Dataverse CRUD with a .NET 8 console app: this guide shows how to build a production-ready C# application that performs create, read, update, and delete operations against Microsoft Dataverse using Dependency Injection, DefaultAzureCredential, resilient retries (Polly), and clean configuration. You get copy-pasteable code, least-privilege security guidance, and optional Azure Container Apps + Key Vault deployment via azd/Bicep.
The Problem
You need a reliable way to run Dataverse CRUD from a console app without hardcoded secrets, avoiding static helpers, and ensuring the code is cloud-ready and testable. Many examples skip DI, retries, and security, leading to brittle apps.
Prerequisites
.NET 8 SDK, Azure CLI v2.58+, Azure Developer CLI (azd) v1.9+, Power Platform tooling access to create an Application User in Dataverse mapped to your app's Service Principal or Managed Identity, A Dataverse environment URL (e.g., https://yourorg.crm.dynamics.com)
The Solution (Step-by-Step)
1) Project setup and configuration
Create a new console app and add packages.
// Bash: create project and add packages
dotnet new console -n DataverseCrud.Console --framework net8.0
cd DataverseCrud.Console
dotnet add package Microsoft.PowerPlatform.Dataverse.Client --version 1.1.27
dotnet add package Azure.Identity --version 1.11.3
dotnet add package Polly.Extensions.Http --version 3.0.0
dotnet add package Microsoft.Extensions.Http.Polly --version 8.0.1
Add appsettings.json for configuration (no secrets).
{
"Dataverse": {
"OrganizationUrl": "https://yourorg.crm.dynamics.com",
"ApiVersion": "v9.2",
"DefaultTableLogicalName": "account"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning"
}
}
}
Pro-Tip: Keep ApiVersion configurable so you can upgrade Dataverse API without code changes.
2) Implement the Generic Host with DI, typed options, and retry policies
Program.cs uses file-scoped namespaces, DI, and structured logging via Microsoft.Extensions.Logging. Polly adds resilient retries for transient failures.
using System.Net.Http.Headers;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Polly;
using Polly.Extensions.Http;
using Microsoft.PowerPlatform.Dataverse.Client;
namespace DataverseCrud.ConsoleApp;
// Options record for strongly-typed config
public sealed record DataverseOptions(string OrganizationUrl, string ApiVersion, string DefaultTableLogicalName);
// Abstraction for testability
public interface IDataverseRepository
{
// CRUD signatures using basic types for clarity
Task<Guid> CreateAsync(string tableLogicalName, IDictionary<string, object> attributes, CancellationToken ct);
Task<Dictionary<string, object>?> RetrieveAsync(string tableLogicalName, Guid id, string columnsCsv, CancellationToken ct);
Task UpdateAsync(string tableLogicalName, Guid id, IDictionary<string, object> attributes, CancellationToken ct);
Task DeleteAsync(string tableLogicalName, Guid id, CancellationToken ct);
}
// Concrete repository using ServiceClient
public sealed class DataverseRepository(IOptions<DataverseOptions> options, ILogger<DataverseRepository> logger, ServiceClient serviceClient) : IDataverseRepository
{
private readonly DataverseOptions _opt = options.Value;
private readonly ILogger<DataverseRepository> _logger = logger;
private readonly ServiceClient _client = serviceClient;
// Create a row in Dataverse
public async Task<Guid> CreateAsync(string tableLogicalName, IDictionary<string, object> attributes, CancellationToken ct)
{
// Convert to Entity representation
var entity = new Microsoft.Xrm.Sdk.Entity(tableLogicalName);
foreach (var kvp in attributes)
entity.Attributes[kvp.Key] = kvp.Value;
var id = await _client.CreateAsync(entity, ct).ConfigureAwait(false);
_logger.LogInformation("Created {Table} record with Id {Id}", tableLogicalName, id);
return id;
}
// Retrieve a row with selected columns
public async Task<Dictionary<string, object>?> RetrieveAsync(string tableLogicalName, Guid id, string columnsCsv, CancellationToken ct)
{
var columns = new Microsoft.Xrm.Sdk.Query.ColumnSet(columnsCsv.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries));
var entity = await _client.RetrieveAsync(tableLogicalName, id, columns, ct).ConfigureAwait(false);
if (entity == null)
{
_logger.LogWarning("Entity not found: {Table}/{Id}", tableLogicalName, id);
return null;
}
return entity.Attributes.ToDictionary(k => k.Key, v => v.Value);
}
// Update specific attributes
public async Task UpdateAsync(string tableLogicalName, Guid id, IDictionary<string, object> attributes, CancellationToken ct)
