user using browser
In Dynamics 365 online, when we need to peform the tests for the security model, It could be a nightmare since we need to login and logout many times and use many browser with private mode and normal mode. Then I found to ease a lot these test sessions thanks to a chrome Extension named "ModHeader". This article will share how to deal with impersonation using webapi and using Chrome extension.
1/ Impersonate using Web API
First of all, I started to figure out how to impersonate another person, I found a document from Microsoft with impersonate detail for WebAPI. You can find it here.
The main point of above documentation is that your running account must have "
prvActOnBehalfOfAnotherUser" privilege. And in the header of request need to impersonate must have one of these two params:
- CallerObjectId: Azure Active Directory (AAD) object id
- MSCRMCallerID: system user id
However, Microsoft prefers to use CallerObjectId instead of MSCRMCallerID. Therefore, in this article, I will show you only the method for CallerObjectId (Actually, you can do the same for MSCRMCallerID. You can try it by yourself! ;))
2/ Add the security privilege to enable Impersonate
As I mention in the previous section, you need to ensure that your account has "
To enable this privilege, you can open your security role and navigate to tab "Business Management", find "Act on Behalf of Another User" in the last section check enable it
3/ Get Azure AD Object ID of the user:
In Dynamics 365 online, each system user has an "Azure AD Object ID" (azureactivedirectoryobjectid). We need to get user's "Azure AD Object ID" and add it to the header of the request to act on behalf of that user.
The simplest way to get "Azure AD Object ID" is used advanced find and add "Azure AD Object ID" column to the result grid.
You can copy ID and use it in some step behind.
4/ Install ModHeader:
You can find ModHeader extension here or you can open Chrome/Firefox web store and search for ModHeader.
The purpose of this extension is to add some custom params to the header for each request to impersonate.
5/ Use ModHeader:
- You can change the name of profile. I usually use email of the account to identify which user I'm using.
- Name of header param: CallerObjectId
- Value of header param: Azure AD Object ID value
After you finish the setting, you need to refresh the page to see Dynamics 365 in the context of the user you are impersonating.
6/ Stop impersonating:
When you finish troubleshooting the security model, you need to stop impersonating. You have many ways to do it:
- Disable ModHeader extension
- Remove CallerObjectId
- Pause ModHeader extension:
Hope this article will help you save your time when you need to troubleshoot or test security model on Dynamics 365 online!