Prerequisites

The Microsoft Dynamics 365 Business Central Online SaaS connector supports OAuth 2.0 authentication with the following grant types:

• Client Credentials

• JWT Certificate Credentials

• Refresh Token/ Auth Code

The following sections describe the configuration that must be performed for each grant type.

Registering an Application on Microsoft Entra ID

Perform the following:

1. User can use any of the following Azure Management Portal to perform the configuration:

   • Microsoft Azure

   • Entra ID Admin Center

2. Select Entra ID in the left pane.

3. Select App registrations.

4. Select New registration.

5. On the Register an application page, in the Name field, enter the name of the application that you want to set up.

6. Set the Redirect URI to https://businesscentral.dynamics.com/OAuthLanding.htm.

7. Select Register. An Application is created.

   On the Application page the Application ID (Client ID) and Tenant ID are displayed.

8. On the left-hand panel, select Certificates & secrets. On the Certificates & secrets page, in the Client secrets section, select New client secret.

9. On Add a client secret page, enter the Description to generate a secret, select the validity duration in the Expires list. Select Add.

10. Note the value of the client secret that you have just created.

Client Credentials

For the default Client Credentials grant type based authentication, following are the required configurations:

• Obtain Tenant ID, Client ID, Client Secret from Entra ID by registering the application (steps mentioned in Registering an Application on Microsoft Entra ID).

JWT Certificate Credentials

JWT Certificate Credentials supports Authentication based on JWT assertion prepared from Certificate and Private Key.

1. Obtain Client ID from Azure Active Directory by registering the application (up to step 7 mentioned in Registering an Application on Microsoft Entra ID).

2. To create a Certificate (self-signed or CA signed) of type X.509, the Private Key must be encrypted with the RSA algorithm and registered at the Entra ID portal. Complete the following steps to register the certificate with the Microsoft identity platform:

   1. Login to Azure Portal.

   2. Select the client application.

      In the Azure app registration for the client application, select Certificates & secrets.

   3. Select Upload certificate and select the certificate file to upload.

   4. Select Add.

   5. Obtain values for the following configurations:

      • Certificate: Obtain the text file of the same certificate which was uploaded on the Azure portal.

      • Private Key: Obtain the private key text file.

      • Private Key Password

Refresh Token

For refresh token, the delegated permissions on the Entra ID application are used (while Registering an Application on Microsoft Entra ID). For more information on assigning the appropriate permissions to the Business Central, refer to Required Permissions.

Perform the following to obtain the authorization code:

1. Obtain the authorization code using the following sample request URL:

   https://login.microsoftonline.com/<tenantname>.onmicrosoft.com/oauth2/v2.0/authorize?client_id=<cllient_id>&scope=offline_access https://api.businesscentral.dynamics.com/.default&response_type=code&redirect_uri=https://businesscentral.dynamics.com/OAuthLanding.htm&response_mode=query&state=<randomnumber>

   Note
   In the above URL, replace the values of <tenantname>, <cllient_id>, and <randomnumber>.

   • Add the following parameter details:

     Parameter	Description
     client_id	Client ID of the registered application.
     response_type	For authorization code the value must be code.
     redirect_uri	The value of this must be a redirect URI to the URL that was configured while registering the application, that is, https://businesscentral.dynamics.com/OAuthLanding.htm
     response_mode	To get the code in string parameter on your redirect URI, it must be a query.
     scope	offline_access https://api.businesscentral.dynamics.com/.default
     state	This can be any random number. The same value is returned along with the authorization code.

2. The response in the address bar would be displayed as follows:

   https://businesscentral.dynamics.com/OAuthLanding.htm?code=OAQABAAIAAAAm-06blBE1TpVMil8KPQ41U9..&state=1234566&sessio n_state=9557b1f1-0fd8-4e12-a39f-213cfcd12153

   From the above response, copy the code present between code= and &state which is marked in bold.

3. Obtain the Refresh Token as follows using the authorization code obtained in the previous step:

   1. Execute the following POST:

      Request URL: https://login.microsoftonline.com/<tenantname>/oauth2/v2.0/token

      Content-Type: application/x-www-form-urlencoded

      Request body:

      • client_id

      • client_secret

      • grant_type: As you intend to redeem the Auth Code it should be authorization_code

      • code: Authorization code obtained in previous steps

      • redirect_uri: The value of this must be a redirect uri to the url that was configured while registering the application, that is, https://businesscentral.dynamics.com/OAuthLanding.htm

      • scope: Enter offline_access https://api.businesscentral.dynamics.com/.default

   2. Copy Refresh Token from the response.

Creating an Application User on Business Central Online

Perform the following:

1. Open the Microsoft Dynamics 365 Business Central portal.

2. In the Search field, search for Entra ID Application.

3. Select New.

4. Add the Client ID (created in Client Credentials/JWT Certificate Credentials depending on the Grant Type selected).

   Application ID would be the Client ID of the Application registered in Azure Active Directory above.

5. Under User Groups and User Group permissions add permissions in Administrator permissions section and save the application.

   Note
   Client secret to be effectively used with a refresh token (or any token exchange requiring client authentication), the client created in Entra ID should be a confidential client.