What you can do
- Describe entities: agents can inspect entity metadata when they need to understand your environment’s customizations.
- Query records: agents can run OData queries with
$filter,$select,$orderby,$expand, and$topagainst any entity your security role can read. - Get a single record: agents can fetch one record by GUID.
- Create records: agents can create new records, including lookups bound with
@odata.bind. - Update records: agents can update existing records by GUID.
Before you start
- A Microsoft Entra ID work or school account that has a Dynamics 365 user record in the environment you want to connect, with a security role that grants the entities and operations you intend to use.
- Your Dynamics environment URL. This is the part of your environment’s URL before
.crm.dynamics.com,.crm4.dynamics.com, or your region’s equivalent. For example, if you sign in athttps://contoso.crm.dynamics.com, your environment URL prefix iscontoso. You will enter this when connecting. - For tenants that restrict third-party apps in Microsoft Entra ID, your Entra administrator may need to grant tenant-wide admin consent for Circuit before you can connect. See For IT and security teams below.
Dynamics URLs include a regional location code:
crm (North America), crm2 (South America), crm3 (Canada), crm4 (EMEA), crm5 (APAC), crm6 (Oceania), crm7 (Japan), crm8 (India), crm9 (US Government), and so on. Use the region your environment lives in. Selecting the wrong region is the most common cause of failed connections.Connect Dynamics 365
Open the Dynamics integration in Circuit
In Circuit, open Settings > Integrations and choose Microsoft Dynamics 365.
Enter your environment URL
Enter the prefix of your Dynamics environment URL (for example,
contoso for contoso.crm.dynamics.com). Pick the matching region. To find it, sign in to Dynamics, open Settings > Advanced Settings > Customizations > Developer Resources, and copy the Organization Service URL.Sign in with Microsoft
Click Connect Dynamics. Microsoft opens its sign-in page in a new window. Sign in with the Entra account that has a Dynamics user record in the target environment.
Review and consent to the requested permissions
Microsoft shows a consent screen listing the permissions Circuit requests. Review them (see What Circuit accesses below) and click Accept.If you see a “Need admin approval” message, your tenant requires admin consent. Forward the page to your Entra administrator.
What Circuit accesses
Circuit requests the following delegated scopes, where{org} is your environment URL prefix:
| Scope | Why Circuit needs it |
|---|---|
offline_access | Issue a refresh token so Circuit can keep the connection alive in the background. Without this scope, your session would expire and you would need to reconnect every hour. |
openid, email, profile | Standard OpenID Connect scopes that identify the signed-in user and return their email address and basic profile. Circuit uses these to label your connected account. |
https://{org}.crm.dynamics.com/user_impersonation | The Access Dynamics 365 as organization users delegated permission. It lets Circuit call the Dataverse Web API on your behalf. The permissions you actually have are determined by your Dynamics security role, not by the scope itself. |
The
user_impersonation scope is environment-scoped. A token issued for contoso.crm.dynamics.com cannot read data in fabrikam.crm.dynamics.com. To connect a second Dynamics environment, disconnect first and reconnect against the new environment URL.For IT and security teams
The Dynamics 365 integration authenticates through the same Circuit-published enterprise application in your Microsoft Entra ID tenant as Circuit’s other Microsoft integrations: Microsoft Outlook, OneDrive, and SharePoint. Granting tenant-wide admin consent once covers all of them, but each user still authorizes the specific Dataverse environment they connect. In tenants that require admin approval for third-party applications, the first user to connect will see the consent screen blocked. A Cloud Application Administrator (or higher) must grant tenant-wide consent. The full Entra walkthrough, role requirements, direct admin-consent URL, and how to restrict the app to specific users or groups live in Integration security and admin consent. Beyond Entra consent, what each user can do in Dynamics is governed entirely by their Dynamics security role. Restricting Circuit’s reach is best done at that layer.Disconnect or rotate access
- From Circuit: open Settings > Integrations > Microsoft Dynamics 365 and click Disconnect. Circuit deletes the stored refresh token immediately.
- From Microsoft: at myapps.microsoft.com > Manage your applications, find Circuit and remove its permissions.
- In Dynamics: a Dynamics administrator can disable or remove your Dynamics user record, which immediately blocks API calls regardless of token state.
- Tenant-wide: an Entra administrator can revoke consent for the Circuit enterprise application, invalidating all users’ tokens immediately.
Troubleshooting
"Need admin approval" or "Approval required" on the consent screen
"Need admin approval" or "Approval required" on the consent screen
Your Entra tenant requires tenant-wide admin consent for third-party apps. Ask your Entra administrator to grant consent for Circuit. See Integration security and admin consent.
"AADSTS500011: The resource principal named https://{org}.crm.dynamics.com was not found in the tenant"
"AADSTS500011: The resource principal named https://{org}.crm.dynamics.com was not found in the tenant"
The environment URL you entered does not exist in this tenant, or the signed-in user does not have access to it. Confirm the prefix and the region code (
crm, crm4, and so on), then reconnect.API calls fail with 403 PrivilegeDenied or similar
API calls fail with 403 PrivilegeDenied or similar
Your Dynamics user record exists but its security role does not grant the operation the agent attempted. Ask a Dynamics administrator to adjust the role, or restrict the agent’s instructions to entities your role can access.
Create or update fails with "Lookup property must contain a value"
Create or update fails with "Lookup property must contain a value"
Dynamics requires lookups to be set with
@odata.bind, not as plain GUIDs. The agent’s body should look like {"customerid_account@odata.bind": "/accounts(GUID)"}. Re-run with a correctly bound payload.The integration shows 'Disconnected' after working previously
The integration shows 'Disconnected' after working previously
A refresh token can be invalidated by a password change, an MFA reset, an admin revocation, or a long period of inactivity. Disconnect and reconnect to issue a new token.
Reference
- OAuth flow: Microsoft identity platform, authorization code (v2.0 endpoints)
- Authorize endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize - Scopes requested:
offline_access,openid,email,profile,https://{org}.crm.dynamics.com/user_impersonation - Redirect URI:
https://app.circuit.ai/api/dynamics-oauth - Application name shown on consent screen: Circuit
- Microsoft’s own docs: Use OAuth authentication with Microsoft Dataverse, Scopes and permissions in the Microsoft identity platform, Find your environment URL