Impersonate a User in Dynamics 365 using UCI

Often times when configuring security roles for user groups or when troubleshooting issues for end users, we would need to mimic the security of the user. While this works, it's time consuming and requires manual steps and verification to make sure all the security of our user record matches to that of the end user.

In addition, you would need to coordinate with your system administrator to add your security role back when the configuration/troubleshooting is complete.

This process could be simplified by impersonating the end user without having to meddle with the security roles and appropriate configurations of your own user. Let's look at how we can accomplish this.

The official documentation explains the impersonation process for both the preferred and legacy  approach. In this blog we will look at the Preferred approach. The same could however be applied to the legacy approach.

1. Add the security privilege on your user account to enable Impersonation

We need to make sure our user account has the prvActOnBehalfOfAnotherUser privilege. This is also included in the 'Delegate' security role.

2. Get the Azure AD Object ID of the user

We need to Azure AD Object ID of the end user we are trying to impersonate.This could be retrieved using advanced find and adding this column to the desired user

Azure Active Directory Object Id for system user

Copy the Azure AD Object ID for the user which we will use in the next step. In the example below I have choosen a Test User record

Azure AD Object ID from advanced find

3. Install ModHeader or similar extension in your browser

I'm currently using Chrome and ModHeader extension for this blog but you can choose your preferred extensions which has the ability to add Request headers.

Every operation made in Dynamics 365 in the web client is sent as a HTTP request to perform operations(create, update, retrieve etc.). Extensions like ModHeader inject a request header in the browser before sending it to the server. As explained in the documentation we would need to set the CallerObjectId request header to impersonate the user.

Setting the CallerObjectId header value in ModHeader

Now refresh the page you should see Dynamics 365 in the context of the user you are impersonating. In my example I see below as the Test User I have used does not have any apps configured with his security roles configuration.

Dynamics 365 in the context of an impersonated user

Now after you are done with the troubleshooting/testing the configuration you could disable ModHeader in any of the following ways

  • Remove the CallerObjectID header value
  • Pause the ModHeader extension
  • Disabling/uninstalling the extension until later use.

Hopefully this helps you save time when you had to troubleshoot some user issue or when you are configuring the security roles.