{
var entity = new Microsoft.Xrm.Sdk.Entity(tableLogicalName) { Id = id };
foreach (var kvp in attributes)
entity.Attributes[kvp.Key] = kvp.Value;
await _client.UpdateAsync(entity, ct).ConfigureAwait(false);
_logger.LogInformation("Updated {Table} record {Id}", tableLogicalName, id);
}
// Delete a row
public async Task DeleteAsync(string tableLogicalName, Guid id, CancellationToken ct)
{
await _client.DeleteAsync(tableLogicalName, id, ct).ConfigureAwait(false);
_logger.LogInformation("Deleted {Table} record {Id}", tableLogicalName, id);
}
}
public class Program
{
public static async Task Main(string[] args)
{
using var host = Host.CreateApplicationBuilder(args);
// Bind options from configuration
host.Services.AddOptions<DataverseOptions>()
.Bind(host.Configuration.GetSection("Dataverse"))
.ValidateDataAnnotations()
.Validate(opt => !string.IsNullOrWhiteSpace(opt.OrganizationUrl) && !string.IsNullOrWhiteSpace(opt.ApiVersion));
host.Services.AddLogging(builder =>
{
builder.AddSimpleConsole(o =>
{
o.TimestampFormat = "yyyy-MM-dd HH:mm:ss ";
o.SingleLine = true;
});
});
// Configure resilient HTTP with Polly for Dataverse traffic
host.Services.AddHttpClient("dataverse")
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetRetryPolicy());
// Register ServiceClient using DefaultAzureCredential (prefers Managed Identity in Azure)
host.Services.AddSingleton(sp =>
{
var opts = sp.GetRequiredService<IOptions<DataverseOptions>>().Value;
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
// In production on Azure Container Apps/VMs, Managed Identity will be used.
// Locally, DeveloperCredential/VisualStudioCredential will be used.
ExcludeManagedIdentityCredential = false
});
var svc = new ServiceClient(new Uri(opts.OrganizationUrl), credential, useUniqueInstance: true, useWebApi: true);
// Configure ServiceClient API version if supported/necessary by environment
svc.SdkVersion = opts.ApiVersion; // Documented: keep version configurable
return svc;
});
host.Services.AddSingleton<IDataverseRepository, DataverseRepository>();
var app = host.Build();
// Execute a CRUD flow
var logger = app.Services.GetRequiredService<ILogger<Program>>();
var repo = app.Services.GetRequiredService<IDataverseRepository>();
var cfg = app.Services.GetRequiredService<IOptions<DataverseOptions>>().Value;
using var cts = new CancellationTokenSource(TimeSpan.FromMinutes(2));
try
{
// 1) Create
var accountId = await repo.CreateAsync(cfg.DefaultTableLogicalName, new Dictionary<string, object>
{
["name"] = "Contoso (Console App)",
["telephone1"] = "+1-425-555-0100"
}, cts.Token);
// 2) Retrieve
var data = await repo.RetrieveAsync(cfg.DefaultTableLogicalName, accountId, "name,telephone1", cts.Token);
logger.LogInformation("Retrieved: {Data}", string.Join("; ", data!.Select(kv => $"{kv.Key}={kv.Value}")));
// 3) Update
await repo.UpdateAsync(cfg.DefaultTableLogicalName, accountId, new Dictionary<string, object>
{
["telephone1"] = "+1-425-555-0101"
}, cts.Token);
// 4) Delete
await repo.DeleteAsync(cfg.DefaultTableLogicalName, accountId, cts.Token);
logger.LogInformation("CRUD flow completed successfully.");
}
catch (Exception ex)
{
logger.LogError(ex, "Failure during CRUD flow");
Environment.ExitCode = 1;
}
await app.StopAsync();
}
// Exponential backoff for transient HTTP 5xx/429 responses
private static IAsyncPolicy<HttpResponseMessage> GetRetryPolicy() =>
HttpPolicyExtensions
.HandleTransientHttpError()
.OrResult(r => (int)r.StatusCode == 429)
.WaitAndRetryAsync(5, retryAttempt => TimeSpan.FromSeconds(Math.Pow(2, retryAttempt)));
}
Pro-Tip: Add structured properties to logs (e.g., table, id) for easier querying in Application Insights.
3) Dataverse authentication without secrets
The ServiceClient uses DefaultAzureCredential, which in Azure will use Managed Identity. In local development, it falls back to developer credentials. You must create an Application User in Dataverse mapped to the Service Principal or Managed Identity and assign the least-privilege Dataverse security role needed for CRUD on targeted tables.
Pro-Tip: Scope Dataverse privileges to only the tables and operations your app requires.
4) Optional: Run in Azure Container Apps with Managed Identity (IaC via azd/Bicep)
If you want to run this console app on a schedule or on-demand in Azure, deploy to Azure Container Apps with a System-Assigned Managed Identity. Use Key Vault to hold non-secret config like OrganizationUrl and ApiVersion for central governance.
