How To
A How To explains a given scenario or function and provides tips and notes.
How To Create a new App Registration
An external application that wants to access Business Central first needs its own identity, which is created by registering the application in the Azure portal, as described in the following steps:
Note
Find information on Microsoft Learn about how to register a Microsoft Entra application for authentication to Business Central.
Create the Application in Azure
- Sign in to the Azure portal and select the New registration action on the App registrations page.
- Enter a Name that is suitable for the application.
- Specify who can use this application or access this API by selecting if the application will be single tenant or multitenant.
- Whether you need to specify a Redirect URI depends on the app.
Note
Most organizations have only one tenant. If the app should only be used within the organization, choose Single tenant. Select Multitenant only if the app should be used across several organizations, or if your organization has set up more than one tenant.
Tip
Copy the Application (client) ID of the registered application. You will need this later when entering it in Business Central. You can find this value on the Overview page.
Note
Find the general guidelines on Microsoft Learn about how to register your application with your Microsoft Entra tenant.
Set up the Required API Permissions
The permissions that must be set on the API Permissions page depend on which app from SmartApps is being set up. SmartApps supports both application permissions and delegated permissions.
Note
Find the latest guidelines on Microsoft Learn about adding permissions in Microsoft Entra ID.
Set up Application Permissions
Allow full access to the Business Central web services APIs as follows:
- Select the Add a permission action on the API permissions page.
- Select Dynamics 365 Business Central.
- Select Application permission.
- Grant full access to web services API by selecting the API.ReadWrite.All checkbox.
Important
When API.ReadWrite.All of the Application type is used, it does not mean that the application can read and write data without limit through all APIs. The actual access to data is limited by the permissions assigned to the application account in Business Central when setting up access in Business Central.
Set up Delegated Permissions
Allow the application full access to Dynamics 365 on your behalf as follows:
- Select the Add a permission action on the API permissions page.
- Select Dynamics 365 Business Central.
- Select Delegated permission.
- Grant the application full access to Dynamics 365 on your behalf by selecting the Financials.ReadWrite.All checkbox.
Note
When Financials.ReadWrite.All of the Delegated type is used, it does not mean that the application has full access to Dynamics 365 Business Central. The actual access is limited by the permissions assigned to the actual user in Business Central. You don't need to set up access in Business Central for the application, as this authentication method uses the permissions assigned to the actual user within Business Central. See the Tip under Grant Admin Consent for how to create an Admin Consent URL.
Create a secret
Create a client secret for the registered application as follows:
- Select Certificates & secrets > New client secret.
- Add a description, select a duration, and select Add.
Note
Find the latest guidelines on Microsoft Learn about adding client secrets in Microsoft Entra ID; see Add credentials in the Azure documentation.
Tip
Copy the secret's value and save it until you have entered it in Business Central. This value is never displayed again after you leave this page.
Set up Access in Business Central
Create the external application account in Business Central and grant consent as follows:
- Log in to Dynamics 365 Business Central.
- Choose the search icon (ALT+Q), enter Microsoft Entra Applications, and then choose the related link.
- Select New.
- Enter the Application (client) ID that you copied from the Azure portal.
- Add the relevant permissions for the application to be able to perform the supported tasks.
- Select the Grant Consent action to provide access for the application.
Note
Access in Business Central does not need to be set up for Delegated permission. However, Admin Consent needs to be performed.
Grant Admin Consent
The final step when setting up a permission of the Delegated type is to grant admin consent, which is done either with an in-app action from SmartApps or in the Azure portal by the global administrator of the tenant.
Tip
It is also possible to create an Admin Consent URL to send to a global administrator by combining "https://login.microsoftonline.com/" + "Azure AD tenant" + "/adminconsent?client_id=" + "{client id}"
Example link for the mybusiness.com tenant if the Client Id is "8e8144b7-4d3b-436d-9c71-2f045a5bc623": https://login.microsoftonline.com/mybusiness.com/adminconsent?client_id=8e8144b7-4d3b-436d-9c71-2f045a5bc623
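The following is an added example, not part of the original page or of SmartApps: it builds the Admin Consent URL from validated parts and lets the global administrator check a received link against the expected tenant and Application (client) ID before granting consent. The function names are hypothetical, and only the URL form shown in the Tip above is accepted.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# The tenant is written as a directory GUID or a domain name such as mybusiness.com.
DOMAIN = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def build_admin_consent_url(tenant, client_id):
    """Build the link from the Tip, rejecting values that would alter the URL."""
    if not (GUID.fullmatch(tenant) or DOMAIN.fullmatch(tenant)):
        raise ValueError("tenant must be a GUID or a domain name")
    if not GUID.fullmatch(client_id):
        raise ValueError("client id must be a GUID")
    query = urlencode({"client_id": client_id.lower()})
    return f"https://{AUTHORITY}/{tenant}/adminconsent?{query}"


def check_admin_consent_url(url, expected_tenant, expected_client_id):
    """Return a list of problems; an empty list means the link matches."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole netloc so user-info or port tricks are also rejected.
    if parts.netloc.lower() != AUTHORITY:
        problems.append(f"unexpected host: {parts.netloc}")
    if parts.path.lower() != f"/{expected_tenant.lower()}/adminconsent":
        problems.append(f"unexpected path: {parts.path}")
    ids = parse_qs(parts.query).get("client_id", [])
    if len(ids) != 1 or ids[0].lower() != expected_client_id.lower():
        problems.append("client_id missing, repeated, or not the registered app")
    return problems


if __name__ == "__main__":
    # Values taken from the example link on this page.
    tenant = "mybusiness.com"
    client_id = "8e8144b7-4d3b-436d-9c71-2f045a5bc623"
    link = build_admin_consent_url(tenant, client_id)
    print(link)
    print(check_admin_consent_url(link, tenant, client_id) or "link matches")
```
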
See Also
More on API permissions and admin consent on Microsoft Learn