This guide is for IT and security teams evaluating Bliro's integration with Microsoft Dynamics 365 (CRM). It covers the authentication model, the permissions Bliro requests during consent, how Dynamics environments are selected, and how Bliro enforces tool-level permissions through its AI agents.
Overview
Bliro connects to Microsoft Dynamics 365 using user-delegated OAuth 2.0. Bliro acts on behalf of the signed-in user and cannot perform any action in Dynamics that the user themselves is not permitted to perform. The integration is delivered through Bliro's registered Microsoft Enterprise Application.
Application name: Bliro
Application (client) ID: f752681c-0e51-4cab-a13b-1134a8477b88
Publisher: bliro GmbH (Microsoft verified publisher)
How the Integration Works
When a user connects Microsoft Dynamics in Bliro, the following happens:
Bliro initiates an OAuth 2.0 authorization request against login.microsoftonline.com.
The user signs in with their Microsoft work account and consents to the requested scopes.
Microsoft Entra ID issues an access token and a refresh token bound to the signed-in user.
Bliro uses the access token to call the Dynamics 365 Web API (Dataverse) on behalf of that user.
When the access token expires, Bliro silently refreshes it using the refresh token until the user disconnects or an administrator revokes consent.
All Dynamics requests are scoped to the user's own identity and Dynamics security roles. Bliro never holds an application-level (daemon) credential against your Dynamics environment.
Prerequisites
The user has a valid Microsoft Dynamics 365 license and access to at least one Dynamics environment.
Your Microsoft Entra ID tenant permits users to grant the Bliro Enterprise Application user-delegated permissions. If user consent is restricted in your tenant, a Microsoft Entra administrator must either pre-consent on behalf of the organization or grant the affected user the ability to consent.
The user is signed in to Bliro.
Setup: Connecting Bliro to Microsoft Dynamics
In Bliro, open Integrations and select Microsoft Dynamics.
Click Connect. Bliro redirects you to the Microsoft sign-in page (login.microsoftonline.com).
Pick the Microsoft work account that has access to your Dynamics environment.
Review the Permissions requested screen and click Accept. The requested permissions are listed in detail in the next section.
Bliro redirects you back to the integration page. Select the Dynamics instance Bliro should use (see "Selecting the Dynamics Instance" below).
Configure the Tools & Permissions that Bliro is allowed to use on your behalf.
Requested Permissions (OAuth Scopes)
During consent, Bliro requests exactly the following three scopes for the Dynamics integration. Each is listed below with its purpose and justification.
Scope | Justification |
Microsoft Entra: openid | Standard OpenID Connect scope. Required to identify the user and link the Dynamics connection to the correct Bliro account. |
Microsoft Entra: offline_access | Allows Bliro to obtain a refresh token so it can renew the short-lived Dataverse access token automatically. Without offline_access, the user would need to re-authenticate every time the access token expires (typically every hour), including for post-meeting actions that run after the user has closed the app. This scope does not grant any additional data access on its own. |
Dataverse: user_impersonation | Required to call the Dynamics 365 Web API (Dataverse) on behalf of the signed-in user. This is the scope that lets Bliro read or write CRM records, but always strictly within the user's existing Dynamics security roles, business unit scope, and field-level security. Bliro cannot read or change records the user themselves cannot. |
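One way to check this scope list against what your tenant has actually granted, as an added example that is not Bliro's own code: it audits an exported Microsoft Graph oauth2PermissionGrants listing for the Bliro service principal. The grant records and every object ID below are constructed placeholders, and the function names are illustrative.

```python
import json

# Scopes this page documents for the Dynamics integration.
DOCUMENTED_SCOPES = {"openid", "offline_access", "user_impersonation"}

# Constructed sample: the "value" array of a Microsoft Graph
# oauth2PermissionGrants listing. All object IDs are placeholders.
# A grant's clientId is the service principal's object ID in your tenant,
# not the application (client) ID shown on this page.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "grant-1", "clientId": "BLIRO-SP-OBJECT-ID", "consentType": "Principal",
   "principalId": "USER-A", "resourceId": "RESOURCE-SP-1", "scope": "openid offline_access"},
  {"id": "grant-2", "clientId": "BLIRO-SP-OBJECT-ID", "consentType": "Principal",
   "principalId": "USER-A", "resourceId": "RESOURCE-SP-2", "scope": "user_impersonation"},
  {"id": "grant-3", "clientId": "BLIRO-SP-OBJECT-ID", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "RESOURCE-SP-1", "scope": " openid Mail.Read "},
  {"id": "grant-4", "clientId": "OTHER-APP-SP", "consentType": "Principal",
   "principalId": "USER-B", "resourceId": "RESOURCE-SP-1", "scope": "Files.Read.All"}
]
""")


def audit_grants(grants, sp_object_id, allowed=DOCUMENTED_SCOPES):
    """Return one finding per delegated grant held by the given service principal."""
    findings = []
    for g in grants:
        if g.get("clientId") != sp_object_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())  # scope is space-separated
        findings.append({
            "grant": g["id"],
            # AllPrincipals means admin consent covering the whole tenant
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal": g.get("principalId"),
            "unexpected": sorted(scopes - allowed),
        })
    return findings


def needs_review(findings):
    """Grant IDs carrying any scope beyond the three documented here."""
    return [f["grant"] for f in findings if f["unexpected"]]


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "BLIRO-SP-OBJECT-ID"):
        print(finding)
```

A flagged scope only means it is not one of the three this page lists for Dynamics; it may originate from a different integration of the same Enterprise Application and should be traced to its own consent.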
Selecting the Dynamics Instance
A single Microsoft account can have access to multiple Dynamics environments (for example, a production and a sandbox instance). After connecting, the user is asked which Dynamics instance Bliro should use.
Organizations can pin this choice centrally so that all users in the workspace are routed to the same Dynamics environment, eliminating the risk of a user accidentally pointing Bliro at the wrong instance. Contact your Bliro administrator or [email protected] to configure a centrally-managed default.
Tools and Permissions
Even with the Dataverse scope granted, Bliro does not perform any Dynamics operation by default. Each individual action Bliro can take, for example Read Account, Create Contact, or Update Lead, is modeled as a tool with its own permission level, configured by an organization administrator.
For Microsoft Dynamics, administrators can also create custom tools by selecting any Dynamics object; Bliro then automatically generates the corresponding Read, Create, and Update tools for it.
For a full explanation of the tool model, permission levels, the Ask for Permission flow, and how Bliro enforces denied tools, see AI Tools and Permissions.
Security Considerations
User-delegated only. Bliro never holds an application credential against your Dynamics environment. Every API call is authenticated as the user, and Dynamics applies that user's security roles, business unit scope, and field-level security on each request.
Token storage. Refresh tokens are stored encrypted at rest. Access tokens are short-lived and held only for the duration of an operation.
Auditability in Dynamics. Because Bliro acts as the user, every read and write is attributed to that user in Dynamics audit logs, making activity reviewable through native Dynamics tooling.
Conditional Access. Any Conditional Access policy your tenant applies to Dataverse (MFA, compliant device, named locations, etc.) applies equally to Bliro's calls.
Disconnecting and Revoking Access
Users can disconnect Dynamics at any time from the integration screen in Bliro by clicking Disconnect. This deletes the refresh token from Bliro's side and ends Bliro's ability to call Dynamics on the user's behalf.
In addition, administrators can revoke Bliro's user-delegated permissions tenant-wide at any time via the Microsoft Entra portal under Enterprise applications → Bliro → Permissions, or per-user via https://myapps.microsoft.com.
IT Security Material
For Bliro's broader approach to security and privacy, see our trust center.
Contact and Help
Questions about the Dynamics integration, scope justifications, or central administration? Contact [email protected].