// azure.yaml for azd (simplified)
name: dataverse-crud
metadata:
template: dataverse-crud
services:
app:
project: ./
language: dotnet
host: containerapp
docker:
path: ./Dockerfile
context: ./
// main.bicep (simplified): Container App + Key Vault + MI and RBAC
param location string = resourceGroup().location
param appName string = 'dataverse-crud-app'
param kvName string = 'dvcrud-kv-${uniqueString(resourceGroup().id)}'
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
name: kvName
location: location
properties: {
tenantId: subscription().tenantId
sku: { family: 'A', name: 'standard' }
accessPolicies: [] // Use RBAC rather than access policies
enableRbacAuthorization: true
}
}
resource caEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
name: 'dvcrud-env'
location: location
}
resource app 'Microsoft.App/containerApps@2023-05-01' = {
name: appName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
managedEnvironmentId: caEnv.id
template: {
containers: [
{
name: 'app'
image: 'ghcr.io/yourrepo/dataverse-crud:latest'
env: [
// Pull configuration from Key Vault via secrets or set as plain env if non-secret
{ name: 'Dataverse__OrganizationUrl', value: 'https://yourorg.crm.dynamics.com' },
{ name: 'Dataverse__ApiVersion', value: 'v9.2' },
{ name: 'Dataverse__DefaultTableLogicalName', value: 'account' }
]
}
]
}
}
}
// Grant the Container App's Managed Identity access to Key Vault secrets if used for configuration
resource kvAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(kv.id, 'kv-secrets-user', app.name)
scope: kv
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') // Key Vault Secrets User
principalId: app.identity.principalId
principalType: 'ServicePrincipal'
}
}
Azure RBAC roles used here: Key Vault Secrets User on the vault to read secrets if you store any configuration as secrets. The Container App requires no additional Azure RBAC to call Dataverse; it authenticates via its Managed Identity to Entra ID, and Dataverse access is governed by the Application User and Dataverse security role assignments.
Pro-Tip: Prefer System-Assigned Managed Identity for lifecycle simplicity unless you need identity reuse across apps, in which case use a User-Assigned Managed Identity.
5) Testing and mocking
Abstract your repository behind IDataverseRepository to unit test business logic without hitting Dataverse. For integration tests, use a test environment with a restricted Dataverse security role.
// Example unit test using a fake repository
public sealed class FakeRepo : IDataverseRepository
{
public List<string> Calls { get; } = new();
public Task<Guid> CreateAsync(string t, IDictionary<string, object> a, CancellationToken ct) { Calls.Add("create"); return Task.FromResult(Guid.NewGuid()); }
public Task<Dictionary<string, object>?> RetrieveAsync(string t, Guid id, string cols, CancellationToken ct) { Calls.Add("retrieve"); return Task.FromResult<Dictionary<string, object>?>(new()); }
public Task UpdateAsync(string t, Guid id, IDictionary<string, object> a, CancellationToken ct) { Calls.Add("update"); return Task.CompletedTask; }
public Task DeleteAsync(string t, Guid id, CancellationToken ct) { Calls.Add("delete"); return Task.CompletedTask; }
}
Pro-Tip: Use dependency injection to pass a fake or mock implementation into services that depend on IDataverseRepository.
Best Practices & Security
Authentication and secrets: Use DefaultAzureCredential. Do not embed client secrets or connection strings. In Azure, rely on Managed Identity. Locally, authenticate via developer credentials.
Dataverse permissions: Assign a least-privilege Dataverse security role to the Application User (e.g., CRUD on specific tables only). Avoid granting environment-wide privileges.
Azure RBAC: If using Key Vault, grant only the Key Vault Secrets User role to the app’s Managed Identity. Do not grant Owner or Contributor without justification.
Resilience: The Polly retry policy handles 5xx/429 responses with exponential backoff; tune retry counts/timeouts per SLOs.
Observability: Use Microsoft.Extensions.Logging with structured state for IDs and table names. Forward logs to Application Insights via the built-in provider when running in Azure.
Configuration hygiene: Keep OrganizationUrl, ApiVersion, and default table logical names in configuration. Validate options at startup.
Token reuse: DefaultAzureCredential and underlying token providers cache tokens. Avoid recreating credentials per request; register ServiceClient as a singleton as shown.
Pro-Tip: For read-only operations at scale, prefer the Web API with select columns and server-side paging; avoid retrieving full records when not needed.
Summary
• You built a .NET 8 console app that performs Dataverse CRUD using DI, DefaultAzureCredential, and Polly retries.
• Security is hardened with Managed Identity, least-privilege Dataverse roles, and optional Azure RBAC for Key Vault.
• The solution is production-ready, testable, and configurable, with an optional path to deploy on Azure Container Apps via azd/Bicep.
Next step: map your Managed Identity or app registration to a Dataverse Application User, assign a minimal security role, and run the CRUD flow against your target tables.
