Tip #410: How to create non-interactive user while saving foot from injury

Non-interactive users (available in CRM Online only) are defined as the users that “… can access the system but only through the Web service”. That makes them perfect for use as integration accounts. That, and the small fact that they do not consume a CRM license (in quantities of five or fewer).

To create a non-interactive user in CRM Online:

  1. Create a new integration security role by copying one of the existing system roles and removing all privileges, leaving only the bare minimum.
  2. Create a new user in the O365 administration portal.
  3. Switch to CRM, wait (if you are unlucky) for this user to be created in CRM, and then assign the integration role to that user.
  4. Change the user’s access mode to Non-interactive.
  5. Switch to O365 and remove the CRM license from that user.

The typical administrative Spießrutenlaufen-worthy action is assigning the system administrator role to non-interactive accounts, which begs the question: “Why?” If your integration is limited to displaying and updating contact data (say, for a self-service portal), then grant exactly that, no less, no more.

If you (as a developer) receive a security error, look carefully at which privilege is required and add it to the integration role, no less, no more.

If you are not receiving security errors during development, it means your security role is too broad.

Make this iterative process part of your development lifecycle and in the end (i.e. prior to a release) you will have a very sharp and finely tuned security role, guaranteed.
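
The iteration above can be scripted so that each test run yields the exact list of privileges to add to the integration role. This is an added example, not code from the original post: it assumes the security faults read “Principal user (…) is missing prvXxx privilege (…)”, and the sample faults, GUIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed fault text: CRM names the missing privilege by its internal "prv" name.
MISSING_PRV = re.compile(r"is missing (prv\w+) privilege")
# AppendTo is tried before Append, otherwise prvAppendToContact
# would be read as Append on an entity called "ToContact".
RIGHTS = ("AppendTo", "Append", "Create", "Read", "Write", "Delete", "Assign", "Share")

_USER = "Principal user (Id=11111111-1111-1111-1111-111111111111, type=8) "
_TAIL = " privilege (Id=22222222-2222-2222-2222-222222222222)"
# Constructed faults, as collected while testing a contact self-service portal.
SAMPLE_FAULTS = [
    _USER + "is missing prvReadContact" + _TAIL,
    _USER + "is missing prvWriteContact" + _TAIL,
    _USER + "is missing prvReadContact" + _TAIL,      # repeated fault
    _USER + "is missing prvAppendToContact" + _TAIL,
    _USER + "is missing prvReadAccount" + _TAIL,      # already in the role
    _USER + "is missing prvGoOffline" + _TAIL,        # not an entity privilege
    "The request channel timed out while waiting for a reply",  # unrelated error
]

def split_privilege(name):
    """Split 'prvAppendToContact' into ('AppendTo', 'Contact').
    Returns (None, rest) when the name is not an entity-level privilege."""
    body = name[3:]
    for right in RIGHTS:
        if body.startswith(right) and len(body) > len(right):
            return right, body[len(right):]
    return None, body

def privileges_to_add(faults, granted):
    """Return ({entity: [rights]}, [names needing manual review]) for the
    privileges named in the faults that the role does not hold yet."""
    needed, review = defaultdict(set), set()
    for line in faults:
        match = MISSING_PRV.search(line)
        if not match:
            continue                      # not a security fault
        name = match.group(1)
        right, entity = split_privilege(name)
        if right is None:
            review.add(name)              # never add these blindly
        elif name not in granted:
            needed[entity].add(right)
    return {e: sorted(r) for e, r in needed.items()}, sorted(review)

if __name__ == "__main__":
    print(privileges_to_add(SAMPLE_FAULTS, granted={"prvReadAccount"}))
```

An empty result after a full test pass against a role that was never tightened is the signal described above: the role is too broad.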

2 thoughts on “Tip #410: How to create non-interactive user while saving foot from injury”

  1. Thanks George!

    It USED TO BE that you could do this programmatically without needing an available license for that user. Do you have any idea why that changed and is there a way to do this without a human’s involvement? This is a huge problem for Apps to create a “service” user and set it to non-interactive.

    Lon

    • Hi Lon,

      I didn’t know that it was possible to create it programmatically without assigning a license to an O365 user… I do understand it’s a PITA but you can always “borrow” a license from a valid user for 5 minutes to accomplish the task. I do believe it is still possible to automate the process using an O365 PowerShell script.

      Cheers
      George
