microsoft / PowerPlatform-DataverseServiceClient

Code Replica for Microsoft.PowerPlatform.Dataverse.Client and supporting nuget packages.
MIT License
284 stars 52 forks

Unable to cache Entra access token in Azure App Service #471

Closed s-ryan closed 1 month ago

s-ryan commented 1 month ago

Hi,

I'm a senior developer with Wakefield Council in the north of England.

We have implemented a self-service web application portal for Wakefield residents that enables them to raise service requests in our Dynamics 365 CRM. The portal application is hosted in an Azure app service and is registered with our Entra ID instance.

We have been intermittently seeing an issue where the following Exception is raised at the point the portal attempts to connect to CRM:

'Your app has been throttled by AAD due to too many requests. To avoid this, cache your tokens see https://aka.ms/msal-net-throttling'

We are using the Microsoft.PowerPlatform.Dataverse.Client.ServiceClient to connect.

This is our connection string:

"AuthType=OAuth;Url=[our dynamics instance];Username=[xxxx];Password=[xxxxx];AppId=[xxxx];LoginPrompt=Never;useUniqueInstance=false;TokenCacheStorePath=C:\home\data\jobs\continuous\MyAccountTokenCache\token.dat"

Caching of access tokens is working fine on our development machines and we cannot replicate the throttling issue. The file path and token.dat file are being created automatically at the point we first connect to CRM.

However, in our Azure environments the file path isn't being created and the token.dat file isn't being written to. We have manually created the necessary file structure using Kudu but the token.dat file still doesn't get written to. Therefore we are encountering the throttling issue.

Any help that you can give would be greatly appreciated.

Regards

Shaun

MattB-msft commented 1 month ago

@s-ryan In this scenario, you should consider using Application Users (client id/secret/cert/managed identity) vs a Named User; the auth flow is cleaner and it uses a memory cache system on the host vs file system cache.

Depending on your volume, you may want to use ASP.NET's built-in MSAL integration. In that case you would use a custom token provider for Dataverse ServiceClient.

If you want to use managed identity, you can either use the extension we provide for AzAuth, or you can build one up on your own based on MSAL.
You can find a code example of a custom auth provider here: https://github.com/microsoft/PowerPlatform-DataverseServiceClient/blob/master/src/GeneralTools/DataverseClient/Extensions/Microsoft.PowerPlatform.Dataverse.Client.AzAuth/AzAuth.cs
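
The application-identity approach suggested in the reply above, as an added example that is not part of the original thread or the project's code: a custom token provider for ServiceClient that holds the token in memory and only requests a new one shortly before expiry, so no token file or stored password is needed. It assumes the Azure.Identity package, an application user in Dataverse mapped to the app's identity, and a placeholder org URL; CachedDataverseTokenProvider is a hypothetical name.

```csharp
// Added example (not from the thread or the project); needs the Azure.Identity package.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.PowerPlatform.Dataverse.Client;

// Hypothetical helper: caches one access token in memory per process.
public sealed class CachedDataverseTokenProvider
{
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromMinutes(5);
    private readonly TokenCredential _credential;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private AccessToken _cached; // default value is already "expired"

    public CachedDataverseTokenProvider(TokenCredential credential) => _credential = credential;

    // Matches the Func<string, Task<string>> token provider ServiceClient accepts;
    // instanceUri is the Dataverse URL being called.
    public async Task<string> GetTokenAsync(string instanceUri)
    {
        await _gate.WaitAsync().ConfigureAwait(false); // one refresh at a time
        try
        {
            if (DateTimeOffset.UtcNow + RefreshMargin >= _cached.ExpiresOn)
            {
                // Resource scope for the org, e.g. https://yourorg.crm.dynamics.com/.default
                var scope = new Uri(instanceUri).GetLeftPart(UriPartial.Authority) + "/.default";
                _cached = await _credential.GetTokenAsync(
                    new TokenRequestContext(new[] { scope }), CancellationToken.None).ConfigureAwait(false);
            }
            return _cached.Token;
        }
        finally { _gate.Release(); }
    }
}

public static class Program
{
    public static void Main()
    {
        // DefaultAzureCredential uses the managed identity in App Service and
        // developer credentials locally; no username or password in config.
        var provider = new CachedDataverseTokenProvider(new DefaultAzureCredential());
        var url = new Uri("https://yourorg.crm.dynamics.com"); // placeholder URL
        using var client = new ServiceClient(url, provider.GetTokenAsync, false);
        Console.WriteLine(client.IsReady ? "Connected" : client.LastError);
    }
}
```

Register the provider as a singleton so every request in the app shares the same cached token.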

MattB-msft commented 1 month ago

Going to close this issue at this time.

s-ryan commented 1 month ago

Hi Matt,

Thank you for your help with this issue. Please accept my apologies for not giving you any kind of feedback - I wasn't quite sure how to respond on GitHub and didn't know if an email would reach you personally (though I'm hoping this does).

Anyway, you were a massive help and we appreciate the time you spent giving us a reply.

Regards

Shaun

Shaun Ryan, Technology and Digital Transformation - Senior Developer, Wakefield Council


From: MattB Sent: 24 October 2024 17:37 To: microsoft/PowerPlatform-DataverseServiceClient Cc: Shaun Ryan; Mention Subject: Re: [microsoft/PowerPlatform-DataverseServiceClient] Unable to cache Entra access token in Azure App Service (Issue #471)


Closed #471 (https://github.com/microsoft/PowerPlatform-DataverseServiceClient/issues/471) as completed.
